Understanding FTC Safeguards Rule 2023 Deadline and Compliance Steps

seimitsu n.w

Learn about the FTC Safeguards Rule requiring non-banking financial institutions to implement a comprehensive security program to protect customer financial data. Discover the key compliance steps including designating a qualified individual, conducting risk assessments, and implementing security safeguards to reduce risks.

  • FTC Safeguards Rule
  • Compliance Steps
  • Financial Institutions
  • Data Security
  • Risk Assessment


Presentation Transcript


  1. Seimitsu: FTC Safeguards Rule: What You Need to Know
     Scott C. Scheidt, Chief Security Officer, Seimitsu

  2. Safeguards Rule 2023
     Deadline: June 09, 2023
     The Rule applies to financial institutions subject to the FTC's jurisdiction that aren't subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. 6805. An entity is a financial institution if it's engaged in an activity that is financial in nature or is incidental to such financial activities, as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k).
     Applicable entities:
       • Mortgage Brokers | Mortgage Lenders
       • Payday Loan | Wire Transferors | Check Cashing
       • Check Printers
       • Finance Companies
       • Collection Agencies
       • Credit Counselors
       • E-Commerce | List Developers
       • Financial Advisors
       • Accountants
       • Tax Preparers
       • Investment Advisors
       • Automotive Dealerships (to include Used Car Resale Dealerships)
       • Personal Property Appraiser | Real Estate Appraiser
       • Travel Agency
       • Retailer that extends credit by issuing its own credit card

  3. Safeguards Rule 2023
     Deadline: June 09, 2023
     The U.S. Federal Trade Commission (FTC) Safeguards Rule requires non-banking financial institutions to develop, deploy and maintain a comprehensive security program to keep customer financial data safe. The Rule requires financial institutions to implement an information security program: a set of policies, procedures and guidelines that an organization uses to protect its customer information. The program must include plans for managing access to data, detecting and responding to security incidents, security awareness training, and risk management. In addition, it sets forth the roles and responsibilities of the security team. The goal of an information security program is to protect information from unauthorized access or data breaches, and it can be an important part of an organization's overall security strategy.
     https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314

  4. Steps to Business Compliance
     DESIGNATE A QUALIFIED INDIVIDUAL: responsible for designing, maintaining and enforcing the information security policies and compliance requirements of the FTC Safeguards Rule. The Safeguards Rule mandates that a Qualified Individual oversees information security programs and reporting, but offers no hard definition of who a Qualified Individual is. There are no defined experience, degree or accreditation requirements. This was done to provide flexibility, but it will lead to confusion for business owners.
     CONDUCT A RISK ASSESSMENT*: written*, either self-attested or documented by a third party. Have a written risk assessment with a plan of action and milestones for risk mitigation.
     HAVE A WRITTEN INCIDENT RESPONSE PLAN*
     PROVIDE SECURITY AWARENESS TRAINING AND SECURITY POLICY COMPLIANCE: documented, trackable by employee, with managed updates.
     * Requirement is waived if you have records for fewer than 5,000 consumers.

  5. Steps to Business Compliance
     IMPLEMENT SAFEGUARDS TO REDUCE RISK: MFA, access controls, encryption, intrusion detection, penetration testing*.
     MONITOR & TEST EFFECTIVENESS OF THE SECURITY PROGRAM: NDR, EDR, MDR, XDR, vulnerability scanning every 6 months.
     MANAGE & MAINTAIN INFRASTRUCTURE: RMM, log review & retention, patches & updates.
     MONITOR 3RD PARTY SYSTEMS & SERVICE PROVIDERS: security expectations in contracts, periodic reassessments, monitoring of service providers' work.
     ANNUAL REPORTS TO YOUR BOARD OF DIRECTORS, OR SENIOR MANAGEMENT*: status of the plan and the organization's compliance with the plan.
     * Requirement is waived if you have records for fewer than 5,000 consumers.

  6. FTC Fines for Non-Compliance
     AMERICAN RECOVERY AND REINVESTMENT ACT OF 2009: entities not covered under HIPAA are required to notify consumers, the media and the FTC of breaches of personally identifiable health information within 60 days of discovery of a breach, or as soon as possible, or within 10 business days if the breach affects more than 500 people.
     NO TABLE OF FINES AT THIS TIME: the FTC has not developed a specific fine table, but has brought litigation against organizations that have not followed data breach update rules.
     FTC SETTLEMENT WITH GOODRX: February 2023, the DoJ finalized a $1.5 million settlement against GoodRx for unauthorized disclosure of consumer data.
     FTC SETTLEMENT WITH EASY HEALTHCARE: May 2023, the DoJ finalized a $100,000 settlement against Easy Healthcare for unauthorized disclosure of consumer data from the Premom ovulation and period-tracking application.

