The FTC Moves Toward a Rules-Based Approach to Cybersecurity Regulation for Financial Institutions

by Avi Gesser, Kelsey Clark, Jennifer E. Kerslake, and Eric McLaughlin

In our first Cyber Blog post, we predicted that the rules-based approach adopted by the NYDFS would become the model for cybersecurity regulation.  Two years later, we’re feeling pretty good about that prediction, as the FTC recently proposed incorporating a number of aspects of the NYDFS cybersecurity rules into its Standards for Safeguarding Customer Information rule (the “Safeguards Rule”).  The proposal would also expand the Safeguards Rule’s definition of “financial institution” to include “finders,” or companies that connect potential parties to a transaction.  As a reminder, the Safeguards Rule applies to financial institutions that are not regulated by the federal banking agencies, the SEC, or state insurance authorities, including non-bank mortgage lenders, payday lenders, finance companies, check cashers, money transmitters, collection firms, and tax preparers.

The Safeguards Rule, which implements part of the Gramm-Leach-Bliley Act, established standards requiring financial institutions to put in place a comprehensive information security program with safeguards for customer information.  We have previously written about the two competing approaches to cybersecurity regulations: standards-based and rules-based.  The current Safeguards Rule reflects a standards-based approach, which favors broad, flexible requirements that mandate that a company establish a “reasonable” or “industry standard” cybersecurity program but that do not specifically prescribe how to do so.

In contrast, the FTC’s proposed amendments (PDF: 352 KB) to the Safeguards Rule (the “Proposed Amendments”) adopt a rules-based approach, setting out concrete measures that a company must take, largely without regard to the company’s particular characteristics.  Rather than requiring companies to meet current industry standards or best practices, rules-based cyber regulation creates them.

Proponents of the standards-based approach argue that having general and flexible requirements is the right model for cybersecurity regulations because they must be applied to companies that operate on different scales, and with very different types of data, resources, and risk profiles, which makes a one-size-fits-all approach impractical.  They also argue that flexible standards are necessary because cyber threats and technology are constantly changing, so specific measures that may be adequate one month may be insufficient the next.  Echoing these concerns, two Commissioners dissented (PDF: 36.5 KB) from the proposal, which they said “trades flexibility for a more prescriptive approach, potentially handicapping smaller players or newer entrants.”

Proponents of the rules-based approach, which recently was endorsed by the Eleventh Circuit in the LabMD decision (PDF: 547 KB), argue that the standards-based approach does not provide sufficient certainty—for either regulators or regulated entities—as to what is actually required.

Perhaps as a result, at least in part, of the LabMD decision, the FTC has clearly moved towards the rules-based approach.  The standard-bearer for the rules-based approach to cybersecurity is the NYDFS, which imposes significant, detailed responsibilities on covered entities.  In the commentary to the Proposed Amendments, the FTC states that the NYDFS cybersecurity rules “maintain the balance between providing detailed guidance and avoiding overly prescriptive requirements for information security programs.”

Below are some examples of the NYDFS rules and the corresponding requirements proposed by the FTC.

  NYDFS Cybersecurity Rules FTC Proposed Amendments to Safeguards Rule
Designation of Chief Information Security Officer (“CISO”) “Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy” “Designate a qualified individual responsible for overseeing and implementing your information security program and enforcing your information security program”
Risk Assessment “The Risk Assessment shall be carried out in accordance with written policies and procedures and shall be documented. Such policies and procedures shall include: (1) criteria for the evaluation and categorization of identified cybersecurity risks or threats facing the Covered Entity; (2) criteria for the assessment of the confidentiality, integrity, security and availability of the Covered Entity’s Information Systems and Nonpublic Information, including the adequacy of existing controls in the context of identified risks; and (3) requirements describing how identified risks will be mitigated or accepted based on the Risk Assessment and how the cybersecurity program will address the risks.” “The risk assessment shall be written and shall include: (i) Criteria for the evaluation and categorization of identified security risks or threats you face; (ii) Criteria for the assessment of the confidentiality, integrity, and availability of your information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats you face; and (iii) Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks.”
Access Controls “As part of its cybersecurity program, based on the Covered Entity’s Risk Assessment each Covered Entity shall limit user access privileges to Information Systems that provide access to Nonpublic Information and shall periodically review such access privileges” “Place access controls on information systems, including controls to authenticate and permit access only to authorized individuals to protect against the unauthorized acquisition of customer information and to periodically review such access controls”

To address concerns that a one-size-fits-all, rules-based approach places too heavy a burden on smaller companies, the NYDFS rules include exemptions from certain specific requirements for very small companies (fewer than 10 employees) or if, based on a risk assessment, a company implements effective alternative compensating controls that are reviewed and approved by the CISO.  The Proposed Amendments take a similar approach.  Covered financial institutions that maintain customer information for fewer than 5,000 consumers would be exempted from certain requirements, and companies could use alternatives to encrypting customer information if the CISO reviews and approves the controls.

The Proposed Amendments do not include a NYDFS-like breach notification requirement, but the FTC has requested comment on whether financial institutions should be required to report to the FTC any event resulting in unauthorized access to, or disruption or misuse of, an information system or information stored on such system.

In addition, the Proposed Amendments would expand the scope of activities that can cause a company to be deemed a “financial institution” subject to the Safeguards Rule.  Specifically, the FTC proposes to define “financial institution” to include entities that are “significantly engaged in activities that are incidental” to financial activities, as such “incidental” activities are defined by the Bank Holding Company Act of 1956.  With this change, the Safeguards Rule would also apply to companies that act as “finders” (as defined by the Federal Reserve Board in 12 C.F.R § 225.86(d)(1)).  A finder is a company that connects buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate.  This change would bring the scope of the FTC’s rule into greater alignment with that of the CFPB’s Regulation P, which also includes a definition of “financial institution.”

Avi Gesser is a partner, and Kelsey Clark, Jennifer E. Kerslake, and Eric McLaughlin, are associates at Davis Polk & Wardwell LLP.


The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.