Why the FTC Safeguards Rule Complements Cyber Insurance
The Federal Trade Commission updated its Standards for Safeguarding Customer Information under the Gramm-Leach-Bliley Act, commonly referred to as the FTC Safeguards Rule. Brokers often take on the role of informal risk advisor for their clients, and in that context, will benefit from a better understanding of the FTC Safeguards Rule.
As of June 9, 2023, non-banking financial institutions* are required to protect consumer information by implementing an information security program. The updates to the FTC Safeguards Rule ("Rule") will prompt many organizations to reevaluate their data protection and cybersecurity strategies.
Covered organizations with cyber insurance policies will likely have an advantage over those without, because many Rule requirements are consistent with the cyber hygiene measures that an insurance provider like Coalition imposes on policyholders to improve their risk posture and protect their business. The Rule may also increase demand for innovative cyber insurance products that combine security services with financial risk mitigation, as organizations may seek coverage to bolster their data protection and cybersecurity posture.
Overview of the FTC Safeguards Rule
The Rule requires certain non-banking financial institutions, subject to the FTC's jurisdiction, to develop, implement, and maintain an information security program ("Program") to protect consumer information. The Program should include measures to protect customer information, which the FTC defines as "any record containing nonpublic personal information about a customer of a financial institution." The Rule does not distinguish between physical or digital information.
Simply put, covered organizations must implement a written Program or plan containing the steps they are taking to protect customer data, and that plan must be tailored to the size of their organization and the complexity of the data they handle. The plan should also contain measures to defend against cyber threats and prevent unauthorized access to information.
Violations of the Safeguards Rule can result in fines, adding to an already costly experience if the noncompliance is discovered during the course of a cyber-related business disruption.
Understanding the Information Security Program requirements
Many Rule requirements parallel the best practices cyber insurance companies impose on policyholders. Consequently, cyber insurance policyholders may already have appropriate controls in place, or at least will have a solid foundation from which to improve.
The Rule requires that covered organizations, among other things:
Conduct a risk assessment: Risk assessments are an important first step in developing an information security program. Coalition offers risk assessments that include actionable mitigation steps.
Implement multi-factor authentication (MFA): The FTC calls on covered entities to implement MFA to control access to customer data. MFA can also reduce the likelihood of experiencing cyber incidents, such as funds transfer fraud, by requiring additional verification to access business accounts.
Create a written incident response plan: Incident response plans are living documents that help guide organizations before, during, and after a cyber incident. They can also be useful when processing a cyber insurance claim.
Train employees: Human error is the root cause of many security incidents. However, that risk can be mitigated by training your employees to spot common attacks like email phishing and report them. Well-trained employees have helped to prevent and disrupt malicious cyber activity.
Monitor vendors: Mitigating the risk of supply chain disruptions can be difficult. Risk management platforms like Coalition Control™ provide businesses options to assess and monitor critical business partners both up and downstream.
Taken together, a Program containing these technical, administrative, and physical controls protects consumer data and reduces the likelihood of experiencing a cyber incident.
The FTC Safeguards Rule and cyber insurance
Brokers often take on the role of informal risk advisor for their clients, and in that context, must understand the FTC Safeguards Rule. Rule requirements are well-aligned with the recommendations and controls required to secure a cyber insurance policy. Insurtechs know that by implementing these controls, businesses have a more resilient cybersecurity posture, and they are better risks because they are less likely to experience a claim.
Insureds should understand that a cyber insurance policy that combines security services with traditional financial risk mitigation is only one element of a comprehensive security program, but it is an excellent place to start. For example, a Coalition Risk Assessment highlights an organization's security findings with prioritized recommendations and a risk impact score, empowering organizations to quantify their risks and take meaningful steps to mitigate them.
Additional support, such as pre-claims assistance, in-house experts, and monitoring services, is particularly important for small and mid-sized businesses; these are the tools they need to maintain a strong cybersecurity defense — a prerequisite to safeguarding customer data.
Guiding clients to understand their cyber risks
The FTC Safeguards Rule demonstrates the government's continued commitment to aligning cybersecurity best practice with business standards.
Brokers should remind their clients that for a full explanation of the requirements, they should consult the FTC Safeguards Rule or other FTC business guidance resources.
New and prospective policyholders can evaluate their cyber risk using Coalition's Cyber Risk Assessment available within Coalition Control™.