Cybersecurity Newsletter

FTC Safeguards Rule (Extension)
Christmas came a bit early this year for those needing a little extra time for compliance with the new Federal Trade Commission (FTC) Safeguards Rule provisions that will be required for all Title IV institutions. The FTC announced an implementation deadline extension of six months with the new target date for compliance being June 9, 2023.

If you are not familiar with the Safeguards Rule, it’s a prescriptive list of regulations that strengthen the data security controls for organizations that collect and process customer personal information. In December of 2021, the FTC expanded the definition of non-banking financial institutions to include higher education institutions providing student financial aid. These new security controls include provisions such as requiring institutions to encrypt data at rest and in transit as well as requiring yearly risk assessments (among many others). Failure to comply with these regulations could result in fines for organizations that suffer from a data breach or cyber incident.

If you have questions about the cybersecurity requirements of the Safeguards Rule or how to implement them, please contact the cybersecurity team at SIG for additional information.

Cybercrime expected to skyrocket over next 5 years
A recent study from the research and analysis firm Statista offers a bleak outlook for those hoping for a reprieve from the barrage of cyber-attacks. Statista estimates that the global cost of cybercrime will rise from 8.44 trillion in 2022 to 23.84 trillion in 2027. The firm cites the increasing amount of information stored online, the prevalence of cloud computing and working from home, and the advances being made by cybercriminals as key factors in the increase in damages.

Studies like this one highlight the need for organizations to regularly budget for layered cybersecurity defense tools, staff members, and/or consultants. Cybercrime is still an emerging threat that continues to expand and threaten organizational success and excellence.

Service Spotlight: Tabletop Exercises
The time to plan how to respond to a cybersecurity incident is well in advance of the event occurring. Unfortunately, the reality for every organization is not IF a cyber incident will occur but rather WHEN one will present itself. Many organizations have prepared incident response plans and procedures to deal with these events, but those plans need to be tested to verify their effectiveness. Tabletop exercises are unique scenarios, developed by either internal staff or consultants, that are presented to test an organization’s response capabilities.

Leadership often does not understand that, when a cyber incident occurs, the response needed is a shared responsibility between information technology and other groups such as human resources, legal, finance, and management. Ideally, these exercises are performed with both technical and non-technical staff members (including leadership) to test the existing plans and identify gaps that need to be remediated. These exercises usually last just a few hours, and organizations emerge from them with a clear understanding of the response needed for specific types of incidents, along with updated plans and procedures that can be used to respond efficiently to cyber-attacks.
