On December 9, 2021, the Federal Trade Commission (the “FTC”) issued an updated Safeguards Rule that strengthens the information security safeguards that non-banking financial institutions regulated by the FTC are required to implement to protect their customers’ financial information. The current Safeguards Rule, which has been in effect since 2003, requires financial institutions to create and maintain an information security program to protect customer information. When key provisions of the updated Safeguards Rule (the “Final Rule”) become effective in December 2022, these financial institutions will be required to include several additional elements in their information security programs, and more businesses may be subject to its provisions. In addition, the FTC proposed new breach notification requirements that would obligate FTC-regulated financial institutions to notify the Commission within 30 days of a security incident affecting at least 1,000 consumers.