IT Examiner School - Oct 2025
Internal Use Only
Regulations & Guidance – Non-Depository
16 CFR Part 314 of the FTC Rules and Regulations, “Standards for Safeguarding Customer Information”
• Took effect in 2003 and is designed to ensure that covered entities maintain safeguards to protect the security of customer information
• It applies to financial institutions subject to FTC jurisdiction that aren’t subject to the enforcement authority of another regulator under Section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805
• In December 2021, the FTC amended the Safeguards Rule to keep pace with current technology
Source: https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know
Section 314.4 of the Safeguards Rule identifies 9 elements that a company’s information security program (ISP) must include:
• Designate a qualified individual to implement & supervise the InfoSec program
• Conduct a risk assessment
• Design & implement safeguards to control the risks identified by the risk assessment
• Regularly monitor & test the effectiveness of those controls
• Train staff
• Monitor service providers
• Keep the program current
• Create a written Incident Response Plan
• Require the qualified individual to report to the Board