Here's a sobering fact: 80% of small and medium businesses think they're compliant with the FTC Safeguards Rule. But when audited, most fail the basic controls required by law.
It's December 2025, and we're seeing the same compliance gaps that got businesses in trouble three years ago. The difference now? The penalties are steeper, the audits are more frequent, and cyber insurance companies are getting pickier about what they'll actually cover.
If you're running a financial services business (and that definition is broader than you think), you can't afford to wing this anymore. Let's dive into what's still going wrong and how to fix it.
The 7 Requirements Most SMBs Still Overlook
1. Multi-Factor Authentication (But Not Where You Think)
Most businesses have MFA on their main systems but forget about secondary access points. Your accounting software, cloud backups, and vendor portals all need MFA protection. The FTC doesn't care if it's your "less important" system: if it touches customer data, it needs to be locked down.
2. Comprehensive Logging and Monitoring
Here's what we see constantly: businesses that can tell you who logged into their main server but have no idea who accessed their customer database last Tuesday. The Safeguards Rule requires you to track and monitor access to customer information systems. That means audit logs, access reviews, and regular monitoring, not just for your core systems but everywhere customer data lives.

3. Annual Risk Assessments (Not Just IT Checklists)
Too many SMBs treat risk assessments like IT inventory lists. A real risk assessment under the Safeguards Rule evaluates your entire information security program, identifies vulnerabilities in your processes (not just technology), and creates actionable remediation plans. If your last "risk assessment" was just checking off that you have antivirus software, you're missing the point.
4. Vendor Management and Third-Party Oversight
Your payment processor got breached? Your cloud storage provider had a security incident? Under the Safeguards Rule, that's still your problem. You need written agreements with service providers handling customer data, regular security assessments of their practices, and contingency plans for when they fail. Most SMBs sign vendor contracts without ever asking about the vendor's security controls.
5. Encryption Everywhere (Not Just Sometimes)
Encrypting your main database isn't enough. Customer data needs encryption at rest AND in transit. That includes emails with customer information, backup drives, cloud storage, and data moving between your systems. We regularly find businesses with encrypted servers but unencrypted email communications containing sensitive customer data.
6. Written Information Security Policies
The "we know what we're doing" approach doesn't cut it anymore. You need documented policies covering data handling, access controls, incident response, and employee responsibilities. These can't be generic templates: they need to reflect your actual business processes and be updated regularly.
7. Ongoing Employee Security Training
One-time cybersecurity training during onboarding isn't compliance. The rule requires ongoing education about identifying and responding to security threats. Your team needs to know how to spot phishing attempts, handle customer data properly, and report security incidents immediately.
Why "My IT Guy Handles That" Is Your Biggest Risk
Here's the most dangerous phrase we hear from small business owners: "My IT guy handles all that cybersecurity stuff."
The FTC Safeguards Rule requires a "Qualified Individual" to oversee your information security program. This person needs to report directly to your board or senior management and have the authority to implement security measures across your organization.
Your part-time IT contractor who fixes computers and manages your network probably doesn't have the compliance expertise, business authority, or time to manage a comprehensive information security program. They might be great at keeping your systems running, but compliance requires business process knowledge, risk management skills, and ongoing regulatory awareness that most technical contractors simply don't provide.

The Insurance Reality Gap
Cyber insurance companies are getting much stricter about what they'll cover and what security controls they require. Here's the disconnect we see constantly:
What your policy requires: MFA on all systems, regular backups tested within 30 days, employee security training, incident response plans, and documented security policies.
What most SMBs actually have: MFA on some systems, backups that haven't been tested in months, one-time security training from 2022, no formal incident response plan, and security "policies" that are really just common sense practices that aren't written down anywhere.
When you file a claim, insurance companies investigate whether you were following the security practices required by your policy. If they find gaps (and they will), your claim gets denied, and you're stuck with the full cost of recovery plus potential regulatory fines.
Real Breaches From Simple Failures
Last year, a regional accounting firm lost 15,000 customer records because they were using the same password for their main system that they'd been using since 2018. No MFA, no password rotation policy, no access monitoring. The breach cost them $2.3 million in remediation, legal fees, and lost business.
Another SMB got hit because their backup system wasn't encrypted and their cloud storage provider had a security incident. They thought their data was safe because it was "in the cloud." The FTC fined them $500,000 for failing to ensure their service providers met Safeguards Rule requirements.
We see this pattern constantly: businesses that think basic cybersecurity measures are enough, but compliance requires systematic, documented, and regularly updated security programs.
The Real Cost of Non-Compliance in 2025
FTC enforcement actions are becoming more frequent and expensive. The average fine for Safeguards Rule violations is now $100,000 to $500,000 for first-time offenders. But that's just the beginning.
Add in breach notification costs (required within 30 days of discovery), customer notification expenses, credit monitoring services, legal fees, lost business, and reputation damage, and you're looking at costs that can easily exceed $1 million for a mid-sized business.
Cyber insurance might cover some breach costs, but it won't cover regulatory fines or lost business from customers who no longer trust you with their data. And if you weren't following required security practices, your insurance company might deny your claim entirely.

How to Close the Compliance Gap Fast
The good news? Most compliance gaps can be addressed systematically with the right approach:
Start with a comprehensive risk assessment that evaluates your entire information security program, not just your technology. This identifies exactly where you stand and what needs immediate attention.
Document everything. Your security policies, procedures, training records, access controls, and incident response plans all need to be written down and regularly updated.
Implement systematic monitoring. You need to know who's accessing customer data, when, and why. Regular access reviews and audit logs aren't optional: they're required.
Get your vendor relationships sorted. Every third party handling customer data needs proper security agreements and regular oversight.
Train your team regularly on both technical security measures and compliance requirements. One-and-done training doesn't meet the ongoing education requirement.
Establish proper governance. Someone with business authority needs to own your information security program and report to senior management on compliance status.
The key is treating this as a business program, not just an IT project. Compliance requires ongoing attention, regular updates, and systematic documentation that most businesses don't naturally maintain without proper structure.
Your Next Steps
If you're not 100% certain you could pass an FTC or cyber insurance audit today, you need to act now. The regulatory environment isn't getting more lenient, and the cost of non-compliance keeps increasing.
Book a Cybersecurity Risk Assessment and we'll show you exactly where the gaps are, in both data and dollars.
Don't wait for an audit, a breach, or an insurance claim denial to discover your compliance gaps. The businesses that get this right in 2025 are the ones that treat cybersecurity compliance as a systematic business requirement, not an IT afterthought.