By: Russ Hensley, CEO, CISSP
Right now, many companies are caught up in the Federal Trade Commission's second push to expand its consumer protection rules. For decades, the Sarbanes-Oxley regulations have flowed freely and been applied to the banking industry. In January 2022, an expansion of those rules went into law, bringing new industries into their scope. In simple terms, most companies outside of banks that issue loans now have new regulations to abide by. These now include car dealerships, loan providers, boat dealerships, and others. The current deadline for implementation is June 9th 2023.
One of the best examples of the implementation comes from the National Auto Dealers Association (NADA) in their “A Dealer's Guide to the FTC Safeguards Rule”. This guide, published by NADA for car dealers, breaks down into 8 common-sense steps which security tasks, documents and positions have to be identified.
The marketing from vendors selling to these newly covered industries varies wildly as well. Unfortunately, these marketing activities, aimed at employees who have never been required to understand anything about compliance or cybersecurity, are creating large gaps in implementation. For example, I recently had one dealership tell me that they are going to be compliant for $600 per year from one of their vendors, and another dealership told me that they were going to be compliant simply by moving their loan-processing software from an on-premise application to another one offered as a cloud service. Neither of these options will make a company compliant. I have another article posted about the false claim that simply moving data to the cloud is a one-stop security solution, which you can read later, but neither of those claims can be true. The latter claim, for example, completely ignores the consumer information collected in the service department's work-order software, which is also in scope as protected information. It does, however, help sell the application for a company that sells, you guessed it, online loan-processing software.
On the other hand, most dealers are being engaged by firms that charge appropriate rates to implement policies and assessments as part of the academic process. However, most of these newer companies have never been faced with creating several hundred pages of new policies, and that requires a large degree of effort from professionals who do this daily.
Yet this solution doesn't provide complete compliance with the regulations. Most national firms are unable to deliver the actual on-site IT support and cybersecurity support that often requires boots on the ground. Some consulting firms simply offer a monitored anti-virus tool, but they are not engaged in any of the patch management efforts that the FTC Safeguards Rule requires.
“Compliance does not equal secure” is a mantra that often permeates IT security professionals' meetings, and here is a good example. Those firms can create the documents from the processes, which would only document gaps and deficiencies. However, they are not providing the last step: executing inside the business to get the meat-and-potatoes part of the solution done, because they simply don't have the resources to project out into the actual business for that work. Hensley / Elam does have those last-mile resources, and we want to work with your consulting firm if you have one, or our staff can complete the documentation for you if you don't.
About the author – Russ Hensley is a cyber security professional (CISSP) with over a decade of direct security experience consulting for banks, healthcare entities, and a lengthy list of other industries, along with over 26 years of general IT experience running one of Kentucky's largest IT service companies. He is also a multi-engine commercial instrument airplane pilot and a private helicopter pilot. www.hea.biz