FTC Safeguards Rule: What Auto Dealers Need to Know in 2025
The FTC Safeguards Rule amendments are now fully in effect. Auto dealerships that handle customer financial data must maintain a formal written information security program, designate a qualified individual, conduct annual penetration testing, and report to their board.
The number of reported cyberattacks continues to grow. In the financial sector, businesses face increasing pressure to meet cybersecurity compliance requirements. Non-compliance carries real consequences, including fines and regulatory scrutiny.
If you own or manage a business in the financial sector, the Federal Trade Commission (FTC) Safeguards Rule is among the regulations you must meet. This article covers what the Safeguards Rule requires, which businesses it applies to, and how to comply.
What Is the FTC Safeguards Rule?
The FTC Safeguards Rule was enacted in 1999 under the Gramm-Leach-Bliley Act (GLBA). It was designed to protect consumers by requiring financial institutions to safeguard their personal information. The rule took effect in 2003 and was amended in 2021 to keep pace with technology changes.
The amended rule is more specific and prescriptive. It defines exactly what financial institutions must do when handling, processing, storing, and securing customer data.
Which Businesses Are Covered?
The Safeguards Rule applies to financial institutions. These are businesses that engage in significant financial activities or activities incidental to financial activities. Covered businesses include:
- Payday lenders.
- Mortgage lenders and mortgage brokers.
- Finance companies.
- Collection agencies.
- Tax preparation firms.
- Investment advisors.
- Credit unions.
These companies are generally not required to register with the SEC. Covered institutions must build and maintain information security programs with physical, technical, and administrative safeguards.
How to Comply: The Nine Required Elements
A financial institution can only comply with the Safeguards Rule if its information security program includes all nine critical elements.
1. Designate a Security Officer
Assign a qualified individual to oversee your information security program. This person can be an employee or a managed IT services provider. They are responsible for your compliance and will bear accountability if something goes wrong.
2. Conduct Risk Assessments
Before building a security program, audit what data you have and where it is stored. Risk assessments identify foreseeable internal and external threats to customer information. The written risk assessment must include criteria for evaluating those risks.
3. Design Safeguards to Control Your Risks
Your safeguards must address the risks identified in your assessment. At a minimum, your institution must:
- Establish and periodically review access controls.
- Know what data you have and where it is stored.
- Encrypt customer information at rest and in transit.
- Set up procedures for access to proprietary and third-party applications.
- Require multi-factor authentication (MFA) for anyone accessing customer information.
- Dispose of customer data securely, no later than two years from your most recent use.
- Monitor authorized user activity and watch for unauthorized access.
4. Monitor and Test Your Safeguards Regularly
Testing your security program is not optional. Required testing includes:
- Continuous system monitoring.
- Annual penetration testing.
- Vulnerability assessments.
A managed services provider can help manage this process.
5. Train Your Employees
Your security program is only as strong as your least vigilant employee. Employees are a critical line of defense against cyberattacks. Include information security training so employees can identify emerging threats and appropriate responses.
6. Assess Your Service Providers
Robust security is undermined if third-party providers have weak cybersecurity measures. Monitor service providers closely. Work only with those that have adequate safeguards, and ensure your service-level agreements outline your security expectations.
7. Keep Your Program Current
Information security is constantly evolving. At some point you will need to update your operational setup, personnel, risk assessment procedures, and more. Your information security framework should be flexible enough to accommodate those changes.
8. Create a Response Plan
A cyberattack is a matter of when, not if. Your incident response plan should cover:
- The goals of your incident response and recovery plan.
- Internal processes that come into play during security events.
- Roles, responsibilities, and decision-making authority.
- Information sharing with relevant stakeholders.
- Procedures for addressing the weaknesses that led to the security event.
- The process for documenting and reporting the event.
9. Report to Your Board of Directors
The individual overseeing your information security program must report to your board in writing at least annually. The report must include an assessment of your information security posture and cover topics related to the program.
FTC Safeguards Rule vs. SOC 2 Compliance
The FTC Safeguards Rule and SOC 2 compliance are sometimes confused. Both frameworks aim to protect sensitive information, but they serve different purposes.
The FTC Safeguards Rule is a set of regulations designed specifically to protect customer information held by financial institutions.
SOC 2 compliance is a standard created by the American Institute of Certified Public Accountants (AICPA). It ensures that service providers manage data securely and protect client privacy. SOC 2 involves an independent audit of controls over data security, availability, processing integrity, confidentiality, and privacy.
SOC 2 compliance can demonstrate that your institution has appropriate controls in place. However, it may not be sufficient to meet all Safeguards Rule requirements on its own. A qualified managed services partner can help ensure full compliance.
Get Help with FTC Safeguards Rule Compliance
Complying with FTC guidelines is complex, and staying current on regulatory changes adds another layer of difficulty. The team at Cyber One Solutions has a proven track record of helping businesses build strong information security programs. Contact us today to learn how we can help you navigate the compliance landscape.
