In October 2021, the United States Federal Trade Commission (FTC) announced changes to the Safeguards Rule, requiring greater security measures from “non-banking” organizations handling and transacting consumer financial data. The deadline for compliance is June 9, 2023.
What does the FTC Safeguards Rule require?
The FTC Safeguards Rule applies to U.S. businesses that are “significantly engaged” in providing financial products or services, regardless of their size. The FTC’s definition of a financial institution covered by the Safeguards Rule includes many types that may not typically describe themselves in that way.
Businesses covered by the FTC Safeguards Rule are required to develop, implement, and maintain a comprehensive security program to protect their customers’ information.
This program should have the following objectives:
- Ensure the security and confidentiality of customer information
- Protect against anticipated security threats
- Protect against unauthorized access to customer information
It’s important to remember the Safeguards Rule requires mitigation of “reasonably foreseeable internal and external risks” – in other words, protection against data breaches, data leakage, phishing, and ransomware.
That’s good business practice anyway. If your day-to-day business is operational and productive and not offline due to a malware attack, then your business can achieve its goals, whether those are profit, growth, long-term wealth for you and your employees, or solving customer problems.
Developing a cybersecurity program
Practical steps your business can take immediately to develop a comprehensive security program include deploying a flexible product like Cisco Umbrella, which lets you roll out DNS-layer security in 24 hours to begin demonstrating compliance. Umbrella also allows you to incrementally add further layers of protection to comprehensively address both compliance and security needs, leveraging features like:
- Data loss prevention (DLP)
- Cloud access security broker (CASB)
- Remote browser isolation (RBI)
- Malware inspection
- Web security features
All of these solutions are managed from a single browser interface.
But how do you begin identifying those risks for the security program required by the FTC Safeguards Rule? One method is to leverage the MITRE ATT&CK framework, a global knowledge base of adversary tactics and techniques based on real-world observations.
Using MITRE ATT&CK as a frame of reference, here are a few key risks that may be important to include in your FTC Safeguards Rule security program, with specific Cisco Umbrella ways to mitigate them:
Mixed-mode workstation risks
| Risk | MITRE ATT&CK | Mitigations |
| --- | --- | --- |
| Systems with customer financial information also used for personal activities subject to drive-by compromise, phishing, and valid account compromise. | Drive-by Compromise; Browser Session Hijacking; Command and Control (Web); Command and Control (DNS) | Umbrella Remote Browser Isolation protects against browser-based threats; Umbrella DNS security detects/mitigates ransomware, C&C, phishing; Umbrella secure web gateway analyzes content via sandboxing, blocks risky sites; Umbrella SNORT IPS detects malware; Umbrella CASB controls app access, secures resources on shared domains |
On their personal time, employees may use business laptops, desktops, and mobile phones for their own personal usage, watching videos, browsing, posting social media updates, etc. This can introduce risks and vulnerabilities, because those same devices access customer information during working hours.
Phishing attacks
| Risk | MITRE ATT&CK | Mitigations |
| --- | --- | --- |
| Trick users into clicking links that download malware or direct them to malicious websites where identity is compromised. | Phishing | Umbrella DNS mitigates phishing attempts, and protects users from accessing known malicious domains and websites – before connections are made; Umbrella Secure Internet Gateway (SIG) adds additional security, with Secure Web Gateway functionality that can block access to compromised websites designed to steal personal information |
Phishing attacks often involve creating fake links that appear to be from a legitimate organization using methods like email, text messages, and fake online ads. The victim may be lured into clicking a link where malware is then downloaded to their device, or they may be redirected to a malicious website where they are tricked into providing their credentials, which are then stolen.
Ransomware and data destruction
| Risk | MITRE ATT&CK | Mitigations |
| --- | --- | --- |
| Data and file destruction or encryption to interrupt business operations | Data Destruction; Data Encrypted for Impact | Umbrella blocks access to malicious IP addresses, websites; Umbrella disrupts adversary Command & Control Callbacks; Umbrella CASB blocks unauthorized access to cloud applications and their data |
Ransomware is a specific type of malware designed for the purpose of extorting money from victims. It prevents targeted organizations from accessing their IT systems (servers, databases, workstations, etc.) until a ransom is paid, with the threat of data destruction unless payment is made. A phishing attack can be the delivery method to introduce ransomware into your business.
Cloud data exfiltration
| Risk | MITRE ATT&CK | Mitigations |
| --- | --- | --- |
| Adversaries may access data from improperly secured cloud storage and package it to avoid detection during removal. | Data from Cloud Storage | Detection of data exfiltration via DNS tunneling events; DLP capabilities for detecting and blocking sensitive data in motion from leaving your on-premises and cloud-based systems; Cloud DLP can identify sensitive data in cloud data stores; CASB functionality can limit access to high-risk cloud applications |
Data exfiltration is a security concern for all businesses, independent of whether the data is stored on-premises or in the cloud. Businesses utilizing the cloud to host applications and customer data do not control the physical network infrastructure. In public clouds, the network fabric of the hosting provider is shared, and there is no perimeter in the traditional sense. Securing data in the cloud requires new security approaches and methods of monitoring and controlling data access.
Start getting compliant today
It’s important for businesses to deploy security products that are easy to use, flexible, and allow them to move towards compliance in 24 hours and then add on additional layers of security protections to improve their overall business posture. Cisco Umbrella meets business needs for compliance, security, and productivity.
In environments where compliance is a cost of doing business, there is no time to lose. Implement Umbrella and begin checking off critical items for demonstrating FTC Safeguards Rule compliance in days — not weeks or months.
Want to learn more about how Cisco Umbrella can help you on your road to compliance? Check out our White Paper on the FTC Safeguards Rule. And if you’d like to give Umbrella a try yourself, be sure to sign up for a free trial.