Research Assistant Newsletter, sponsored by Provana

Welcome to the Research Assistant Weekly Newsletter - a subscriber-only resource for insight into emerging compliance challenges, details on peer calls, and links to new Research Assistant reports, documents, tools, and more.


Sponsored by TCN and Finvi


The rule requires the appointment of a “Qualified Individual” (QI) to oversee, implement, and enforce your organization’s information security program. Although this section permits this role to be fulfilled by a service provider, it contains additional provisions for the oversight of that service provider and makes clear the covered financial institution still bears ultimate responsibility for compliance with the Safeguards Rule.

Your QI may not need to have the alphabet soup of letters behind their name, but they do need to understand information security and be able to report on it to the Board of Directors (BOD) or Executive Leadership Team (ELT) of your organization. This may be an issue for small agencies that don’t have a BOD or a designated ELT.

So, what exactly is the QI responsible for and what should their knowledge base include?

They are required to:

  • Oversee the information security program. This means that they supervise or manage the information security program. They might or might not be an IT person. For example, they could be a compliance person who is versed in information security.

  • Implement the information security program. This means they will put the program into action.

  • Enforce the information security program. To enforce something is to compel compliance with it, so in practice the QI makes sure the information security program is actually being followed.

  • Provide a report, at least annually, on the overall status of the information security program, its compliance with the Safeguards Rule, and any material matters related to the information security program, including issues related to risk assessments, risk management and control decisions, service provider arrangements, testing and monitoring results, security events or violations of security, management’s responses to these items, and any recommendations for changes to the information security program.

The FTC laid all of this out in the Rule, which can be found here: FTC Safeguards Rule: What Your Business Needs to Know | Federal Trade Commission.

In combination with designating your QI, you should create and maintain a job description for this role, or at least update the job description of the designated person to include the QI requirements. In preparation for SOC and other audits, have BOD/ELT meeting minutes showing that the QI was voted on and approved by the BOD/ELT, and make sure that your policies and procedures are updated as well. You may consider adding new policies and procedures related to the Safeguards Rule. You should also make sure that your Information Security policy and procedure are updated to include the requirements under the Rule. The Safeguards Rule goes into effect June 9, 2023.


Top Reads: 


Upcoming Webinars/ Other Announcements:

  • There will be no peer meeting Monday, December 5th. 

  • Check out Research Assistant’s newest resource: Statute of Limitations Matrix

  • Reminder to please complete our Research Assistant Survey: Help Us, Help You!

  • Research Assistant sponsor Provana has a new resource page just for Research Assistant members. Check out the new Provana resources and check in for special offers right here

  • Reminder: Send any topics or questions that you want to discuss to sara@insidearm.com by Thursday to ensure it makes it on our agenda!