The Federal Trade Commission (FTC) extended the deadline for compliance with certain changes to its Safeguards Rule announced last year, in part because of labor shortages in the cybersecurity market.
The updates to the rule, originally set to take effect Dec. 9, will now carry a compliance deadline of June 9, 2023. The Safeguards Rule affects nonbank financial institutions, requiring them to develop, implement, and maintain a comprehensive information security program.
In announcing the delay in a press release Tuesday, the FTC acknowledged a letter it received from the Small Business Administration (SBA) that cited a shortage of labor and a lack of external resources and necessary equipment as the reasons trade associations felt they could not meet the Dec. 9 deadline.
“During a labor shortage, employers with the resources to offer high wages and other incentives are able to attract talent,” the SBA wrote. “It is more difficult for small firms that cannot afford the pay scales or incentives to attract talented employees.”
FTC Commissioner Christine Wilson echoed this sentiment in a statement supporting the compliance deadline extension. Wilson voted against the updates to the rule approved in October 2021 because she “feared the new obligations would inhibit flexibility and impose substantial costs, especially on small businesses.”
“Some estimates place the shortage of cybersecurity professionals in the 500,000 range,” she wrote. “Supply chain issues also have led to delays in obtaining necessary equipment for upgrading systems. These factors are outside the control of financial institutions and have complicated efforts by companies to meet the requirements of the amended rule by year end.”
Included in the six-month delay are requirements that covered entities:
- Designate an individual to oversee their information security program;
- Develop a written risk assessment;
- Limit and monitor who can access sensitive customer information;
- Encrypt sensitive information;
- Train security personnel;
- Develop an incident response plan;
- Periodically assess the security practices of service providers; and
- Implement multi-factor authentication for any individual accessing customer information.
Other provisions of the updated rule took effect in January. The rule exempts financial institutions that collect information on fewer than 5,000 consumers from the requirements regarding written risk assessments, incident response plans, and annual reporting to the board of directors.