
FTC Safeguards - Identifying and Evaluating Your Risks

Writer: Luke Kiely

Updated: Jul 30, 2024

Section 314.4 (b)


As a financial institution handling customers' personal and financial data, you face a constant stream of threats that could lead to that information being breached, misused or destroyed. Complying with the Federal Trade Commission's Safeguards Rule means implementing a written, comprehensive information security program - but where do you start?


The answer lies in conducting a thorough risk assessment - something the Rule itself requires in 16 CFR 314.4(b). Only by first identifying and evaluating the risks to your customer data can you select security controls and processes that actually address those risks, rather than a generic checklist.



At its core, the risk assessment process involves two fundamental steps:

  1. Data Inventory and Mapping. Before you can assess risk, you need to understand what customer data you collect and store, where it lives, how it flows through your systems and environment, and who has access to it. This data mapping exercise should account for all formats - digital records, paper files, archives, backups, etc. Leave no stone unturned.

  2. Threat Identification and Analysis. With your data inventory complete, you can then systematically identify, document and prioritize potential risks to that information based on factors like:

  • Data type/sensitivity (financial, health, personal identifiers, etc.)

  • Storage locations and platforms (cloud, databases, mobile devices, etc.)

  • Internal/employee risks (negligence, unauthorized access, etc.)

  • External/cybercriminal threats (malware, hacking, social engineering, etc.)

  • Business processes, applications and system vulnerabilities

  • Physical environment risks (natural disasters, facilities issues, etc.)

  • Regulatory/compliance obligations


For each risk scenario, your assessment should estimate the probability of occurrence as well as the potential impact in terms of reputational damage, operational disruption, legal exposure and overall harm to customers.


Importantly, the Safeguards Rule requires this risk assessment to be written. Under 314.4(b) it must set out the criteria used to evaluate and categorize identified risks, the criteria for assessing the confidentiality, integrity and availability of your systems and customer information, and how each identified risk will be mitigated or accepted. In practice that means fixing your likelihood and impact scales before scoring anything, recording the evidence behind each score, and applying the same scales to every scenario so that results are comparable across reviewers and across years.
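The two steps above, plus the documentation requirement, can be captured in a very small data structure. The following is an added example, not code from the article, the FTC or any particular product: a data inventory feeds a risk register whose entries are scored on fixed ordinal scales, rejected if they lack evidence or a treatment decision, and ranked. It also derives candidate scenarios directly from the inventory (sensitive data on portable or paper media, or readable by everyone), which is the kind of finding a data map is supposed to surface. All assets, risks, scales and scores are constructed sample data.

```python
"""Data inventory and risk register for a Safeguards Rule risk assessment.

Added illustration only; not from the FTC or the article. Every asset, risk
and score below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Consistent evaluation criteria (314.4(b)(1)): every risk is scored on the
# same two ordinal scales, so scores are comparable across reviewers.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
SENSITIVE = {"financial", "health", "ssn"}   # data types that warrant extra scrutiny


@dataclass
class Asset:
    """One row of the data inventory / data map."""
    name: str
    data_types: set        # categories of customer data held
    location: str          # "database", "cloud", "mobile", "paper", ...
    access: set            # groups or roles that can read the data


@dataclass
class Risk:
    """One scenario in the written risk assessment."""
    rid: str
    asset: str             # must reference an inventory entry
    threat: str
    likelihood: str        # key of LIKELIHOOD
    impact: str            # key of IMPACT
    evidence: str          # what the scores rest on: pentest, tickets, audit log
    mitigation: str        # planned treatment, or "accept" (314.4(b)(3))


def validate(risk: Risk, inventory: Dict[str, Asset]) -> List[str]:
    """Reasons a risk entry cannot go into the written assessment as-is."""
    problems = []
    if risk.asset not in inventory:
        problems.append(f"{risk.rid}: asset '{risk.asset}' is not in the data inventory")
    if risk.likelihood not in LIKELIHOOD:
        problems.append(f"{risk.rid}: likelihood '{risk.likelihood}' is not on the defined scale")
    if risk.impact not in IMPACT:
        problems.append(f"{risk.rid}: impact '{risk.impact}' is not on the defined scale")
    if not risk.evidence.strip():
        problems.append(f"{risk.rid}: no evidence recorded for the scores")
    if not risk.mitigation.strip():
        problems.append(f"{risk.rid}: no mitigation or explicit acceptance recorded")
    return problems


def score(risk: Risk) -> int:
    """Likelihood x impact on the fixed scales; higher means address first."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def prioritize(risks: List[Risk], inventory: Dict[str, Asset]) -> List[Tuple[int, str]]:
    """Rank only the entries that pass validation; invalid ones must be fixed, not ranked."""
    valid = [r for r in risks if not validate(r, inventory)]
    return sorted(((score(r), r.rid) for r in valid), reverse=True)


def candidate_risks(inventory: Dict[str, Asset]) -> List[str]:
    """Scenarios the data map itself implies and the register should cover:
    sensitive data on portable or paper media, or readable by all staff."""
    out = []
    for a in inventory.values():
        sens = sorted(a.data_types & SENSITIVE)
        if not sens:
            continue
        if a.location in {"mobile", "paper"}:
            out.append(f"{a.name}: {sens} held on {a.location} media (loss/theft)")
        if "all_staff" in a.access:
            out.append(f"{a.name}: {sens} readable by all staff (excess access)")
    return out


# Constructed sample inventory (hypothetical systems).
INVENTORY = {
    "loan_db": Asset("loan_db", {"financial", "ssn"}, "database", {"dba", "loan_ops"}),
    "field_tablets": Asset("field_tablets", {"financial"}, "mobile", {"all_staff"}),
    "crm": Asset("crm", {"contact"}, "cloud", {"all_staff"}),
    "archive_boxes": Asset("archive_boxes", {"financial", "ssn"}, "paper", {"records"}),
}

# Constructed sample register. R4 is deliberately defective: unknown asset, no evidence.
RISKS = [
    Risk("R1", "loan_db", "SQL injection via customer portal", "possible", "severe",
         "2024 pentest finding P-3", "parameterize queries; patch portal"),
    Risk("R2", "field_tablets", "lost or stolen device", "likely", "major",
         "12 device-loss tickets last year", "MDM with full-disk encryption and remote wipe"),
    Risk("R3", "crm", "phishing of staff credentials", "likely", "moderate",
         "phishing simulation click rate 18%", "MFA; targeted training"),
    Risk("R4", "hr_share", "ransomware", "possible", "major", "", "accept"),
    Risk("R5", "archive_boxes", "flood in basement storage", "unlikely", "major",
         "facilities report 2023", "move to climate-controlled offsite storage"),
]

if __name__ == "__main__":
    for r in RISKS:
        for p in validate(r, INVENTORY):
            print("REJECT", p)
    print("ranked:", prioritize(RISKS, INVENTORY))
    print("from data map:", *candidate_risks(INVENTORY), sep="\n  ")
```

Two design choices matter here. Entries that fail validation are excluded from the ranking rather than scored with a default, so a gap in evidence or an undocumented treatment decision cannot quietly become a low-priority risk. And `candidate_risks` is a cross-check, not a replacement for analysis: if the register has no entry for a scenario the data map implies, that is a finding in its own right.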


The cybersecurity landscape and your business operations are constantly evolving, so neither your data map nor risk assessment can be static, one-time exercises. The FTC mandates that you revisit and update these foundational components on a regular basis - at minimum, whenever you experience changes to your:

  • Technology environment and data footprint

  • Internal processes, applications and IT infrastructure

  • Business operations, products/services and third-party relationships

  • Physical facilities and workforce

  • Overall threat profile based on current events and trends


By starting with an in-depth, continuously updated understanding of your unique data landscape and risks, you'll be able to design and maintain an information security program that truly meets the intent of the FTC Safeguards Rule. You'll have clarity into where to prioritize your defence efforts and resource investments for maximum impact.


From there, you can address the subsequent requirements around implementing appropriate administrative, technical and physical safeguards; managing service providers and employee training; developing an incident response plan; and overseeing the program through designated leadership.


But it all begins with taking a hard look at what data you need to secure and what could potentially compromise it. Conduct that rigorous risk assessment first and you'll have the right foundation for Safeguards Rule compliance and robust data protection.
