News & Blogs

FTC Announces New Safeguards Rule (2023)

cyber octet

What is The FTC Safeguards Rule?

The Federal Trade Commission, or FTC, was founded in 1914 by then-President Woodrow Wilson to protect consumers, investors, and businesses against anti-competitive or industry monopoly practices. Essentially, this meant encouraging competition and making it easier for others to enter the market area.

The Federal Trade Commission's significant significance in the US economy contributes to its smooth operation. They accomplish this by implementing different rules and regulations aimed at preventing anti-competitive, deceptive, and unfair corporate activities. The FTC safeguards rule is one such guideline for consumer protection.

This essay explains what the FTC protections regulation is, what the 2023 modification implies for your firm, and how to smoothly execute the rule. Let's get started right away!

Action Points

  1. The Gramm-Leach-Billey Act of 1999 established the FTC Safeguards Rule. Its goal is to ensure that financial organizations protect their customers' non-public personal information.
  2. The Safeguards Rule was updated in October 2023 to require non-banking financial organizations to notify the FTC within 30 days of a breach affecting 500 or more clients.
  3. According to the Safeguard Rule, enterprises must establish and implement an information security program that is appropriate for their size and complexity.
  4. Organizations subject to FTC jurisdiction must identify risks, establish safeguards, supervise service providers, and conduct frequent penetration testing to monitor security measures.

What Is the FTC Safeguards Rule?

The FTC Safeguards Rule, also known as the Standards for Safeguarding Customer Information, is a collection of regulations enacted as part of the Gramm-Leach-Billey Act (GLBA) of 1999. Its major purpose is to protect the personal information of consumers held by financial organizations. They must ensure the confidentiality and security of non-public personal data of consumers.

Banks, credit unions, insurance firms, and other companies that participate in financial activity are all referred to as "financial institutions" in this context. Social security numbers, credit histories, and account numbers are examples of non-public personal data.

The standard was established in 2003, however it was modified in 2021 to keep up with current technological advancements. In terms of protecting client data, the amended rule gives more solid direction for firms.

Gramm-Leach-Billey Act, 1999

The Financial Services Modernization Act of 1999 is another name for the 1999 legislation that replaced the Gramm-Leach-Bliley Act. The way financial organizations handle people's private information is governed by a US federal law. The act requires the implementation of safeguards for sensitive data and the disclosure of information-sharing policies. The Safeguards Rule, the Financial Privacy Rule, and the Pretexting provisions are the regulations under the GLBA.

Who Does The FTC Safeguards Rule Apply To?

The FTC Safeguards Rule primarily pertains to financial institutions that are within the purview of the FTC, as previously stated. In addition, as per the Gramm-Leach-Billey Act, the finance industry must not be subject to any additional regulatory enforcement powers.

Let's go straight to the point if you're wondering if your company is covered by the FTC's safeguards rule for financial institutions. The rule's Section 314.2 enumerates a few examples of organizations that fall under the category of financial institutions. Among them are:

  1. Mortgage brokers & lenders
  2. Payday lenders
  3. Finance companies
  4. Check cashers
  5. Collection agencies
  6. Credit counselors and other financial advisors
  7. Tax preparation firms
  8. Non-federally insured credit unions,
  9. Investment advisors who aren’t required to register with the SEC

The 2021 amendments to the Safeguards Rule add a new example of a financial institution – finders. Those are companies that bring together buyers and sellers and then the parties themselves negotiate and consummate the transaction. It is also key to note that even if your company wasn’t covered in the original rule, it is important to keep checking since the rule is under constant evolution.

Latest 2023 Amendment To FTC Safeguards Rule

On October 20, 2023, the FTC Safeguards Rule went into force as a result of the Gramm-Leach-Billey Act, which was passed 20 years earlier. In addition, the FTC announced a change to the regulation requiring non-banking financial firms under its purview to notify the agency of any data breach affecting 500 or more individuals.

What Is It?

The updated regulation primarily addresses notification events, which are characterized as the gathering of customer data without the consent of the affected customer. Within 30 days of learning about the breach, the impacted organization is required to notify the Federal Trade Commission (FTC) if the information of at least 500 individuals is compromised.

