FTC Safeguards Rule · GLBA · Effective June 2023

FTC Safeguards Rule Compliance for Auto Dealers, Accountants & Financial Services MSPs

Official source: FTC Safeguards Rule

Automate the FTC Safeguards Rule's 9 required cybersecurity elements for non-bank financial institution clients. Continuous monitoring, evidence collection, and audit-ready reports.

FTC Safeguards Assessment: 7/9 Elements
Qualified individual designated: PASS
Encryption of customer data: PASS
MFA implemented: PASS
Access controls in place: PARTIAL
Incident response plan: FAIL

Who Needs FTC Safeguards Compliance?

Non-Bank Financial Institutions Under the FTC's Jurisdiction

The FTC Safeguards Rule applies to any business that is significantly engaged in financial activities. If your MSP serves any of these client types, they need FTC Safeguards compliance.

Auto Dealers
Any dealership offering financing, leasing, or vehicle loans — regardless of size.

Mortgage Brokers
Non-bank mortgage originators, brokers, and servicers handling customer financial data.

Accountants & CPAs
Tax preparers and accounting firms that access or maintain customer financial records.

Finance Companies
Payday lenders, check cashers, wire transfer services, investment advisors, and more.

The 9 Required Elements

FTC Safeguards Rule — 9 Cybersecurity Safeguards

The amended FTC Safeguards Rule (effective June 9, 2023) requires covered financial institutions to implement these 9 specific cybersecurity controls. SBCMSP automates the technical ones.

1. Designate a qualified individual [Manual / Policy]
Assign a CISO or qualified individual to oversee your information security program.

2. Base your program on a risk assessment [✓ Auto — SBCMSP scans]
Conduct regular risk assessments identifying reasonably foreseeable internal and external risks.

3. Design and implement safeguards [✓ Auto — 673 checks]
Implement and regularly test safeguards including access controls, encryption, and monitoring.

4. Regularly monitor and test [✓ Auto — daily scans]
Continuous monitoring or periodic penetration testing and vulnerability assessments.

5. Train your staff [Manual / Policy]
Train employees on information security and ensure personnel implement your program.

6. Monitor your service providers [Partial — vendor checks]
Select, retain, and oversee service providers by contract to implement appropriate safeguards.

7. Keep your program current [✓ Auto — continuous]
Evaluate and adjust your information security program in light of business changes and new risks.

8. Create a written incident response plan [Manual / Documentation]
Establish a written incident response plan addressing detection, containment, and notification.

9. Report to your board [✓ Auto — SBCMSP reports]
Require the qualified individual to report to the board of directors at least annually.

Why Compliance Matters

FTC Enforcement Is Active and Growing

The FTC actively enforces the Safeguards Rule and has pursued high-profile enforcement actions against non-compliant companies. In 2023, the FTC expanded the rule's technical requirements significantly.

Civil Penalty: $51,744
Maximum per violation per day of non-compliance. Adjusted annually for inflation under the FTC Act.

New 2023 Requirements: MFA Required
The amended rule explicitly requires MFA for anyone accessing customer information systems — a specific technical requirement.

Breach Notification: 30 Days
Notify the FTC within 30 days if a security event affects 500+ customers. Failure to notify is a separate violation.

Start FTC Safeguards Compliance Today

Add your first auto dealer or financial services client in 2 minutes. Free 14-day trial.
