The $5.8 Billion Wake-Up Call You Can't Afford to Ignore

In 2021, the FTC finalized sweeping updates to the Safeguards Rule, and most of the new requirements took effect in June 2023. A further amendment, effective May 2024, added a duty to report certain breaches to the FTC. By 2024, enforcement actions were landing on companies most people had never heard of, far outside the banking sector. The message was clear: the FTC cybersecurity requirements for businesses apply to you, not just Fortune 500 companies.

I've watched organizations scramble after receiving an FTC complaint. It's not pretty. The legal fees alone can gut a small business, and the reputational damage lingers for years. If your business is significantly engaged in financial activities, anything from extending or brokering credit to preparing tax returns, the FTC considers you a "financial institution" under the Gramm-Leach-Bliley Act, and that definition is far broader than most owners assume.

This post breaks down exactly what the FTC expects, what happens when you fall short, and the specific steps your organization needs to take right now to stay compliant and protected.

What Are the FTC Cybersecurity Requirements for Businesses?

The FTC enforces data security under two main authorities: Section 5 of the FTC Act (which prohibits unfair or deceptive practices) and the Standards for Safeguarding Customer Information at 16 CFR Part 314, commonly called the Safeguards Rule. Together, they form the backbone of FTC cybersecurity requirements for businesses that collect, store, or transmit consumer data.

The updated Safeguards Rule (16 CFR 314.4) requires covered businesses to:

  • Designate a qualified individual to oversee your information security program.
  • Conduct a written risk assessment identifying internal and external threats, and base the program on its findings.
  • Inventory the data, personnel, devices, and systems that handle customer information, and implement access controls limiting who can reach it.
  • Encrypt customer information both in transit over external networks and at rest, or document a compensating control approved in writing by your qualified individual.
  • Deploy multi-factor authentication for anyone accessing a system that holds customer data (the same written-approval exception applies).
  • Log and monitor the activity of authorized users, and securely dispose of customer information no later than two years after its last use unless you have a legitimate business or legal reason to keep it.
  • Develop an incident response plan you can actually execute.
  • Train employees on security awareness, and keep that training current.
  • Monitor and test the effectiveness of your safeguards: continuous monitoring, or annual penetration testing plus vulnerability assessments at least every six months.
  • Assess the security practices of your service providers.
  • Report to the FTC, within 30 days of discovery, any breach involving the unencrypted information of 500 or more consumers.
  • Have the qualified individual report in writing to your board or senior management at least annually.

If your business processes consumer financial data, whether as a tax preparer, auto dealership, real estate settlement company, payday lender, collection agency, or even a retailer with its own credit program, you're covered. There is no revenue threshold, and the only size-based relief is the exemption for businesses holding information on fewer than 5,000 consumers, which drops a handful of documentation requirements rather than removing coverage.

Who Exactly Does the FTC Consider a "Financial Institution"?

This trips up more businesses than any other point. The FTC's definition under the Safeguards Rule extends well beyond banks. If you're a mortgage broker, a car dealer that handles financing, a tax preparation firm, a financial advisor, a wire transfer service, or a company that helps consumers find lenders, you qualify. Even finders, meaning businesses that connect consumers with financial service providers, fall under this umbrella.

The only partial exemption, in section 314.6, applies to businesses maintaining customer information on fewer than 5,000 consumers. They're excused from the written risk assessment, the written incident response plan, the continuous monitoring or penetration testing requirement, and the annual report to the board, but they still have to implement the safeguards themselves, including MFA and encryption. "We're too small" has never been a valid defense.

Real FTC Enforcement: What Actually Happens When You Fail

The FTC doesn't just write rules and walk away. They enforce them aggressively, and the settlements read like case studies in what not to do.

In 2022, the FTC took action against Drizly and its CEO after a 2020 data breach exposed the personal information of approximately 2.5 million consumers. The FTC's order didn't just target the company. It followed the CEO personally, requiring him to implement a security program at any future company he leads that collects consumer information at scale. Binding an executive by name in a data security order was an unusual step, and it sent a clear signal.

CafePress faced a similar reckoning. After a 2019 breach exposed millions of customer records, the FTC's investigation found that the company stored Social Security numbers and password-reset answers in plaintext and failed to patch known vulnerabilities. The resulting 2022 order required a comprehensive security program, independent assessments, and $500,000 in consumer redress from the company's former owner.

In my experience, the companies that get hit hardest share three traits: they had no designated security person, they hadn't conducted a risk assessment, and their employee training was nonexistent or years out of date.

The Employee Training Requirement Most Businesses Get Wrong

Section 314.4(e)(1) of the Safeguards Rule requires covered businesses to provide personnel with security awareness training that is updated as necessary to reflect the risks identified in the risk assessment. This isn't a suggestion. It's a requirement with teeth.

But here's what I see constantly: organizations treat this as a check-the-box exercise. They run a single annual presentation, maybe show a dated video, and call it done. The FTC has made clear in enforcement actions that "reasonable" security includes training that's current, relevant, and ongoing.

Threat actors change their tactics faster than an annual training cycle can track. Phishing campaigns now use AI-generated content that's hard to distinguish from legitimate communication. Credential theft schemes target specific employees with personalized pretexts. Your training needs to keep pace.

A strong starting point is security awareness training that covers the full spectrum of social engineering tactics, password hygiene, and how to report a suspected incident. Pair it with regular phishing simulation exercises so you test real behavior rather than only knowledge, and reinforce what employees learned.

What Good Training Actually Looks Like Under FTC Standards

The FTC expects training to be role-appropriate and updated as threats change. That means:

  • New employees receive training during onboarding — not three months later.
  • All staff complete refresher training at least annually, with more frequent sessions for high-risk roles.
  • Phishing simulations test real-world response, not just knowledge retention.
  • Training records are documented and available for review if the FTC comes knocking.

I can't stress documentation enough. During an FTC investigation, "we told everyone to be careful" carries zero weight. Written policies, completion records, and simulation results demonstrate you took the requirement seriously.
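The cadence above only counts if you can show it on paper. The following is an added example, not code from the original post: a small audit over training records that produces the documented findings an investigator would ask for. The cadence parameters (a 14-day onboarding window, a 365-day refresher for standard roles and 180 days for high-risk roles, and a "two simulation clicks in a year" retraining trigger) are assumptions for illustration; the Safeguards Rule sets no specific number of days. The roster is constructed sample data.

```python
"""Training-record audit: flags the gaps an FTC investigator asks about (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Cadence parameters. These are assumptions for this example: the rule requires
# training "updated as necessary" and does not fix a number of days.
ONBOARDING_DEADLINE_DAYS = 14
REFRESHER_INTERVAL_DAYS = {"standard": 365, "high_risk": 180}
SIMULATION_LOOKBACK_DAYS = 365
SIMULATION_CLICK_THRESHOLD = 2


@dataclass
class Employee:
    name: str
    role_tier: str                                     # "standard" or "high_risk"
    hired: date
    completions: list = field(default_factory=list)    # dates training was completed
    sim_clicks: list = field(default_factory=list)     # dates of phishing-simulation failures


def training_findings(emp: Employee, today: date) -> list:
    """Return (finding_code, detail) pairs for one employee; an empty list means compliant."""
    findings = []
    done = sorted(emp.completions)
    onboarding_due = emp.hired + timedelta(days=ONBOARDING_DEADLINE_DAYS)

    if not done:
        # No record at all is only a finding once the onboarding window has closed.
        if today > onboarding_due:
            findings.append(("ONBOARDING_OVERDUE", f"no training on record; due {onboarding_due}"))
    else:
        if done[0] > onboarding_due:
            late = (done[0] - onboarding_due).days
            findings.append(("ONBOARDING_LATE", f"first training {late} days after deadline"))
        # Refresher cadence depends on the role tier from the risk assessment.
        refresher_due = done[-1] + timedelta(days=REFRESHER_INTERVAL_DAYS[emp.role_tier])
        if today > refresher_due:
            findings.append(("REFRESHER_OVERDUE", f"last training {done[-1]}, due {refresher_due}"))

    # Simulation results feed back into training: repeat clickers get targeted retraining.
    cutoff = today - timedelta(days=SIMULATION_LOOKBACK_DAYS)
    recent = [d for d in emp.sim_clicks if d >= cutoff]
    if len(recent) >= SIMULATION_CLICK_THRESHOLD:
        findings.append(("TARGETED_RETRAINING",
                         f"{len(recent)} simulation failures in the last {SIMULATION_LOOKBACK_DAYS} days"))
    return findings


def audit(roster: list, today: date) -> dict:
    """Map each employee name to their findings; this report is the documentation."""
    return {e.name: training_findings(e, today) for e in roster}


# Constructed sample roster (not real people or records).
TODAY = date(2026, 3, 1)
ROSTER = [
    Employee("alice", "standard", date(2024, 5, 6), [date(2024, 5, 10), date(2025, 5, 9)]),
    Employee("bob", "standard", date(2025, 11, 3), [date(2026, 1, 20)]),            # onboarding late
    Employee("carol", "high_risk", date(2023, 2, 1), [date(2023, 2, 3), date(2025, 6, 1)]),  # 180-day refresher lapsed
    Employee("dave", "standard", date(2025, 1, 6), [date(2025, 1, 8), date(2026, 1, 9)],
             [date(2025, 9, 2), date(2026, 1, 14)]),                                   # repeat clicker
    Employee("erin", "standard", date(2026, 2, 24)),                                   # still inside onboarding window
]

if __name__ == "__main__":
    for name, findings in audit(ROSTER, TODAY).items():
        status = "OK" if not findings else "; ".join(f"{code}: {detail}" for code, detail in findings)
        print(f"{name:6} {status}")
```

Run it and the output is the list you would hand over: who is late, who is overdue, and who needs targeted retraining, each with the dates that justify the finding. Feed it your HR export and LMS completion data instead of the constructed roster, and keep the generated report with the completion records themselves.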

Multi-Factor Authentication: The Non-Negotiable Control

The updated Safeguards Rule explicitly requires multi-factor authentication for any individual accessing any information system that holds customer information. Not "recommended." Required. The one escape hatch is narrow: your qualified individual may approve, in writing, an equivalent or more secure access control in its place, and that written approval is exactly what an investigator will ask to see.

This was a sticking point for many small businesses as the compliance deadline approached. Some pushed back, claiming MFA was too burdensome. The FTC pushed the deadline back six months, to June 2023, but kept the requirement. And frankly, in 2026, MFA is table stakes. The Verizon Data Breach Investigations Report has consistently ranked stolen credentials among the leading initial access vectors in breaches. MFA directly addresses that vector.

If you haven't deployed MFA across every system that touches customer data (email, CRM, cloud storage, accounting software, remote access), you have an open compliance gap and an open front door for threat actors. Where you have the choice, prefer phishing-resistant factors such as FIDO2 security keys or passkeys over SMS codes, which attackers routinely intercept or phish.

Your Incident Response Plan Needs to Be More Than a Document

The Safeguards Rule (section 314.4(h)) requires a written incident response plan. I've reviewed dozens of these for clients, and most share the same flaw: they exist as PDFs nobody has read, describing procedures nobody has practiced.

An effective plan under FTC standards must cover:

  • Clear roles, responsibilities, and levels of decision-making authority for your response team.
  • Internal and external communication procedures, including how you'll notify affected consumers and regulators. Since May 2024 that includes reporting to the FTC, through its online form, within 30 days of discovering a breach that involves the unencrypted information of 500 or more consumers.
  • Steps for containment, eradication, and recovery, and how weaknesses in systems and controls will be remediated.
  • Documentation and reporting of security events, and a post-incident review to identify what failed and how to fix it.
  • Relationships with external forensic and legal resources established before an incident.

Tabletop exercises — where you walk your team through a simulated ransomware attack or data breach scenario — are the single best way to find gaps in your plan before a real incident exposes them.

Risk Assessments: The Foundation the FTC Looks for First

Every FTC enforcement action I've studied starts with the same question: did the company conduct a risk assessment? If the answer is no, the rest of the conversation gets very expensive very fast.

The Safeguards Rule requires a written risk assessment that identifies reasonably foreseeable risks to customer information — both internal and external. It must evaluate the sufficiency of your current safeguards and be updated as your business or threat landscape changes.

How to Conduct a Risk Assessment That Actually Protects You

A compliant risk assessment covers three categories:

  • Employee-related risks: Unauthorized access, accidental disclosure, social engineering susceptibility, and insider threats.
  • Information system risks: Unpatched software, misconfigured cloud services, inadequate encryption, and weak access controls.
  • Network risks: External attacks, data interception, malware, and ransomware exposure.

For each identified risk, document the current safeguard (or lack thereof), rate it against written criteria for likelihood and for impact on the confidentiality, integrity, and availability of customer information, decide whether the safeguard is adequate, and describe what you'll do to close any gap. The rule requires the evaluation criteria and the mitigation plan to be written down, not just the list of risks. This isn't a one-time project. Revisit it quarterly or whenever you adopt new technology, change vendors, or experience an incident.
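To make that concrete, here is an added example, not from the original post, of a minimal written risk register kept as code: each entry records the category, threat, current safeguard, an adequacy judgment, a likelihood and impact rating, and the remediation plan, and the functions derive the remediation queue and the review schedule from it. The 1-to-5 rating scale, the high/medium/low thresholds, and the 90-day review interval are assumptions for this example (the rule only says "periodically"), and the register entries are constructed.

```python
"""Minimal written risk register with scoring and review tracking (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_INTERVAL_DAYS = 90                      # quarterly cadence; an assumption, the rule says "periodically"
CATEGORIES = {"employee", "system", "network"}  # the three categories discussed above


@dataclass
class Risk:
    rid: str
    category: str
    threat: str
    safeguard: str            # what is in place today, or "none"
    adequate: bool            # the documented adequacy judgment
    likelihood: int           # 1 (rare) .. 5 (expected); assumed scale
    impact: int               # 1 (negligible) .. 5 (severe) on C/I/A of customer information; assumed scale
    remediation: str = ""     # required whenever the safeguard is judged inadequate
    last_reviewed: date = date(2026, 1, 1)

    def __post_init__(self):
        # Enforce the written criteria so a half-filled entry cannot enter the register.
        if self.category not in CATEGORIES:
            raise ValueError(f"{self.rid}: unknown category {self.category!r}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.rid}: likelihood and impact must be 1..5")
        if not self.adequate and not self.remediation:
            raise ValueError(f"{self.rid}: an inadequate safeguard needs a remediation plan")


def score(risk: Risk) -> int:
    return risk.likelihood * risk.impact


def rating(risk: Risk) -> str:
    """Categorize the numeric score; the thresholds are the written evaluation criteria."""
    s = score(risk)
    return "high" if s >= 15 else "medium" if s >= 8 else "low"


def open_gaps(register: list) -> list:
    """Inadequate safeguards, highest score first: this is the remediation queue."""
    return sorted((r for r in register if not r.adequate), key=lambda r: (-score(r), r.rid))


def reviews_due(register: list, today: date, events: list = ()) -> list:
    """IDs of risks whose scheduled review has lapsed, plus every risk if a triggering
    event (new vendor, new technology, security incident) postdates its last review."""
    due = []
    for r in register:
        scheduled = r.last_reviewed + timedelta(days=REVIEW_INTERVAL_DAYS)
        triggered = any(when > r.last_reviewed for _, when in events)
        if today > scheduled or triggered:
            due.append(r.rid)
    return due


# Constructed sample register (illustrative entries, not a real assessment).
REGISTER = [
    Risk("R1", "employee", "phishing leading to credential theft",
         "annual awareness training, no simulations", False, 4, 4,
         "quarterly phishing simulations with targeted retraining", date(2026, 3, 1)),
    Risk("R2", "system", "unpatched CRM server exposed to the internet",
         "manual patching when convenient", False, 3, 5,
         "monthly patch window; vulnerability scan every six months", date(2026, 1, 5)),
    Risk("R3", "network", "interception of customer data in transit",
         "TLS 1.2 or higher enforced on all external connections", True, 2, 5,
         last_reviewed=date(2026, 3, 1)),
    Risk("R4", "employee", "insider misuse of customer records",
         "least-privilege roles reviewed quarterly, access logging", True, 2, 3,
         last_reviewed=date(2026, 3, 1)),
]

if __name__ == "__main__":
    today = date(2026, 4, 15)
    for r in open_gaps(REGISTER):
        print(f"{r.rid} [{rating(r)} {score(r)}] {r.threat}: {r.remediation}")
    print("reviews due:", reviews_due(REGISTER, today))
    print("after new vendor:", reviews_due(REGISTER, today, [("new_vendor", date(2026, 3, 20))]))
```

Two design points carry over to a real register. First, the validation in `__post_init__` is where the rule's "written criteria" live: an entry with an inadequate safeguard and no remediation plan is rejected rather than quietly recorded. Second, reviews are triggered by events as well as by the calendar, which is what lets you show that onboarding a vendor or suffering an incident actually reopened the assessment.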

NIST offers practical guidance for structuring risk assessments. NIST SP 800-30 walks through the assessment process itself, and the NIST Cybersecurity Framework maps well to what the FTC expects, giving smaller organizations a structured approach that doesn't require a six-figure consulting engagement.

Vendor Management Is Your Responsibility, Not Theirs

The Safeguards Rule requires you to oversee your service providers' security practices. That means due diligence before you sign a contract, contractual security requirements, and periodic assessment of whether they're meeting those requirements.

This catches many small businesses off guard. You hand customer data to a cloud CRM, a payment processor, an email marketing platform — and assume they've got security handled. The FTC doesn't care about your assumptions. If your vendor gets breached and your customers' data is exposed, the FTC's investigation starts with you.

At minimum, your vendor contracts should require:

  • Implementation of appropriate safeguards for the customer data they handle.
  • Prompt notification to you in the event of a security incident.
  • Cooperation with your security assessments or audits.
  • Data return or destruction upon contract termination.

Zero Trust Isn't Just a Buzzword — It's the Direction the FTC Is Heading

While the Safeguards Rule doesn't use the phrase "zero trust" explicitly, the underlying principles align closely. Least-privilege access, multi-factor authentication, encryption, and logging of user activity are required outright; continuous verification and network segmentation are the natural way to meet the rule's demand that access be limited to what each user actually needs.

Organizations that adopt a zero trust mindset — never trust, always verify — tend to satisfy FTC requirements almost by default. When every access request is authenticated, authorized, and encrypted, you've eliminated the most common attack paths that lead to breaches and enforcement actions.

A Practical Compliance Checklist for 2026

Here's what I tell every business owner or IT leader who asks me where to start with FTC cybersecurity requirements for businesses:

  • Designate a qualified individual responsible for your information security program. This can be an employee or an outsourced resource.
  • Complete a written risk assessment covering employee, system, and network threats.
  • Deploy multi-factor authentication on every system that accesses customer information, or hold the qualified individual's written approval of an equivalent control.
  • Encrypt customer data in transit and at rest. Any exception needs a compensating control approved in writing by your qualified individual.
  • Implement access controls based on least privilege. Review them every 90 days.
  • Train your workforce with current cybersecurity awareness training and targeted phishing simulation exercises.
  • Write and test your incident response plan at least annually, and make sure it covers the 30-day FTC breach notification.
  • Assess your vendors' security before onboarding and periodically after.
  • Document everything. If you can't prove you did it, the FTC will assume you didn't.

The Cost of Compliance vs. the Cost of Getting Caught

I hear the objection constantly: "This is expensive and complicated." It can be. But compare it to the alternative. FTC consent orders typically last 20 years. They require ongoing third-party security assessments at your expense. They mandate reporting covered incidents to the FTC. And they can follow individual executives, not just the company.

The IBM Cost of a Data Breach Report found the global average cost of a data breach reached $4.88 million in 2024. For smaller organizations, even a fraction of that figure can be existential. The FTC cybersecurity requirements for businesses aren't punishment — they're a floor. Build above it, and your customers, your reputation, and your bottom line are all better protected.

Start with your risk assessment. Get your training program current. Deploy MFA if you haven't already. These three actions alone close the majority of gaps I see in organizations facing their first FTC compliance review. The threat actors aren't waiting. Neither is the FTC.