Commission proposes that supplement would require reporting of certain cyber events.
Covers security incidents where misuse of customer information is probable and/or the activities impact at least 1,000 consumer profiles, with reporting within 30 days of the event.
To this end, commission requests stakeholder feedback on the thresholds outlined: the 30-day window to report and the adequacy of the impact threshold of 1,000 consumers.
Should event take place, firm to report contact information, information allegedly involved in security incident, and the date or date range of the alleged cyber event.
Commission would use information to create public database of reported incidents.
Consultation
Authority requests feedback on Safeguards rule supplement on or before Feb. 7, 2022.
Feb. 2022 BPI, SIFMA Comment
On Feb. 8, 2022, BPI and SIFMA issued comment on proposed FTC safeguards rule.
Stated that amendment, as currently drafted, could create operational and compliance challenges without necessarily achieving the stated intent in an effective manner.
Said FTC should coordinate with other regulators, to avoid duplication in reporting.
Rule should avoid redundant regulation of private funds and complex financial groups.
Intra-government data sharing is crucial, FTC should join existing reciprocity systems.
Reported data should be confidential; FTC should clarify threshold for requiring notice.
Oct. 2023 FTC Final Safeguards Rule
On Oct. 27, 2023, FTC reported amendments made to the Safeguards Rule, to require non-banking institutions to report data breaches and other security events to the FTC.
Financial entities must report breaches affecting over 500 customers within 30 days.
Requires notification if unencrypted customer info was acquired without authorization.
Notice must include name/contact, event date/description, no. of affected consumers.
Requirement effective 180 days after pending publication of the rule in the Federal Register.
Nov. 2023 FTC Fed Register Final Rule
On Nov. 13, 2023, FTC published final rule in the Fed Register to amend the standards for safeguarding customer information and require financial institutions to report to the FTC.
Report any event where unencrypted information of 500 consumers or more is acquired without authorization; rule will become effective on May 13, 2024.