On November 15, 2022, the Federal Trade Commission (FTC) announced that it is delaying the effective date of certain changes to the Gramm–Leach–Bliley Act Safeguards Rule. The Safeguards Rule, which first took effect in 2003, imposes information security requirements on financial institutions under the FTC’s jurisdiction, i.e., non-bank financial institutions. The FTC amended the Rule in December 2021; most of the amended provisions took effect on January 10, 2022, but several sections were scheduled to become operative on December 9, 2022. The FTC’s decision extends the compliance deadline for those provisions by six months. Specifically, the following changes to the Safeguards Rule will now take effect on June 9, 2023:
- 16 C.F.R. § 314.4(a): This subsection requires covered financial institutions to designate a “Qualified Individual” responsible for overseeing, implementing, and enforcing the information security program. The Qualified Individual may be an employee of the institution, of an affiliate, or of a service provider. If the role is filled by an affiliate or service provider, the institution must retain responsibility for compliance with the Rule, designate a senior member of its own personnel to direct and oversee the Qualified Individual, and require the affiliate or service provider to maintain an information security program that protects the institution in accordance with the Rule.
- 16 C.F.R. § 314.4(b)(1): This subsection requires the development of written risk assessments.
- 16 C.F.R. § 314.4(c)(1)–(8): This subsection requires the design and implementation of safeguards to control the risks identified through the written risk assessment, and enumerates the safeguards that must be included: access controls that limit access to authorized users and to what they need; an inventory of the data, personnel, devices, systems, and facilities in scope; encryption of customer information in transit over external networks and at rest; secure development practices for in-house applications; multi-factor authentication for any individual accessing an information system; secure disposal of customer information no later than two years after its last use for a customer; change management procedures; and monitoring and logging of authorized users’ activity to detect unauthorized access.
- 16 C.F.R. § 314.4(d)(2): This subsection requires that information systems be subject to continuous monitoring or, absent effective continuous monitoring, to annual penetration testing and to vulnerability assessments at least every six months and whenever there are material changes to operations or business arrangements, or other circumstances that may materially affect the information security program.
- 16 C.F.R. § 314.4(e): This subsection requires covered entities to provide security awareness training to personnel, to use qualified information security personnel, to give those personnel training sufficient to address the relevant risks, and to verify that key security personnel keep their knowledge of threats and countermeasures current.
- 16 C.F.R. § 314.4(f)(3): This subsection requires periodic assessments of service providers’ risk and safeguards.
- 16 C.F.R. § 314.4(h): This subsection requires a written incident response plan designed to promptly respond to, and recover from, any security event that materially affects the confidentiality, integrity, or availability of customer information in the institution’s control.
- 16 C.F.R. § 314.4(i): This subsection requires the qualified individual to submit a written report at least annually to the business’s governing body, or if such governing body does not exist, a senior officer responsible for the information security program.
The FTC’s notice of the new effective date gave three reasons for the decision: (1) a reported shortage of “qualified personnel to implement information security programs”; (2) supply chain issues delaying delivery of necessary security equipment; and (3) the effects of the COVID-19 pandemic. The FTC explained that these issues made it especially difficult for small institutions to come into compliance by the original deadline of December 9, 2022. Commissioner Christine Wilson, who voted against the 2021 amendments to the Rule, wrote a separate concurring statement noting that the new Safeguards Rule imposes “onerous, misguided, and complex obligations” on financial institutions.