One key addition to the FTC’s Safeguards Rule in 2021 was a requirement for non‑bank financial institutions to implement more specific, modern cybersecurity controls—such as encryption of customer data, access controls, and written procedures for how that data is shared and protected.

Quick Scoop: Core Change in 2021

In 2021, the Safeguards Rule was updated so it no longer just asked institutions to have “reasonable” security, but spelled out concrete expectations. This included requirements like encryption of customer information in transit and at rest, stronger access controls, and periodic assessment of service providers’ security practices.

One Clear Example: Encryption

One of the clearest additions was a mandate that customer information be encrypted both when stored and when sent over external networks. This change reflects the reality that encrypted data is much harder for attackers to use, even if they manage to access it.

Broader Scope and Duties

The 2021 amendments also broadened who counts as a “financial institution” under the rule, pulling in more non‑bank entities such as certain tax preparers and fintech providers. Along with this broader scope came additional responsibilities, like more formal risk assessments, written incident response planning, and ongoing oversight of vendors that handle customer data.

TL;DR:
One major 2021 addition to the Safeguards Rule is the requirement to use modern cybersecurity practices—especially encryption of customer data at rest and in transit—along with clearer, more detailed obligations around access controls, vendor oversight, and formal security programs.
