FTC Safeguards Rule: What Small Businesses Need to Know

Understanding the FTC Safeguards Rule

If you handle customer financial information, the FTC Safeguards Rule likely applies to your business. Originally designed for traditional financial institutions, the rule was updated in 2023 to cover a much broader range of businesses—including auto dealers, mortgage brokers, tax preparers, and any company that extends credit or collects financial data.

The confusion around compliance is real. We've seen countless small business owners and MSPs struggle to understand exactly what's required, especially when it comes to the "continuous monitoring" provisions. Let's break it down in plain English.

Who Needs to Comply?

The Safeguards Rule applies to "financial institutions" under FTC jurisdiction. But don't let that term fool you—it's broader than banks. If your business:

  • Extends credit to customers
  • Services loans or leases
  • Provides financial or investment advice
  • Operates as a tax preparer
  • Collects consumer financial information

...then you're likely covered. Auto dealerships, accounting firms, and even some retailers fall under these requirements.

The Continuous Monitoring Question

Here's where things get interesting. The updated rule requires businesses to either:

  1. Conduct annual penetration testing and semi-annual vulnerability assessments, OR
  2. Implement continuous monitoring or periodic vulnerability assessments with a risk-based approach

Many small businesses hear "continuous monitoring" and immediately picture expensive 24/7 SOC operations with enterprise SIEM tools. That's one approach, but it's not the only path to compliance.

The FTC recognizes that security programs should be "appropriate to your size and complexity." For smaller organizations, continuous monitoring might mean:

  • Regular automated vulnerability scans
  • Log monitoring with alerting for suspicious activity
  • Endpoint detection tools with automated reporting
  • Scheduled security assessments throughout the year

The key is demonstrating that you're actively looking for and addressing security gaps—not just checking a box once a year.
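To make "log monitoring with alerting for suspicious activity" concrete at small-business scale, here is an added example (written for this article, not Oscar Six's Radar product or any other tool the post mentions). It parses SSH-style authentication log lines and raises two kinds of alerts: a burst of failed logins from one source address within a short window, and a successful login from a source that had just been failing. The log lines, thresholds and host names are constructed for illustration; a real deployment would read from the system's actual auth log and forward alerts to whoever the qualified individual designates.

```python
"""Minimal log monitoring with alerting for a small business (added example).

Scans SSH-style auth log lines and alerts on:
  * a burst of failed logins from one source IP inside a time window
    (a sign of password guessing), and
  * a successful login from a source that had recent failures
    (a sign that a guessed password worked and needs a closer look).
Sample log lines below are constructed, not taken from any real system.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches lines such as:
#   2024-03-04T09:15:02 sshd[2210]: Failed password for alice from 198.51.100.7 port 51122 ssh2
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted password) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

FAIL_THRESHOLD = 5               # this many failures from one IP ...
WINDOW = timedelta(minutes=10)   # ... inside this window raise an alert (assumed values)


def parse_line(line):
    """Return (timestamp, result, user, ip), or None for lines we do not track."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group("ts"))
    return ts, m.group("result"), m.group("user"), m.group("ip")


def monitor(lines):
    """Process log lines in order and return a list of alert dicts."""
    alerts = []
    recent_failures = defaultdict(deque)   # ip -> timestamps of failures in window
    flagged = set()                        # ips already alerted for a burst

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        q = recent_failures[ip]
        # Discard failures older than the window.
        while q and ts - q[0] > WINDOW:
            q.popleft()

        if result == "Failed password":
            q.append(ts)
            if len(q) >= FAIL_THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "failed_login_burst", "ip": ip,
                               "count": len(q), "at": ts.isoformat()})
        else:  # Accepted password
            if q:  # success right after failures from the same source
                alerts.append({"type": "success_after_failures", "ip": ip,
                               "user": user, "failures": len(q),
                               "at": ts.isoformat()})
            q.clear()
    return alerts


# Constructed sample log: one normal login, an unrelated cron line, a burst of
# six failures from one address, a single stray failure elsewhere, and then a
# successful login from the address that had been failing.
SAMPLE_LOG = [
    "2024-03-04T09:10:00 sshd[2001]: Accepted password for bob from 192.0.2.10 port 40001 ssh2",
    "2024-03-04T09:14:30 CRON[2100]: (root) CMD (run-parts /etc/cron.hourly)",
    "2024-03-04T09:15:02 sshd[2210]: Failed password for alice from 198.51.100.7 port 51122 ssh2",
    "2024-03-04T09:15:10 sshd[2211]: Failed password for alice from 198.51.100.7 port 51130 ssh2",
    "2024-03-04T09:15:20 sshd[2212]: Failed password for invalid user admin from 198.51.100.7 port 51141 ssh2",
    "2024-03-04T09:15:31 sshd[2213]: Failed password for alice from 198.51.100.7 port 51150 ssh2",
    "2024-03-04T09:15:45 sshd[2214]: Failed password for root from 198.51.100.7 port 51162 ssh2",
    "2024-03-04T09:16:30 sshd[2215]: Failed password for alice from 198.51.100.7 port 51177 ssh2",
    "2024-03-04T09:16:50 sshd[2300]: Failed password for carol from 203.0.113.5 port 50012 ssh2",
    "2024-03-04T09:17:00 sshd[2310]: Accepted password for alice from 198.51.100.7 port 51190 ssh2",
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_LOG):
        print(alert)
```

On the sample input this produces two alerts: a `failed_login_burst` from 198.51.100.7 when the fifth failure lands, and a `success_after_failures` for alice from the same address. The point for Safeguards Rule purposes is not the specific thresholds but that the alerts, and what you did about them, become records you can show during an assessment.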

Practical Steps for Small Businesses

1. Document Everything

The FTC wants to see that you have a written information security program. This doesn't need to be a 200-page document. It should clearly outline:

  • What customer information you collect
  • How you protect it
  • Who's responsible for security
  • How you assess and address risks

2. Designate a Qualified Individual

Someone needs to own your security program. For small businesses, this might be the owner, an IT manager, or even a trusted MSP. The "qualified" part means they understand your systems and can make informed security decisions.

3. Conduct Risk Assessments

You need to identify reasonably foreseeable risks to customer information. This includes:

  • External threats (hackers, malware)
  • Internal risks (employee access, data handling)
  • System vulnerabilities (outdated software, misconfigurations)

Regular vulnerability scanning is one of the most straightforward ways to identify technical risks before they become breaches.

4. Implement Safeguards

Based on your risk assessment, put controls in place. Common safeguards include:

  • Access controls and authentication
  • Encryption for sensitive data
  • Secure software development practices
  • Regular security testing

5. Monitor and Test

This is where continuous monitoring comes in. Whether you choose annual pentests or ongoing assessments, you need to regularly verify your safeguards are working. Automated vulnerability scanning provides an affordable way to maintain visibility into your security posture between more comprehensive assessments.

The MSP Perspective

If you're an MSP serving clients who fall under the Safeguards Rule, you're in a unique position. Your clients are looking to you for guidance on compliance, but you also need to ensure your own practices meet the standard.

Consider building regular vulnerability assessments into your service offerings. It's a value-add for clients and helps you demonstrate due diligence in protecting their customer data. Many MSPs find that scheduled scanning—monthly or quarterly—strikes the right balance between continuous oversight and manageable costs.

Common Mistakes to Avoid

Assuming you're exempt: The rule covers more businesses than most realize. When in doubt, consult with a compliance professional.

One-and-done mentality: A single annual pentest without ongoing monitoring leaves gaps. Threats evolve constantly.

Ignoring vendor risk: If third parties access customer data, you need to assess their security too.

Skipping documentation: Even great security practices won't help if you can't demonstrate them during an audit.

Take Action Today

Don't wait for regulators—or attackers—to find your vulnerabilities first. Regular scanning is one of the most cost-effective ways to maintain compliance and protect customer data.

Oscar Six Security's Radar solution provides automated vulnerability scanning for just $99—giving you the ongoing visibility the Safeguards Rule demands without enterprise-level costs. Focus Forward. We've Got Your Six.