On December 9, 2021, while the world braced for another wave of COVID infections, something with far-reaching consequences for cybersecurity was happening at the Federal Trade Commission (FTC). After years of incrementally amending its Safeguards Rule (officially the “Standards for Safeguarding Customer Information,” a consumer-protection regulation rooted in the Gramm-Leach-Bliley Act of 1999), the FTC quietly dropped a bombshell.
Having previously given the financial institutions under its jurisdiction only general guidance on protecting customer information, the FTC suddenly got very granular about the steps “non-banking financial institutions” must take to comply. From putting extensive risk assessment programs in place to implementing specific security measures such as multi-factor authentication (MFA), the FTC now spells out exactly what companies need to do to avoid enforcement action. There is also a hard deadline: December 9, 2022, one year to the day after the update was published.
This post examines the implications of the updated rule for businesses: which organizations it covers, what the new security requirements are, and the steps companies need to take.
What “Non-Banking” Means
Before diving into technical details, it’s important to consider how broad the definition of “non-banking financial institutions” actually is. Clearly, the updated Safeguards Rule applies to companies that explicitly handle financial transactions: mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transfer companies, collection agencies, credit counselors, tax preparation firms, non-federally insured credit unions, and investment advisors that don’t have to register with the SEC.
But the rule potentially affects a much broader range of organizations, including car dealerships, real estate appraisers, retailers that offer their own credit cards, colleges and universities that participate in federal student financial aid programs, and even career counselors who work with clients in the financial services industry. This is because any company engaged in activities considered “financial in nature” is subject to the Safeguards Rule’s new requirements, and the update explicitly adds what the FTC calls “finders”: firms that bring buyers and sellers together but don’t actually handle the transaction.
This remarkably wide net means that many companies could be caught by surprise in December, suddenly finding themselves subject to extensive new data protection requirements they weren’t even aware of and unexpectedly facing compliance issues.
The Parameters of Compliance
Determining which organizations are subject to the updated Safeguards Rule is only the first hurdle. Implementing the specific security controls the rule dictates is where the real work begins.
Here is an overview of the nine elements the FTC will soon require:
- The designation of a “qualified individual” to implement and supervise the business’s information security program.
- Written risk assessments that identify exactly what customer information is held and where it is stored, and evaluate the foreseeable risks and threats to that data’s security.
- Safeguards to mitigate the identified risks, including access controls, encryption of customer information in transit and at rest, and multi-factor authentication (MFA).
- Regular testing and monitoring of those safeguards: either continuous monitoring, or annual penetration testing combined with vulnerability assessments at least every six months.
- Security awareness training for all employees, and oversight of suppliers and contractors, to ensure readiness.
- Contracts with service providers that spell out security expectations and build in ways to monitor their work.
- Regular updates to the security program so it remains current in the face of emerging threats and personnel changes.
- A written incident response plan covering any security event that results in unauthorized access to or misuse of customer data.
- Regular written reports from the qualified individual to the company’s board of directors (or equivalent governing body).
The level of detail provided here will go a long way toward prodding financially oriented organizations to implement thorough data security programs. Yet in some ways the FTC hasn’t gone far enough with its update, especially with regard to MFA.
Granted, the agency defines what counts as MFA: verification of at least two of three factor types, a “knowledge factor” (e.g. a password), a “possession factor” (e.g. a token), and an “inherence factor” (e.g. a biometric characteristic). Every major MFA provider on the market meets this easily. But beyond requiring MFA for any individual accessing any information system, the rule gives no guidance on how that is to be achieved for the many access paths that never present a logon screen, and this omission could leave organizations dangerously exposed.
Compare this with the directives coming out of cyber insurance companies this year. To qualify for a policy, companies now need to be able to apply MFA to cloud-based email, remote network access, and internal and remote admin access to directory services, network backup environments, network infrastructure (such as firewalls, routers, and switches), and organizational workstations and servers. This is because cyber insurers have skin in the game and are aggressively trying to stem their record losses from 2020 (loss ratios approaching 72%, according to some industry studies). The gap between a regulator’s broad guidelines and the concrete controls a carrier demands before it will underwrite the risk has never been wider.
The Importance of MFA Everywhere
What this leads to is a simple conclusion: the FTC has not gone far enough in its update to the Safeguards Rule if the goal is comprehensive data protection for consumers. The reason is that traditional MFA solutions cannot protect companies against one of the main vectors used in ransomware attacks: command-line access.
Command-line tools such as PsExec, PowerShell remoting, and Windows Management Instrumentation (WMI) are used extensively by IT admins to remotely access the machines they manage. But attackers use the same tools for lateral movement once they have compromised a set of credentials (usually an admin’s): from one foothold they can execute commands on any host where those credentials are valid, without ever seeing a logon prompt. Lateral movement over these tools features in a large share of recent ransomware intrusions. This means a company could be in full compliance with the FTC while still exposed to the technique that actually spreads the attack.
Traditional MFA cannot be applied to these tools because the authentication protocols they ride on, Kerberos and NTLM, have no native second factor: a valid password hash or ticket alone completes the logon, so the MFA prompt that guards the interactive login screen never fires. Fortunately, there is a solution available: the Silverfort Unified Identity Protection Platform.
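The remote-execution tools above each leave a recognizable trail on the target host, which is what the rule’s monitoring and testing element can be pointed at even where MFA cannot gate the path. The following Python routine is an added example written for this article, not code from the original post or from any vendor product: it runs four rules over a constructed set of Windows event records (Security events 4624 and 4688, System event 7045, with real field names but made-up hosts, users and addresses) and flags PsExec’s service install, WMI-spawned processes, PowerShell remoting sessions, and one account fanning out over network logons to several hosts.

```python
"""Flag Kerberos/NTLM-authenticated remote execution (PsExec, WMI, PowerShell
remoting) in Windows event records: the access paths a logon-screen MFA prompt
never sees.  Example code for this article; sample events are constructed.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed sample events, reduced to the fields the rules need.  Event IDs
# and field names follow the Windows event schema:
#   4624 (Security)  an account was successfully logged on
#   7045 (System)    a service was installed
#   4688 (Security)  a new process was created (needs process-creation auditing)
SAMPLE_EVENTS: List[Dict] = [
    # Benign: an admin logs on interactively (type 2) at their own workstation.
    {"EventID": 4624, "Computer": "WS01", "TargetUserName": "jdoe", "LogonType": 2,
     "AuthenticationPackageName": "Negotiate", "IpAddress": "127.0.0.1"},
    # One set of admin credentials reused for network logons (type 3) on many servers.
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "adm.smith", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.23"},
    {"EventID": 4624, "Computer": "FS02", "TargetUserName": "adm.smith", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.23"},
    {"EventID": 4624, "Computer": "SQL01", "TargetUserName": "adm.smith", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.5.23"},
    # PsExec installs its helper service on the target before running the command.
    {"EventID": 7045, "Computer": "FS01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    # WMI remote execution: the WMI provider host spawns the requested process.
    {"EventID": 4688, "Computer": "SQL01", "SubjectUserName": "adm.smith",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    # PowerShell remoting: WinRM starts a host process for the remote session.
    {"EventID": 4688, "Computer": "FS02", "SubjectUserName": "adm.smith",
     "ParentProcessName": r"C:\Windows\System32\svchost.exe",
     "NewProcessName": r"C:\Windows\System32\wsmprovhost.exe"},
]


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_remote_exec(events: List[Dict], fanout_threshold: int = 3) -> List[Dict]:
    """Return one finding per remote-execution indicator found in `events`.

    Rules (all keyed on artifacts left on the *target* host):
      psexec_service  7045 with PsExec's default service name or binary.
                      Caveat: `psexec -r <name>` renames both, so do not rely
                      on this rule alone; the fan-out rule below still fires.
      wmi_exec        4688 whose parent is WmiPrvSE.exe (remote Win32_Process.Create).
      ps_remoting     4688 that creates wsmprovhost.exe (WinRM/PowerShell remoting).
      logon_fanout    one account, from one source IP, completing type-3 network
                      logons over NTLM or Kerberos on >= threshold distinct hosts:
                      credential reuse for lateral movement, whichever tool carried it.
    """
    findings: List[Dict] = []
    fanout: Dict[tuple, set] = defaultdict(set)

    for ev in events:
        eid = ev.get("EventID")
        host = ev.get("Computer", "?")
        if eid == 7045:
            if (ev.get("ServiceName", "").upper() == "PSEXESVC"
                    or _basename(ev.get("ImagePath", "")) == "psexesvc.exe"):
                findings.append({"rule": "psexec_service", "host": host,
                                 "detail": ev.get("ImagePath", "")})
        elif eid == 4688:
            parent = _basename(ev.get("ParentProcessName", ""))
            child = _basename(ev.get("NewProcessName", ""))
            user = ev.get("SubjectUserName", "?")
            if parent == "wmiprvse.exe":
                findings.append({"rule": "wmi_exec", "host": host, "user": user, "detail": child})
            if child == "wsmprovhost.exe":
                findings.append({"rule": "ps_remoting", "host": host, "user": user, "detail": child})
        elif (eid == 4624 and ev.get("LogonType") == 3
              and ev.get("AuthenticationPackageName") in ("NTLM", "Kerberos")):
            fanout[(ev.get("TargetUserName"), ev.get("IpAddress"))].add(host)

    for (user, src), hosts in fanout.items():
        if len(hosts) >= fanout_threshold:
            findings.append({"rule": "logon_fanout", "user": user, "source": src,
                             "hosts": sorted(hosts)})
    return findings


if __name__ == "__main__":
    for finding in detect_remote_exec(SAMPLE_EVENTS):
        print(finding)
```

The interactive logon by jdoe produces nothing; every finding comes from adm.smith’s credentials being presented over the network, which is exactly the traffic a logon-screen MFA prompt never sees. In production the same rules would read from a SIEM rather than a list, and the fan-out threshold should be tuned per environment, since a legitimate admin running a patch job also touches many hosts from one source in a short window.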
Silverfort offers the only product on the market that features continuous monitoring of all authentications for every user, every system, and every environment, both on-prem and in the cloud. That means Silverfort can enforce MFA across an entire IT ecosystem, including every single app, interface, and piece of infrastructure — providing exactly the type of holistic protection of customer data sources (wherever they reside and however they’re accessed) that the FTC aspires to require.
That’s good news for everyone: non-banking financial institutions can have confidence that their systems are not just FTC-compliant but also protected on the access paths the rule leaves unaddressed, while consumers can have faith that their confidential data is indeed well protected.