Breaking Down the Safeguards Rule Incident Response Plan Requirement

The Federal Trade Commission (“FTC”) has given financial institutions six additional months to comply with the new Safeguards Rule requirements. Auto dealers who offer financing to consumers and finance companies that take assignment of retail installment sales contracts from dealers are financial institutions under the Safeguards Rule. Regardless of your level of skill, entry-level safeguards technicians to experts skilled in technical controls, examining the incident response requirements imposed by the Safeguards Rule to ensure compliance by the June 9, 2023 deadline is key.

Under the recently amended Safeguards Rule, a financial institution must have a written incident response plan (“IRP”). An IRP is a documented roadmap on how a “security event” will be handled. A security event occurs when there has been “unauthorized access to, or disruption or misuse of, an information system or information stored on such information system, or customer information held in physical form.” The FTC provides the example of a ransomware attack that results in the encryption of customer information such that the financial institution is no longer able to use the information.

IRPs can and should be very detailed step-by-step instruction manuals. The Safeguards Rule requires IRPs to be “designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in your control” and to address the following seven areas:

1. Goals. The Safeguards Rule requires that an IRP include goals, but it does not specify which goals must be included. The goals of an IRP can be simple and often include the financial institution’s intent to prepare for a security event, identify a security event, stop the event from causing further damage, fix the damage caused by the event, and return to a pre-event state.

2. Internal Processes for Responding to a Security Event. Processes are usually written in enough detail that a person with entry-level knowledge could complete the process in its entirety. For example, the process might list initial technical steps to be taken upon discovery of a potential security event and how a response team is to be mobilized to respond to the event. The process might list, by name and title, those individuals that are part of the team and include instructions for how team members should be contacted and what to do if a member cannot be reached.

3. Roles, Responsibilities and Levels of Decision-Making Authority. This area of an IRP often identifies people by name and explains each person’s job if there were a security event.

4. External and Internal Communications. A proactive communications plan can go a long way in preparing and responding to a security event. This plan should detail who should have contact with the media and who needs to review any press releases prior to their publication.

5. Remediation. Any identified weaknesses in information systems or controls that led to the event must be remediated according to specific requirements, which must be detailed in the IRP according to the Safeguards Rule. Typically, a financial institution will identify broad categories of attacks that could be made on information systems and controls and include particular measures to begin the remediation process. For example, one requirement could be to force password changes if an information system has been compromised.

6. Documentation and Reporting. The Safeguards Rule requires that financial institutions document and report security events appropriately. Like all good compliance programs, proper documentation of a security event is key to understanding what happened and why. The Safeguards Rule also requires that the qualified individual report in writing to the financial institution’s board of directors or similar body on various topics, including any security events.

Additionally, while not part of a Safeguards Rule requirement, all states have enacted data breach laws that dictate when notice is required and to whom the notice must be sent. A thorough review of these state laws, along with any federal requirements applicable to the financial institution, should be completed prior to a security event.

7. Post-Mortem. Following a security event, a financial institution must evaluate the IRP and revise it as necessary to provide the most effective response to a future security event.

As a proactive measure, financial institutions should conduct training sessions (or tabletop exercise) to test the IRP prior to an actual event. Tabletop exercises, especially those modeled after real life security events, can provide valuable insight into how an IRP can be improved. Practice makes perfect, so why not take your IRP for a test-drive to make sure it is in tip-top shape for an actual event?