As we discussed in our March 3 Advisory, on October 27, 2021, the Federal Trade Commission (FTC) announced revisions (the 2021 Revisions) to its Standards for Safeguarding Customer Information (the "Safeguards Rule" or the Rule) adopted under the Gramm-Leach-Bliley Act (GLBA). The Rule was first adopted in 2002 to ensure that financial institutions under the jurisdiction of the FTC protect the nonpublic personal information (NPI) of their natural person clients and investors (each, a Customer). Financial institutions under the FTC's jurisdiction include private investment funds (Private Funds) and investment advisers that are not registered with the Securities and Exchange Commission (SEC), such as state-registered investment advisers. The 2021 Revisions were adopted in response to the significant harm caused to consumers, including monetary loss, identity theft and other forms of financial distress, as a result of data breaches and other cybersecurity incidents.
The 2021 Revisions were published in the Federal Register on December 9, 2021, with an initial compliance date of December 9, 2022, for most of the substantive changes. However, citing a shortage of qualified security personnel and supply chain delays for the equipment needed to comply, on November 15, 2022, the FTC extended the compliance deadline to June 9, 2023 for several aspects of the 2021 Revisions. The compliance date for the remaining aspects of the 2021 Revisions is unchanged at December 9, 2022. Below we separate the 2021 Revisions into those requiring compliance by December 9, 2022 and those for which compliance was delayed until June 9, 2023.
2021 Revisions Requiring Compliance by December 9, 2022
Each financial institution must:
- develop and implement an information security program;
- base the information security program on a specific risk assessment;
- test or otherwise monitor the effectiveness of the information security program's key controls;
- oversee service providers by taking reasonable steps in selecting and retaining service providers;
- require service providers by contract to implement and maintain appropriate safeguards for Customer NPI; and
- evaluate and adjust the information security program in light of the results of any tests or risk assessments.
2021 Revisions Requiring Compliance by June 9, 2023
Each financial institution must:
- designate a qualified individual to oversee its information security program;
- develop a written risk assessment identifying reasonably foreseeable internal and external risks to security, confidentiality and integrity of Customer NPI;
- limit and monitor who can access Customer NPI;
- encrypt all Customer NPI held or transmitted by the financial institution, both in transit over external networks and at rest (where encryption is infeasible, the Rule permits alternative compensating controls reviewed and approved in writing by the qualified individual);
- provide training to personnel regarding information security risks;
- develop a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity or availability of Customer NPI in the financial institution's information systems;
- periodically assess the data security practices of service providers; and
- implement multi-factor authentication for any individual accessing an information system that holds Customer NPI, unless the qualified individual has approved in writing the use of reasonably equivalent or more secure access controls.
Separately, as discussed in our March 3 Advisory, on February 9, 2022, the SEC proposed new Rule 206(4)-9 under the Investment Advisers Act of 1940 and new Rule 38a-2 under the Investment Company Act of 1940 (collectively, the Proposed Rules) to address cybersecurity risks. The Proposed Rules have yet to be adopted, and we will continue to update you on any developments with respect to those proposals.
Katten has template policies and procedures that address the 2021 Revisions taking effect on December 9, 2022. If you have any questions about the Rule or the Proposed Rules, or would like our assistance updating your policies and procedures to address the applicable 2021 Revisions, please contact any of the attorneys listed below or your Katten contact.