10 Oct

Changes to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule

Heads Up Financial Institutions!

The Federal Trade Commission (FTC) announced the first cybersecurity updates to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule since 2003. The new rule strengthens the security safeguards required for customer information, including formal risk assessments, access controls, regular penetration testing and vulnerability scanning, and incident response capabilities, among other things.

Most of these changes go into effect in December 2022, giving organizations time to prepare for compliance. The changes are detailed below in comparison to the previous rule.

Background on the Safeguards Rule

GLBA requires, among other things, a wide range of “financial institutions” to protect customer information. Enforcement for GLBA is split up among several different federal agencies, with FTC jurisdiction covering non-banking financial institutions in the Safeguards Rule. Previously, the Safeguards Rule left the implementation details of several aspects of the information security program up to the financial institution, based on its risk assessment.

The Safeguards Rule's broad definition of “financial institutions” includes non-bank businesses that offer financial products or services — such as retailers, automobile dealers, mortgage brokers, non-bank lenders, property appraisers, tax preparers, and others. The definition of “customer information” is also broad, including any record containing non-public personally identifiable information about a customer that is handled or maintained by or on behalf of a financial institution.

Updates to the Safeguards Rule

Many of the other updates concern strengthened requirements on how financial institutions must implement aspects of their security programs. Below is a short summary of the changes.

Overall Security Program

Current rule: Financial institutions must maintain a comprehensive, written information security program with administrative, technical, and physical safeguards to ensure the security, confidentiality, and integrity of customer information.

Updated rule: The updated rule now requires the information security program to include the processes and safeguards listed below (i.e., risk assessment, security safeguards, etc.).

Effective date: December 2022

Risk Assessment

Current rule: Financial institutions are required to identify internal and external risks to the security, confidentiality, and integrity of customer information. The risk assessment must cover employee training, risks to information systems, and the detection of and response to security incidents and events.

Updated rule: The update includes more specific criteria for what the risk assessment must include: criteria for evaluating and categorizing security risks and threats, and criteria for assessing the adequacy of security safeguards. The risk assessment must describe how identified risks will be mitigated or accepted, and it must be in writing.

Effective date: December 2022

Security Safeguards

Current rule: Financial institutions must implement safeguards to control the risks identified through the risk assessment. Financial institutions must require service providers to maintain safeguards to protect customer information.

Updated rule: The updated rule requires that the safeguards include:

  • Access controls, including providing least privilege;
  • Inventory and classification of data, devices, and systems;
  • Encryption of customer information at rest and in transit over internal networks;
  • Secure development practices for in-house software and applications;
  • Multi-factor authentication;
  • Secure data disposal;
  • Change management procedures; and
  • Monitoring activity of unauthorized users and detecting unauthorized access or use of customer information.

Effective date: December 2022

Testing and Evaluation

Current rule: Financial institutions must regularly test or monitor the effectiveness of the security safeguards and make adjustments based on the testing.

Updated rule: Regular testing of safeguards must now include either continuous monitoring or periodic penetration testing (annually) and vulnerability assessments (semi-annually).

Effective date: December 2022

Incident Response

Current rule: Financial institutions must include cybersecurity incident detection and response in their risk assessments and have safeguards to address those risks.

Updated rule: Financial institutions are required to establish a written plan for responding to any security event materially affecting confidentiality, integrity, or availability of customer information.

Effective date: December 2022

Workforce and Personnel

Current rule: Financial institutions must designate an employee to coordinate the information security program. Financial institutions must select service providers that can maintain security and require service providers to implement the safeguards.

Updated rule: The rule now requires designation of a single “qualified individual” to be responsible for the security program. This can be a third-party contractor. Financial institutions must now provide security awareness training and updates to personnel. The rule now also requires periodic reports to a Board of Directors or governing body regarding all material matters related to the information security program.

Effective date: December 2022

Scope of Coverage

Updated rule: The FTC update expands on the definition of “financial institution” to require “finders” — companies that bring together buyers and sellers — to follow the Safeguards Rule. However, financial institutions that maintain customer information on fewer than 5,000 consumers are exempt from the requirements of a written risk assessment, continuous monitoring or periodic pen testing and/or vulnerability scans, incident response plan, and annual reporting to the Board.

Effective date: November 2021 (unlike many of the other updates, this item was not delayed for a year)

Incident Reporting

In addition to the above, the FTC is also considering requirements that financial institutions report cybersecurity incidents and events to the FTC. Similar requirements are in place under the Cybersecurity Regulation at the New York Department of Financial Services. If the FTC moves forward with these incident reporting requirements, financial institutions could expect the requirements to be implemented in early 2023.

Financial institutions with robust security programs will already be performing many of these practices. For them, the updated Safeguards Rule will not represent a sea change in internal security operations. However, by making these security practices a formal regulatory requirement, the updated Safeguards Rule will make accountability and compliance even more important.
