by Luke Dembosky, Jeremy Feigelson, Avi Gesser, Jim Pastore, Suchita Mandavilli Brundage, and Marissa MacAneney
On July 13, 2020, the Federal Trade Commission (“FTC”) hosted a virtual workshop on its proposed changes to the Standards for Safeguarding Customer Information (“Safeguards Rule”). The workshop followed up on the FTC’s 2019 notice of proposed rulemaking requesting public comment on its proposal to amend the Safeguards Rule.
The workshop was intended to provide a forum to explore “the cost of information security for financial institutions, the availability of information security services for smaller financial institutions, and other issues raised in comments received.” The panelists chosen to participate included engineers, information security professionals, and academics; they represented a range of industries, expertise, and experiences in the information security field.
What Is the Safeguards Rule?
The current rule, promulgated pursuant to the Gramm-Leach-Bliley Act, requires financial institutions to safeguard customer information by maintaining comprehensive information security programs appropriate to the size, complexity, and nature of the organization as well as the sensitivity of the customer information.
What Is the Proposed Amendment?
The proposed amended rule, based largely on the New York Department of Financial Services’ Part 500 cybersecurity regulation, is intended to maintain the current rule’s flexibility while providing more detailed requirements and concrete guidance to financial institutions.
As under the current Safeguards Rule, financial institutions would still be required to evaluate and adjust their information security programs, periodically assess their programs, and oversee service providers. The proposed amended rule would introduce several important requirements, including the designation of a single qualified individual responsible for oversight, an annual written report to the institution’s governing body, and mandatory encryption and multifactor authentication (“MFA”), among others.
The proposed rule would require information security programs to address certain areas, including (1) access controls that limit access to customer information to authorized individuals; (2) inventory procedures to identify and manage the data, personnel, devices, systems, and facilities that handle customer information, according to their importance to the business and the organization’s risk strategy; (3) restricting physical access to locations containing customer information; (4) encryption of customer information both in transit over external networks and at rest; (5) secure development practices for applications developed in-house to handle customer information, as well as procedures for evaluating third-party applications; (6) MFA for anyone accessing customer information; (7) audit trails that allow security events to be detected and reconstructed; (8) procedures for disposing of customer information that is no longer necessary for legitimate business purposes; (9) change management procedures governing changes to systems; and (10) monitoring and logging the activity of authorized users and detecting unauthorized access to, or use of, customer information.
Under the proposed rule, financial institutions would be required to designate one qualified individual to oversee the program. The current rule requires the company only to designate “an employee or employees.”
What Did We Learn at the Workshop?
CISO or No?
Although the proposed rule uses the term Chief Information Security Officer (“CISO”) to describe the qualified individual, the panelists acknowledged that the qualified person does not need to carry the title of CISO. It was also mentioned that the necessary qualifications for the responsible individual will vary based on the information security needs of a particular financial institution.
Panelists generally responded positively to this proposed change, noting that having a single point person in charge of the program can lead to better and faster decisions. Additionally, panelists noted that a single point-of-contact could help streamline communications with third parties involved in incident response by identifying a single person to whom these third parties should report. At the same time, it may be difficult for smaller companies to designate one person for this position and to justify the cost of doing so.
Companies would be permitted to hire a third party to serve as the designated point person. Panelists advised that companies taking this route should hire a third party that understands the company culture and risk tolerance and should designate someone inside the company to manage that relationship.
Monitoring Program Effectiveness
The proposed rule would require financial institutions to regularly test or otherwise monitor the effectiveness of their programs, either through continuous monitoring or through both annual penetration testing and semiannual (at least every six months) vulnerability assessments.
Cost is one of the primary concerns regarding the requirement of these processes. On the issue of cost, panelists explained that companies will always be paying for experts, whether those experts are in-house or external. While outsourcing can be expensive, in-house talent may be costly as well, especially if the organization has a shortage of personnel. As one panelist noted, “You are getting what you pay for.”
Vulnerability assessment involves a broad sweep of the entire environment to identify potential security weaknesses, typically using automated scanners. It is generally inexpensive, as the majority of it can be automated. Though only required twice a year under the proposed rule, panelists suggested that vulnerability scans be run as often as possible, and always after any significant network change or intrusion attempt. Because scanning can degrade network or host performance, panelists recommended having an expert on staff to detect and manage such issues while scans are running. In addition, panelists cautioned that vulnerability scans produce false positives, that is, “vulnerabilities” that appear on a report but are not true security weaknesses, so results must be triaged rather than accepted at face value. Finally, the value lies in acting on the results: each confirmed finding should be assessed for whether and how it affects the institution’s systems and data, and remediated or accepted in order of risk.