  7. HIPAA Fines for Non-Compliance Comparison: 4-Tier Penalty Structure
       • Did not know and, by exercising reasonable diligence, would not have known of the violation: penalty ranges from $100 to $50,000 per violation; up to $1.5 million per identical violation per year.
       • Violation due to reasonable cause and not willful neglect: $1,000 to $50,000 per violation; up to $1,500,000 per identical violation per year.
       • Violation due to willful neglect, corrected within 30 days after the covered entity knew or should have known of the violation: mandatory fine of $10,000 to $50,000 per violation; up to $1,500,000 per identical violation per year.
       • Violation due to willful neglect, not corrected within 30 days after the covered entity knew or should have known of the violation: mandatory fine of not less than $50,000 per violation; up to $1,500,000 per identical violation per year.

  8. How can Seimitsu Help?
       • Information Security Services
       • Cybersecurity Breach Protection Platform (BPP) and Managed Security Demos
       • Security Operations Center (SOC) as-a-Service
       • Cybersecurity Service Assurance: $500,000 Security Service Warranty

  9. Seimitsu TrueSecure Cybersecurity Services (www.seimitsu.com/cybersecurity)
     BPP and Managed Security Demo:
       • Breach Protection Platform: https://youtu.be/2dik5YE3IEU
       • Device Security Protection: https://youtu.be/QdUurWYK5Z8
     Services:
       • Cybersecurity Training
       • Dark Web Analysis (24 hours a day)
       • Phishing Campaigns
       • Customizable Compliance Supportive Security Policy Portal
       • Security Risk Assessments
       • Windows, MAC, Linux, Chrome OS
       • Next Generation Antivirus (NGAV)
       • Mobile Device Security
       • User Behavioral Analytics
       • Cloud Security Posture Monitoring
       • Deception
       • Ransomware Protection
       • Network Analysis
       • Endpoint Security Beyond the Firewall
       • Security monitoring and counter-attack (24x7x365)

  10. Seimitsu TrueSecure Cybersecurity Services (www.seimitsu.com/cybersecurity)
     TrueSecure $500,000 Security Service Assurance / $500,000 Security Service Guarantee
     Cybersecurity controls checklist for TrueSecure Assurance:
       • Threat monitoring for ransomware / business email compromise
       • Data backup & encryption of data at rest
       • Patching cadence followed: within 60 days of release
       • MFA on all employee email accounts
       • Client verifies / documents any out-of-band wire requests or changes in routing instructions on invoices
     Service Assurance Coverage:
       • Up to $100,000 of ransomware protection
       • Up to $100,000 of compliance and regulatory failure protection
       • Up to $50,000 of business interruption/loss protection
       • Up to $250,000 of cyber legal liability protection

  11. Seimitsu TrueSecure vCISO Solution
     TrueSecure vCISO Service: Virtual Chief Information Security Officer (vCISO) service. Seimitsu's Chief Security Officer and his team provide a contracted number of hours per month of support for vCISO cybersecurity actions or industry compliance review for PCI DSS, HIPAA, CMMC, NIST, ISO27001 or other relevant compliance standard. Provide executive-level support for C-Suite meetings, strategic cyber planning and incident response to any cyber attacks.
     Cybersecurity Service Assurance: $500,000 Security Service Guarantee (certain requirements must be met)
       • Up to $100,000 of ransomware protection
       • Up to $100,000 of compliance and regulatory failure protection
       • Up to $50,000 of business interruption/loss protection
       • Up to $250,000 of cyber legal liability protection
     Dark Web Analysis:
       • 24-hour dark web analysis for organizational-level domains
       • Dark web analysis for all employee professional and/or personal emails
     Cyber Awareness and Phishing Training: cyber awareness training platform for up to employees that will include
       • Annual cyber awareness training program
       • Weekly micro trainings
       • Monthly phishing campaigns
       • English, French, Spanish language training
     Security Risk Management: Organizational Security Risk Assessment; Security Policy Development and Design
     Managed Detection and Remediation: covers managed endpoint security sensors for all laptops, desktops and servers
       • User Behavior Analytics
       • Next Generation Anti-Virus
       • Network Traffic Monitoring
       • Deception: honeypots, files, user accounts, hosts
       • Ransomware Protection
       • Endpoint Security with 24x7x365 SOC monitoring and remediation

  12. SEIMITSU FTC SAFEGUARDS RULE 2023 REVIEW
     Points of Contact: Scott C. Scheidt, MSc, MBA, C)CSOM, C)NFAM, C)CIRM, C)DRRM, Chief Security Officer
     scotts@seimitsu.com | +1.912.525.0326
