Corporate compliance | 5 min read

FTC Safeguards Rule Cybersecurity Training: What Employers Should Document

Covered financial institutions need a written information security program, employee training, and specialized training for people carrying out the program.

Quick answer

The FTC Safeguards Rule requires covered financial institutions to develop, implement, and maintain a written information security program. FTC guidance identifies employee training and specialized training for people responsible for carrying out the program as important elements. The rule is program-based, so employers should document training as part of the institution's risk-based safeguards rather than wait for one universal annual deadline.

Compliance Snapshot

Covered entities: FTC-jurisdiction financial institutions
Program: Written information security program
Training: Employee and specialized role-based training
Breach notice: Some events reported no later than 30 days after discovery

Who should care about the Safeguards Rule?

The FTC Safeguards Rule applies to certain financial institutions under FTC jurisdiction, a category that can include businesses that do not think of themselves as banks. FTC guidance discusses examples such as motor vehicle dealers that arrange financing.

Covered businesses need a written information security program appropriate to their size, complexity, and activities, and to the sensitivity of their customer information.

What training should be documented?

FTC guidance points to employee training and specialized training for employees, affiliates, or service providers with hands-on responsibility for carrying out the information security program.

Training should connect to real safeguards: phishing, passwords, MFA, access controls, secure data handling, incident reporting, service provider risk, and the organization's internal process.

Where National Course Portal fits

The Cybersecurity Awareness Training course can provide a documented baseline for all employees who need general cyber-risk awareness.

Covered institutions should supplement it with their written information security program, role-based procedures, incident response workflow, access control policies, and Qualified Individual oversight.

Action Checklist

  1. Confirm whether the business is a covered financial institution.
  2. Maintain a written information security program.
  3. Train employees on practical cyber-risk behaviors.
  4. Provide specialized training to people carrying out the program.
  5. Document completion dates and training topics.
  6. Pair training with incident response and breach notification workflows.

FAQ

Does the FTC Safeguards Rule require cybersecurity training?

FTC guidance identifies employee training and specialized training for people responsible for carrying out the information security program as important safeguards.

Is there an annual Safeguards Rule training deadline?

The rule is program-based rather than tied to one universal annual training date. Many businesses use annual refreshers to document ongoing safeguards.

Is general cybersecurity awareness enough?

General awareness helps, but covered institutions also need a written information security program and role-specific safeguards.

Official Sources

This guide is general information for employer planning. It is not legal advice, and employers should confirm requirements with counsel, the regulator, or the requesting agency before relying on any course for a specific obligation.