While recognizing the importance of monitoring and testing for security weaknesses, panelists urged the FTC to recognize the differences between large and small companies and focus on outcome-based guidance rather than demanding specific processes like penetration testing. In addition to the size of the company, the amount and type of data at risk should be a part of the calculation. Further, panelists encouraged the FTC to give smaller organizations longer than six months to become compliant with the new rule.
Encryption & MFA
Perhaps the most specific requirements in the proposed amended Safeguards Rule would require financial institutions to encrypt all customer information both in transit over external networks and at rest, and to implement MFA for anyone accessing internal networks that contain customer information, including through remote access.
The amended rule would not prescribe a particular technology or technique but, with regard to implementing MFA, would require that it combine at least two of the following categories: knowledge factors (e.g., a password; biographical information such as a mother’s maiden name is also a knowledge factor, though a weak one), possession factors (e.g., a physical token or device that produces a one-time code), and inherence factors (e.g., biometric characteristics such as fingerprints). Two factors from the same category, such as a password plus a security question, would not satisfy the requirement. Regarding specific MFA tools, panelists generally agreed that SMS one-time codes are cheap and widely available but come with well-known risks, including SIM swapping and interception. As for encryption, fortunately for companies large and small, it is now generally easy and inexpensive to adopt; the practical difficulty lies less in turning encryption on than in managing the keys, since encrypted data at rest is only as well protected as the access controls around its decryption keys.
If implementing encryption and/or MFA is not feasible, the proposed rule would allow companies to use an effective alternative (compensating) control, provided it is reviewed and approved by the qualified individual in charge of the program.
Panelists agreed, however, that the decision to rely on a compensating control is a risk-acceptance decision that belongs with the Board, not the CISO. The CISO should be able to attest from a technical perspective whether a compensating control is functionally equivalent to the required control, but should not be the one deciding whether the residual risk is acceptable to the business.
Written Incident Response Plan
Another proposed change would require companies to create a written incident response plan detailing what needs to be done in the event of an incident, to whom an incident should be reported, and how the institution will mitigate any harm to customers and to the business.
Annual Report to Board
The proposed amended rule would require the designated point person to provide an annual report to the Board of Directors (or the equivalent governing body) regarding the status of the program.
Panelists seemed to welcome this proposed change, noting the importance of bringing the topic of information security and security risks to the level of the Board and senior leadership. Panelists advised that once per year is the minimum that the subject should be brought before the Board. They explained that a more iterative approach to educating the Board and soliciting feedback is likely to be more helpful, as the security landscape and risks change so rapidly. Recognizing the difficulty of conveying qualitative information effectively, panelists agreed that risk quantification mechanisms can help present information in a way that enables the Board to use the information to make decisions.
Report in Writing
The proposed rule would require the annual report to the Board to be in writing.
Generally, documenting decisions in writing allows companies to look back at decisions and the rationale for those decisions, panelists said. It also creates clarity over company policy and can act as precedent to help inform future decisions. A writing requirement can be costly in terms of time if taken to an extreme, panelists noted, so companies should consider whether there is value added by documenting a particular decision. Panelists urged the FTC to allow more flexibility when it comes to evidencing decisions, arguing that companies should be able to record decisions in different ways, as long as the method is consistent.
The proposed rule also includes an exception that would exempt financial institutions that maintain customer information concerning fewer than 5,000 consumers from most of the new written requirements, including the requirement to prepare a written annual report and a written risk assessment.
What Comes Next?
Companies subject to the Safeguards Rule should review their current information security program in light of the proposed changes to determine what, if any, changes may soon be required to render their program compliant.
Luke Dembosky, Jeremy Feigelson, Avi Gesser, and Jim Pastore are partners, and Suchita Mandavilli Brundage, and Marissa MacAneney are associates, at Debevoise & Plimpton LLP. The authors gratefully acknowledge the assistance of law clerk Lily Coad in preparing this entry. This post was originally published on Debevoise’s Data Blog.
Disclaimer
The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.