Hey, my name is Matthew Mulcahy.
I’m the Director of Business Development at ProSource.
I wanted to touch on some recent rule changes from the Federal Trade Commission.
So the Federal Trade Commission has had a comment period open
for the safeguards rule, asking for feedback and proposed changes.
That comment period has closed and has solidified any changes to the rulemaking.
So for those of you that don’t know what the safeguards rule is,
it’s a rule set of cybersecurity requirements
that are meant to help businesses protect consumer financial data.
If you’re a business that is asking for non-public
financial data from consumers, these rules apply to you.
[You] could be an auto dealership doing financing, could be a CPA firm working on
taxes, could be a financial advisor helping with investments —
if you are working with non-public financial information, this is important.
So I’ll link down below a little deeper article
that shows more granularly the rules for businesses.
But what I really wanted to touch on
were the solidified cybersecurity requirements.
So let’s hop down to that.
The first and most important thing,
we see this in HIPAA with a designated compliance officer,
but for the safeguards rule they’re asking you to designate
a named individual to champion this program.
This can be an internal employee or an external vendor, but they need
to be named.
That’s really the person that is going to take ownership of this
and help your business work through this program.
The next one is you have to conduct a risk assessment.
You can’t know where to go if you don’t know where you’re starting.
So this really helps you establish a baseline:
what we have in place and where are our gaps or where’s the risk?
So the first thing you have to do is understand where your current disposition
is and then chart the path forward.
There are a couple of specific controls here based on your risk assessment,
you know, access controls, understanding where your data lies.
Encrypting data in transit and at rest.
So when you’re transferring it internally or externally.
And where you’re storing that data needs to be encrypted.
Understanding access to apps, multi-factor authentication,
whether that’s a push notification or hard token, an SMS text
message, there’s a bunch of ways you can do that.
You know, making sure you’re disposing of customer information securely.
Anticipate and evaluate changes to your IS systems.
Really, that’s just, well, practice change management
and then maintaining a log of authorized users’ activities
and making sure that no one is improperly accessing your systems.
So they want you to really put some fundamental cybersecurity
best practices in place and then ongoing
testing of those cybersecurity controls.
So one of the most important things down here is training your staff as well.
Your weakest link is your staff.
They can click a link that kneecaps your entire cybersecurity infrastructure
and circumvents all those great controls you have in place and you’re paying for.
Monitoring your service providers: You have to have,
you know, expert outside help in most cases.
We know this is a problem with cybersecurity talent shortages.
So it’s very important to work with a competent provider that can help
you fill those cybersecurity gaps
because you probably don’t need a full time cybersecurity person for this.
Making sure your program’s current and then having a written incident
So if something goes wrong,
you know, what I tell everyone is you can never be 100% safe.
You always have to care for that 1% chance that something is going to happen.
And in the event that thing does happen,
you have a written plan for how to address that.
And then last but not least, your qualified individual,
whether that’s an inside provider,
I’m sorry, whether that’s an outside provider or an inside resource,
they have to report to your board or your owner.
So they’re making sure that
there’s no plausible deniability from the C-suite anymore.
You can’t say, I didn’t know this was happening.
You know, there have been too many scenarios where people
have just said that I wasn’t aware, I didn’t know this was going on.
I didn’t know that we needed to do this.
And that’s just not going to be an acceptable excuse anymore.
So a great update, I think, from the FTC.
But yet again, another federal agency pushing down rules that might
contrast with a different agency.
So all this is a lot to keep up with.
If you’re wondering how this applies to your organization, feel free to reach out.
We run a free IT double-check, and it touches on pretty much all
the pieces here and will help you begin your risk assessment: really know
where you lie and where the gaps are in terms of alignment to the safeguards ruleset.
So thanks so much for watching.
If you like the video, like it below
and if you have any questions, feel free to DM us.
Once again, Matt from ProSource. I’m the Director of Business Development.
I hope you have a great day. Thanks. Bye.