If you’re an IT Managed Service Provider (MSP), you need to be aware of the new regulations put in place by the Federal Trade Commission (FTC) that come into effect on June 9th, 2023. In response to the changing threat landscape in the cloud, the FTC has updated the guidelines that businesses must follow to meet the new cybersecurity requirements for keeping sensitive client data secure.
These regulations, known as the new FTC Safeguards Regulations, will affect your clients who operate in the following verticals:
- CPAs
- Mortgage lenders
- Mortgage brokers
- Motor vehicle dealers
- Payday lenders
- Finance companies
- Account services
- Check cashing companies
- Wire transferors
- Collection agencies
- Credit counselors
- Financial advisors
- Tax preparation firms
- Non-federally insured credit unions
- Investment advisors
What are the FTC Safeguards Regulations?
The new Safeguards require businesses to implement and maintain reasonable cybersecurity measures to protect sensitive customer information. The regulations aim to ensure that businesses that handle sensitive customer information take appropriate steps to safeguard that information against data breaches and other cybersecurity threats.
What do the FTC Safeguards Regulations mean for MSPs?
The FTC Safeguards Regulations will have a significant impact on MSPs that provide services to clients in the industries listed above. MSPs will need to ensure that they have appropriate safeguards in place to protect sensitive customer information, and they will be required to demonstrate compliance with the regulations. This is a fantastic opportunity for MSPs to upsell new services to existing clients, including enforcing least-privilege access, MFA, tracking of data locations, encryption, application assessments, customer data disposal, and activity logs.
To ensure compliance with the FTC Safeguards Regulations, MSPs must ensure that their affected clients meet the following nine requirements:
FTC Requirement 1: Designate A Qualified Individual
The first step is to designate a qualified individual who will be responsible for communicating the organization’s risk posture, activity status, and outcomes from the executive level down to the operational level. This is a great way for MSPs to become the mandatory qualified individual at a client site or to upsell vCIO services.
FTC Requirement 2: Conduct a Cyber Security Risk Assessment
The second step is to conduct a comprehensive cybersecurity risk assessment. This assessment helps ensure that the cybersecurity controls you choose are appropriate to the risks your organization faces. As part of this assessment, MSPs should focus on application inventories, multi-factor authentication, penetration testing, and activity logs.
FTC Requirement 3: Design & Implement Safeguards
The third step involves following a seven-step process to design and implement safeguards: periodic review, tracking of data locations, encryption, application assessments, multi-factor authentication, customer data disposal, and activity logs.
FTC Requirement 4: Monitor Your Systems & Evaluate
The fourth step involves continuous monitoring and penetration testing of your systems to ensure compliance. If your clients are still on an ‘as needed’ contract with your business, this is a great opportunity to convert them to fully managed contracts.
FTC Requirement 5: Employee Training & Monitoring
The fifth step involves providing security awareness training to your employees and scheduling regular refreshers. It is also important to provide specialized training for employees, affiliates, or service providers with hands-on responsibility for carrying out your information security program.
FTC Requirement 6: Monitor Your Service Providers
The sixth step involves monitoring your service providers to ensure that they are also in compliance with the FTC Safeguards Regulations.
FTC Requirement 7: Keep Your Program Current
The seventh step involves regularly monitoring and analyzing security events and feeding the lessons learned back into security awareness training for your staff.
FTC Requirement 8: Incident Response Plan
The eighth step involves having a mandatory incident response plan in place that sets out the goals of the plan, your internal response processes, and a breakdown of roles, responsibilities, and authorities.
FTC Requirement 9: Reporting To The Board Of Directors
The final step involves the qualified responsible person organizing and periodically presenting relevant materials to the Board of Directors. These materials should include the results of cybersecurity risk assessment scans, action plans, safeguard results, monitoring, and penetration testing results.
As MSPs, we need to ensure that our affected clients know that failure to comply with the FTC Safeguards Regulations could result in serious consequences, such as fines and damage to their reputation. Therefore, it is crucial for them to take the necessary steps to ensure compliance and protect their sensitive customer information.
In conclusion, the FTC Safeguards Regulations are an essential development that MSPs must understand and comply with to protect their affected clients’ sensitive information. By following the nine requirements outlined above, MSPs can ensure compliance and prevent data breaches that could harm both their clients and their own business.