Managed services providers are constantly looking for angles that differentiate their practices and grow their client rosters, but offering FTC Safeguards Rule compliance remarkably runs under the radar.
Millions of SMBs must comply with FTC Safeguards. Most will require outside expertise to do so, which is firmly within MSPs’ existing wheelhouse. Let’s dig into what your practice needs to know.
What Exactly Is the FTC Safeguards Rule?
The FTC Safeguards Rule requires businesses that act as a “financial institution” — defined as any business under FTC authority and not another regulator that transfers money to and from customers — to maintain an information security program that keeps customer data secure and confidential.
Countless businesses must comply, including mortgage lenders, finance companies and advisors, wire transferors, tax preparation firms, and non-federally insured credit unions.
The FTC Safeguards Rule requires a written information security program appropriate to the size and scope of the business, its activities, and the sensitivity of the customer information it handles. The rule also defines nine required elements of an acceptable information security program:
- First, a business must designate a qualified individual (employee or MSP professional) to implement and supervise the information security program.
- Second, a business must conduct a written risk assessment that inventories customer information and evaluates threats.
- Third, a business must introduce safeguards aligned with the risk assessment, including access controls, data encryption, multifactor authentication, and more.
- Fourth, a business must conduct continuous security testing, or regular penetration testing and vulnerability assessments.
- Fifth, sixth, and seventh, a business must introduce employee security training, monitor service providers to meet security expectations, and keep its information security program updated to current needs.
Notably, each of these stated requirements is easily met by tools either built for MSPs or already in their portfolios, making it straightforward for services providers to take advantage of this opportunity. For example, MSP solutions like BeachheadSecure for remote access control and data encryption, and Coro for DLP and secure email already directly map to what the FTC Safeguards Rule asks for.
Be Compliant ASAY (As Soon As Yesterday)
While the FTC Safeguards Rule came out in 2021, businesses got a reprieve when the deadline was pushed to June 2023.
That delay likely contributed to the common misconception that enforcement will rest on the whims of different political administrations as they come and go. That’s a dangerous falsehood. Enforcement has begun, is here to stay, and any future revisions to the rule will only make it stricter.
Today, any business that isn’t meeting its requirements under the rule may face fines of up to $100,000 per violation, and puts its FTC licensing at risk. MSPs that spell out these risks and promise better protection than a business’ existing MSP present a compelling new business case.
The FTC Safeguards Rule Deserves CMMC-level Buzz
Many MSPs look at providing CMMC compliance to defense industry clients as a potential goldmine, with projects earning them into the mid-six figures.
Unfortunately, their math often fails to reflect the true costs of building their capabilities around CMMC. Earning that mid-six figure payout means hiring a team of CMMC experts, and just one CMMC project will absorb 20 hours a week of an MSP’s bandwidth for six months.
In contrast, focusing on FTC Safeguards Rule compliance means working with some of the millions of SMBs that MSPs already are adept in servicing with familiar security goals. Winning those clients and successfully delivering on their needs is simple when compared to reimagining your entire business around high-stakes, specialized CMMC compliance.
That said, an MSP that establishes FTC Safeguards compliance credentials can offer CMMC compliance later.
Offering Compliance Assistance is Becoming a Must
MSPs that ignore the rising importance of compliance requirements like the FTC Safeguards Rule will face increasing difficulties competing with those that do.
It’s just too easy for an MSP with a strong compliance offering to slide in and say, “We can make sure you meet all the FTC, credit card company, and cyber insurance company obligations that you’re currently falling short in. Why can’t your current MSP do that?”
Any business that hears that pitch will take a hard look at making the switch to a more effective MSP.
Jon DePerro is the chief compliance officer at Visibility MSP. He has over two decades of experience in security and risk management, much of which was with the U.S. Army, where he served as a counterintelligence special agent.