Safeguarding Customer Information and FTC Cybersecurity Requirements: A Guide for MSPs

On June 9, 2023, the Federal Trade Commission (FTC) rolled out updates to its Standards for Safeguarding Customer Information. Because managed service providers (MSPs) play a crucial role in ensuring the security of customer data and applications, some of the responsibility for data protection now falls to you.

This article will summarize some of the key updates to the FTC standards. Additionally, it emphasizes the importance of monitoring SaaS business applications, particularly Microsoft 365 and Google Workspace, and outlines compliance requirements and best practices for you to follow when safeguarding customer information for your clients.

The FTC Safeguard Standards and National Cybersecurity Strategy

The recent National Cybersecurity Strategy released by the Biden-Harris administration has led to the FTC updating its Standards for Safeguarding Customer Information, known as the Safeguards Rule. The rule provides guidelines for developing and maintaining administrative, technical, and physical safeguards to protect customer information.

While primarily targeting financial institutions, it also applies to various other entities, including MSPs working with covered entities. Adhering to these standards is essential for effectively protecting sensitive customer information, and for maintaining compliance with government regulations.

The Need for Enhanced Cybersecurity in SaaS Business Applications

SaaS business applications such as Microsoft 365 and Google Workspace have revolutionized business operations, enabling remote work and collaboration. However, the increased reliance on these applications also exposes businesses to higher risks of data breaches and unauthorized access. To comply with FTC standards, MSPs must proactively monitor and secure these platforms to protect customer information and maintain trust.

We break down what’s expected in the next sections.

Standards for Safeguarding Customer Information

According to the Safeguards Rule, covered entities must establish and maintain a comprehensive security program that includes administrative, technical, and physical safeguards appropriate for their operations.

The security program’s objectives are to ensure the security and confidentiality of customer information, protect against anticipated threats, and prevent unauthorized access.

Key elements of the security program must include designating a qualified individual, conducting regular risk assessments, implementing access controls and encryption, monitoring user activity, and having an incident response plan in place.

The Role of Managed Service Providers in Strengthening Security

MSPs have a crucial role in enhancing security and protecting customer information. You should work with your customers to establish comprehensive security programs that include the required policies, procedures, and controls. Each customer will need to designate a qualified individual to work with you and oversee implementation, conduct regular risk assessments, and keep the program up to date.

It’s important that you carefully manage access to customer information, implement multi-factor authentication (MFA), and employ encryption. Monitoring user activity and regularly testing and updating safeguards are also vital. MSPs should prioritize security awareness training and develop incident response plans to promptly address security events.

FTC Multi-Factor Authentication (MFA) Requirements

Multi-factor authentication isn’t just an optional extra layer of security anymore. It’s a necessity for all covered entities. This security measure ensures that a single compromised password isn’t the gateway to a system-wide breach.

Under the FTC’s mandate, MFA goes beyond simple password protection. It requires at least two of the following factors:

1. Knowledge Factors: Things you know, like passwords or answers to security questions
2. Possession Factors: Things you possess, such as a security hardware key or a specific devices
3. Inherence Factors: Physical characteristics unique to an individual, such as fingerprints or retina scans

The FTC explicitly emphasizes that companies should opt for phishing-resistant MFA. This means the commonly used SMS-based or push notification one-time passwords (OTPs) just don’t make the cut. Citing risks and vulnerabilities, the FTC stresses that MFA should not be just another data collection measure, but a robust security mechanism.

Why the emphasis on phishing-resistant MFA? 

Phishing remains one of the top cybersecurity threats. Even with MFA, if one layer, like a password, can be easily phished, the entire system’s integrity is jeopardized. Hence, methods like OTPs or security questions, which can be socially engineered or easily gleaned from public data, should be avoided. Instead, the FTC advocates for solutions based on secure protocols and public key infrastructure. The gold standard, as recognized by the Cybersecurity and Infrastructure Agency (CISA), is FIDO-based authorization.

Leveraging SaaS Security Platforms for Enhanced Protection

SaaS Alerts provides an advanced SaaS security platform designed to assist MSPs in monitoring and securing Microsoft 365, Google Workspace, Slack, Dropbox, and Salesforce. The platform offers real-time monitoring and alerts for potential threats, incident response with automated remediation, compliance reporting, and risk assessment across the aforementioned SaaS applications. By leveraging these features, MSPs can strengthen security measures, maintain compliance, and ensure the confidentiality, integrity, and availability of customer data for their clients.

MSPs have a significant responsibility in safeguarding customer information, especially in the context of the updated FTC Standards for Safeguarding Customer Information. By implementing comprehensive security programs, monitoring user activity, employing access controls, and utilizing advanced SaaS security platforms like SaaS Alerts, MSPs can more effectively protect customer data in the SaaS business applications that their clients rely on.

For more information, including a comprehensive list of the types of entities impacted by the FTC updates, download our full white paper, The FTC’s Standards for Safeguarding Customer Information: A Guide for MSPs.