The organization then has to complete a form with the following information:

  • Name and contact information of the organization
  • Description of information type
  • Specific date or date range of the breach
  • The number of customers affected
  • A general description of the breach.

Who Does It Affect?

Are you wondering if your organization can benefit from the most recent amendment? The answer is definitely true if your business is a non-banking financial institution that is governed by the FTC, such as car dealers, payday lenders, and mortgage brokers.

Why Was It Enforced?Why Was It Enforced?

The purpose of the legislation was to make sure businesses handling such private financial data would be more forthcoming in the event of a data breach. The purpose of this disclosure agreement is to provide non-banking financial organizations with an additional incentive to protect their client information.

FTC Safeguards Rule Requirements For Your Company

The FTC mandates that you keep an information security program in place if your business is one of the financial institution's listed enterprises. To ensure that customers' private information is safeguarded, an administrative, physical, and technical safeguarding framework must be used in the development, implementation, and maintenance of the information security program.

Your company's information security program needs to match its scale and complexity. It should cover the kind and extent of your company's operations and guarantee the security and confidentiality of client data in line with those needs. Along with guarding against unauthorized access, the program should also guard against possible dangers, threats, or hazards to the security of the data.

Strategies To Implement FTC Safeguards Rule

Your information security program should have nine components, according the FTC Safeguards Rule. These are tactics to put into practice and keep your data secure.

  1. A Qualified Individual, an employee, or a service provider should implement and supervise your business’ information security program.
  2. Conduct a GLBA risk assessment to find internal and external threats to your customer’s non-public information.
  3. Design and implement safeguards to control the risks identified in the risk assessment.
  4. Regularly monitor and test the effectiveness of your safeguards through annual penetration tests or regular vulnerability scans.
  5. Train your staff and schedule regular refreshers on their responsibility in the information security program.
  6. Monitor your service providers, spell out clear security expectations, and build a way to monitor the provider’s work.
  7. Keep your information security program current by changing it based on learnings from your risk assessments, vulnerability scans, and penetration tests.
  8. Create a written incident response plan that includes the goals of the plan and internal response events to an incident.
  9. Your Qualified Individual should report to the Board of Directors in writing, regularly or annually providing an assessment of the company’s compliance with the program.

How Can Astra Security Help?

An organization called Astra Security specializes in penetration testing and vulnerability assessment. It offers 24/7 security testing services to evaluate internet-facing assets as rapidly and effectively as possible in order to find flaws. Astra Security conducts penetration testing using experienced professionals who are aware of weaknesses in payment gateways and your company's information security policies.

It gives users the option to search for particular compliances that an organization requires. Astra offers compliance-specific scans for PCI-DSS, HIPAA, SOC2, ISO 27001, and GDPR. Following the completion of your penetration test and the patching of all vulnerabilities found, your organization's security measures are certified with an Astra Pentest certificate that has a 180-day validity period.


within the Gramm-Leach-Billey Act of 1999, the FTC Safeguards Rule was put into place to guarantee that companies that fall within the FTC's purview secure the personal information of their customers. As per the 2023 update to the FTC Safeguards Rule, non-banking financial institutions, including mortgage businesses and car dealers, are also required to notify the FTC in the event of a breach that impacts over 500 clients.

Hackers are becoming more creative these days in their attempts to steal personal data for nefarious ends. As a result, it is your duty as a company to stay current with security measures to make sure that your clients are spared from such a situation.

Regularly do vulnerability scans, penetration testing, and risk assessments to make sure your business's FTC-mandated information security program is current and equipped to safeguard the data of your clients.


Financial institutions are required by the FTC Safeguards Rule, also known as the Standards for Safeguarding Customer Information under the Gramm-Leach-Bliley Act (GLBA), to establish and maintain extensive information security programs to safeguard the non-public personal information of their customers.

Financial organizations must control service providers, evaluate risks, create written information security programs, put safeguards in place, and routinely check security measures using vulnerability assessments or penetration testing.

Financial institutions under the FTC's authority, including banking and non-banking, are subject to the FTC Safeguards Rule. The FTC or other supervising regulatory agencies may take regulatory action against any such corporation that violates the law and levy fines or penalties.