FTC Safeguards

FTC Safeguards, satisfied.

The amended FTC Safeguards Rule turned 'good security' into a legal mandate for auto dealers, lenders, mortgage brokers, and other financial institutions. We stand up the full program — a Qualified Individual, a written plan, and all nine required controls — so an examiner finds nothing missing.

15-minute call · senior engineer · no obligation

  • 9 required elements: Every one, implemented.
  • QI (Qualified Individual): Named, supported, reporting to the board.
  • WISP (written & living): The plan the Rule mandates.

01 What's included

The whole Safeguards program.

  • 01 Written Information Security Program (WISP) authored to the Rule
  • 02 A Qualified Individual to own the program — fractional / vCISO
  • 03 Risk assessment, documented and periodically updated
  • 04 Access controls, encryption, and MFA across systems
  • 05 Continuous monitoring, or annual pen test plus vulnerability scans
  • 06 Service-provider oversight and contractual safeguards
  • 07 Incident response plan and the required annual board report

02 How we work

From exposed to examiner-ready.

01 Scope

Confirm you're a covered 'financial institution' and map customer information.

02 Plan

Author the WISP and appoint a Qualified Individual to own it.

03 Implement

Stand up the nine required safeguards across people and systems.

04 Report

Monitor, reassess, and deliver the required annual report to leadership.

03 FAQ

Questions, answered.

Does the Safeguards Rule apply to us?

If you're a non-bank business significantly engaged in financial activities — auto dealers, mortgage brokers, payday and consumer lenders, tax preparers, collection agencies and more — yes. Many covered businesses don't realize they qualify until an incident or a lender asks.

What is the Qualified Individual?

The Rule requires a single named person responsible for your information security program. We serve as, or support, your Qualified Individual on a fractional basis — including the periodic reporting to your board or senior leadership that the Rule mandates.

What are the nine required elements?

A risk assessment, access controls, a data inventory, encryption, secure development practices, MFA, secure disposal, change management, and monitoring/logging — all wrapped in the WISP, with continuous monitoring or annual testing.

What's the risk of ignoring it?

The FTC can pursue enforcement, and many cyber-insurance carriers and lenders now require attestation. Beyond penalties, a breach without a documented program is far harder — and costlier — to defend.

Get started

Ready when you are.

Book a 15-minute introduction call. Walk away with a clear next step — whether you work with us or not.
