Everything You Should Already Know About FTC Safeguards Compliance 

The deadline for complying with the updated FTC Safeguards Rule was June 9, 2023. Are you in compliance?

The Safeguards Rule requires any business entity that is categorized as a financial institution to comply with security principles designed to protect non-public personal information. Some companies that were not considered financial institutions under the previous Rule may be included in the new updated guidelines, so it’s important to check the policy language if you handle any individual customer financial records. This may include lines of credit, loans, or other finance information.

In this post, we’ll recap the key information in the update and show you how our tools can help you stay compliant. 

Who Is Covered?

The FTC Safeguards Rule applies to non-banking financial institutions not covered by another regulatory body. That definition includes many entities that may not be immediately obvious, including: 

  • Mortgage lenders (if not regulated by another consumer data privacy rule)
  • Mortgage brokers
  • Auto dealers
  • Finance companies
  • Financial advisors
  • Check cashing companies
  • Wire transfer service providers
  • Collection agencies
  • Tax preparation firms

Even if your company didn’t qualify as a financial institution under the original rule, it may apply to you now. It’s wise to periodically check the FTC definition of a financial institution, since updates may include additional business models. 

However, if your institution falls under another federal regulating body such as the SEC, the FTC Safeguards Rule will not apply to you. This includes banks, federally-insured credit unions, and many others.

What Are the Requirements of the FTC Safeguards Rule?

The Safeguard Rule addresses the implementation, assessment, and enforcement of information security measures. They are designed to identify and mitigate security risks and ensure data safety. Among other requirements, the Rule requires companies to:

Designate someone to oversee, implement, and enforce your security program.

You may designate a qualified individual on your internal team, or you may outsource to a third-party provider. If you choose to outsource, you should still have a designated representative internally to serve as point person.

Develop a written risk assessment of internal and external risks.

The risk assessment should identify threats that could result in misuse of data or unauthorized access and should describe risk mitigation strategies. Risk assessments should be conducted on a regular basis to re-examine safeguard efficacy.

Encrypt sensitive information.


Encryption is a defensive failsafe strategy designed to render information unusable, even if a cybercriminal gains access. It protects the confidentiality and integrity of data, and it is often a requirement for regulatory compliance.

Implement multi-factor authentication (MFA).

MFA adds an extra layer of security by requiring multiple identifiers such as a PIN, a code sent by text message, or a biometric in addition to a password. According to Microsoft, 99.9% of account compromise attacks can be blocked by MFA.

Implement access controls to authenticate, limit, and monitor authorized access to customer information. 

In addition to encryption and multi-factor authentication, access controls may include zero-trust architecture, secure coding practices, network segmentation, password management, privileged access management, and regular monitoring. These controls should monitor the activity of authorized users and detect any unauthorized activity they may engage in.

Test and assess security measures regularly.

Regular testing ensures that you can quickly identify and resolve vulnerabilities that could compromise the security of your data. 

How CyberFOX Helps You Comply

The standards set forth in the FTC Safeguards Rule are designed to protect customer data privacy, detect data leaks, prevent unauthorized access, and manage risk. CyberFOX can help you meet these goals with solutions that manage privileged access to sensitive data and prevent password compromise. Here’s how we do it:

Privileged Access Management (PAM): AutoElevate by CyberFOX

Privileged access management removes local admin rights so that all users operate with standard user accounts. Our solution secures accounts across all environments and allows you to set up custom rules to manage privileged access without frustrating end users.

AutoElevate by CyberFOX helps you meet the requirements for limiting and monitoring access to privileged accounts and protects your sensitive data. It also enables you to monitor authorized user activity so you can immediately detect anomalous incidents.

Password Management: Password Boss by CyberFOX

According to Verizon, 81% of data breaches are the result of weak or stolen passwords. Password Boss protects you from external threats in the form of stolen or misused credentials by delivering multi-layered password protections, including the multi-factor authentication required by the FTC Safeguards Rule.

Password Boss also uses role-based access, secure password sharing, multi-device access, auto-logins, and dark web scanning to help you stop password breaches and minimize risk.

What’s Next?

The FTC compliance deadline was June 9, 2023. If you didn’t realize your business was subject to these guidelines or you need to upgrade your current solutions, now is the time to act. Even if you do have a security program in place that meets the guidelines, it’s a good idea to periodically review your solutions and ensure that they can provide the best security protection available. 

At CyberFOX, we specialize in helping MSPs and IT professionals close security gaps and mitigate risk. Contact us today to start your free trial!