Understanding the FTC Safeguards Regulations and What It Means for MSPs

If you’re an IT Managed Service Provider (MSP), you need to be aware of the new regulations that have been put in place by the Federal Trade Commission (FTC) that are coming into effect on June 9th, 2023. The FTC, in response to the changing threat landscape in the cloud, has updated the guidelines that businesses need to follow to meet the new Cyber Security requirements to keep sensitive client data secure.

These regulations, known as the new FTC Safeguards Regulations, will affect your clients who operate in the following verticals:

  • CPAs
  • Mortgage lenders
  • Mortgage brokers
  • Motor vehicle dealers
  • Payday lenders
  • Finance companies
  • Account services
  • Check cashing companies
  • Wire transferors
  • Collection agencies
  • Credit counselors
  • Financial advisors
  • Tax preparation firms
  • Non-federally insured credit unions
  • Investment advisors

What are the FTC Safeguards Regulations?

The new Safeguards require businesses to implement and maintain reasonable cybersecurity measures to protect sensitive customer information. The regulations aim to ensure that businesses that handle sensitive customer information take appropriate steps to safeguard that information against data breaches and other cybersecurity threats.

What do the FTC Safeguards Regulations mean for MSPs?

The FTC Safeguards Regulations will have a significant impact on MSPs who provide services to clients in the industries mentioned above. MSPs will need to ensure that they have appropriate safeguards in place to protect sensitive customer information, and they will be required to demonstrate compliance with the regulations. This is a fantastic opportunity for MSPs to upsell new services to existing clients including enforcing least privileges access, MFA, tracking of data locations, encryption, application assessments, customer data disposal, and activity logs.

To ensure compliance with the FTC Safeguards Regulations, MSPs must ensure that their affected clients meet the following nine requirements:

FTC Requirement 1: Designate A Qualified Individual

The first step is to designate a qualified individual who will be responsible for communicating the organization’s risk posture, activity status, and outcomes from the executive to operational levels. This is a great way for MSPs to become the mandatory qualified individual at a client site or upsell VCIO services.

FTC Requirement 2: Conduct a Cyber Security Risk Assessment

The second step is to conduct a comprehensive cybersecurity risk assessment. This assessment will help ensure that the cybersecurity controls you choose are appropriate to the risks your organization faces. As part of this assessment MSPs should be focusing on application inventories, multifactor authentication, penetration testing, and activity logs.

FTC Requirement 3: Design & Implement Safeguards

The third step involves following a 7-step process to design and implement safeguards. This includes periodic review, tracking of data locations, encryption, application assessments, multi-factor authentication, customer data disposal, and activity logs.

FTC Requirement 4: Monitor Your Systems & Evaluate

The fourth step involves constant monitoring and penetration testing of your systems to ensure compliance. If your clients are still on an ‘as needed’ contract with your business, this is a great opportunity to convert them to fully managed contracts.

FTC Requirement 5: Employee Training & Monitoring

The fifth step involves providing security awareness training to your employees and scheduling regular refreshers. It is also important to provide specialized training for employees, affiliates, or service providers with hands-on responsibility for carrying out your information security program.

FTC Requirement 6: Monitor Your Service Providers

The sixth step involves monitoring your service providers to ensure that they are also in compliance with the FTC Safeguards Regulations.

FTC Requirement 7: Keep Your Program Current

The seventh step involves regularly monitoring and analyzing security events and reflecting on them through security awareness training for your staff.

FTC Requirement 8: Incident Response Plan

The eighth step involves having a mandatory incident response plan in place that reflects the goals of the plan, your internal processes response, and a breakdown of roles, responsibilities, and authorities.

FTC Requirement 9: Reporting To The Board Of Directors

The final step involves the qualified responsible person organizing and presenting relevant materials to the Board of Directors intermittently. These materials should include the results of cybersecurity risk assessment scans, action plans, safeguard results, monitoring, and penetration testing results.


As an MSP, we need to ensure that our affected clients know that failure to comply with the FTC Safeguards Regulations could result in serious consequences, such as fines and damage to their reputation. Therefore, it is crucial for them to take the necessary steps to ensure compliance and protect your client’s sensitive information.

In conclusion, the FTC Safeguards Regulations are an essential development that MSPs must understand and comply with to protect their affected clients’ sensitive information. By following the nine requirements outlined above, MSPs can ensure compliance and prevent data breaches that could harm both their clients and their own business.

Derik Belair

As President and CEO, Derik leads the vision, strategy and growth of Augmentt. Prior to founding Augmentt, Derik was the Vice President at SolarWinds, leading the digital marketing strategy for SolarWinds’ Cloud division. Derik has been working in the channel for over 20 years, starting his career as a channel sales rep at Corel Corp. and eventually becoming the first employee at N-able Technologies in April of 2000.
SUBSCRIBE for more resources
Related Content

Agent-based SaaS Discovery

    When it comes to Augmentt Discover, we believe in flexibility and power. Augmentt Discover can collect SaaS usage data using both an Agent and Agentless model. Here is a quick [...]

    Product Evaluation Guide

      Thank you for starting your Augmentt Product Evaluation and Trial   Here are a few resources that will help you through this technical process. Support Technical Support is available to [...]
      Augmentt is a centralized SaaS security platform built for MSPs to deliver scalable managed security services for Microsoft and cloud apps. Our multi-tenant platform gives you visibility across all your end-users to easily audit, protect and detect security threats for a holistic approach to cyber security.