If you are a Title IV institution, compliance with the revised Safeguards Rule and implementation of the data security controls set forth in the revised Rule is now a required segment of your annual financial audit.

The Federal Trade Commission's (FTC) amendment to the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA) became effective on June 9, 2023. The comprehensive amendment updated data security requirements for financial institutions, including all Title IV institutions of higher education. The U.S. Department of Education has increased enforcement authority by requiring auditors to verify an institution's compliance with components of the Safeguard Rule.

In March, the U.S. Department updated the Guide for Financial Statement Audits of Propriety Schools and For Compliance Attestation Examination Engagements of Proprietary Schools and Third-Party Servicers Administering Title IV Programs  (“Audit Guide”). The Audit Guide is effective for fiscal years beginning on or after January 1, 2023, and will be in place for all audits conducted in 2024 and beyond.

The Audit Guide reinforces that Title IV institutions must adhere to the strict cybersecurity requirements set forth in the Safeguards Rule including a requirement to “develop, implement, and maintain a written, comprehensive information security program.” The objective is to “Determine whether the school designated an individual to oversee, implement, and enforce the school's information security program and whether the school's written information security program addresses six additional required elements.”

In addition to verifying that the institution has designated a qualified individual, the auditor must also verify:

  1. The information security program is based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks;
  2. Design and implementation of eight safeguards set forth in the regulation to control the risks the school or servicer identifies through its risk assessment;
  3. Regular testing or otherwise monitoring the effectiveness of the safeguards implemented;
  4. Implementation of policies and procedures to ensure that personnel are able to enact the information security program;
  5. How the school or servicer will oversee its information system service providers; and
  6. The evaluation and adjustment of an institution's information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the information security program.

An institution's failure to implement an information security program with the required elements by June 9, 2023 (the effective date of the Safeguards Rule) may result in an audit finding. If an institution has not implemented an information security program with the required elements by December 31, 2023, the institution will receive an audit finding and must submit a Corrective Action Plan (“CAP”). Moreover, FSA's Cybersecurity Team and the Federal Trade Commission (FTC) will be informed of the audit findings regarding the Safeguards Rule and may request additional information to assess the level of risk to student data.

In an Electronic Announcement issued in February 2023 regarding cybersecurity compliance, the Department stated that a finding of non-compliance will be resolved as part of the Department's determination of an institution's administrative capability. Additionally, repeated non-compliance may result in administrative action impacting Title IV participation.

Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.