New GLBA Security Requirements: What You Need to Know
What is the Gramm-Leach-Bliley Act (GLBA)?
On October 27, 2021, the US Federal Trade Commission (FTC) amended its Safeguards Rule (16 CFR Part 314: Standards for Safeguarding Customer Information) under the Gramm-Leach-Bliley Act (GLBA) to strengthen its information security requirements for non-bank financial institutions. It also expands the scope of businesses covered under the rule. The goal is to better protect the American public from the impacts of cyberattacks and data breaches, such as identity theft and other financial losses and disruptions.
What is the GLBA Safeguards Rule?
As part of their business activities, many organizations acquire and often share consumers’ sensitive financial data. To introduce basic consumer privacy controls in this context, the US Congress in 1999 implemented the GLBA, also called the Financial Services Modernization Act of 1999.
Through its Safeguards Rule, the GLBA requires non-bank financial institutions to implement and maintain an information security program to protect consumers’ sensitive financial data. The FTC enforces the Safeguards Rule through the FTC Act, rather than through civil penalties.
Does the Updated Rule Now Apply to My Business?
GLBA has always applied to companies offering financial products and services like loans, debt collection, insurance or investment advice. The new amendments to the Safeguards Rule broaden the definition of “financial institution” to make it more consistent with related regulations.
The biggest change is the inclusion of entities whose activities are “incidental” to other financial activities. This explicitly includes “finders” that connect buyers and sellers of financial products and services, such as lead generators that help consumers choose a financial services provider for car insurance or a home mortgage loan. However, the changes will not apply to finders that only engage in non-consumer transactions and hence don’t acquire “customer information.”
When Is The Deadline For Compliance?
Officially, the amended rule went into effect in late November 2021, 30 days after it was published in the Federal Register. But most of the new security requirements won’t take effect until November 2022.
Key Changes In The New Rule
In general, the amended Safeguards Rule adds more specific and prescriptive requirements to the flexible, process-oriented approach of the original rule, so that it parallels the New York Department of Financial Services (NYDFS) Cybersecurity Regulation and the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law. This has been a goal of the FTC for some time and reflects years of public feedback.
Major new requirements for covered financial institutions under the Safeguards Rule include:
- Adoption of a comprehensive, documented information security program focused on protecting customer data.
- Designating a “qualified individual”—in essence a Chief Information Security Officer (CISO)—to implement and oversee the organization’s information security program. This person can be an employee or contractor/consultant.
- Regular written risk assessments, to include evaluation and assessment criteria, requirements for mitigating, accepting or transferring identified risks, and other specifics. The risk assessment and its findings are intended to be the foundation of the information security program, not just a check-the-box exercise.
- Written reports made by the “qualified individual” to the board/governing body at least once per year.
- Yearly penetration tests and twice-yearly vulnerability assessments, which must address concerns identified in the risk assessment.
- Documenting a comprehensive incident response plan.
- Encryption of customer data both at rest and in transit, or the implementation of effective compensating controls.
- Multifactor authentication (MFA) for systems that store or handle customer data, or the implementation of effective compensating controls.
- Authentication and access controls as needed to implement the “principle of least privilege” around accessing customer data.
- Third-party risk management to ensure that vendors can protect any customer data they handle, including mandating appropriate safeguards in contracts and periodically assessing vendor risk.
- Data retention and disposal controls to facilitate secure disposal of customer data within two years of the date of its last use, unless retention is required or needed for valid business reasons.
- Additional controls to support data classification, secure web development, IT change management, employee security awareness training, and more.
For financial firms that maintain customer data for fewer than 5,000 consumers, there is a “small business exemption” within the Safeguards Rule amendments. These SMBs are exempted from several of the above requirements, including the written risk assessment, the written incident response plan and the annual written report to the board, as well as the penetration testing and vulnerability assessments.
Like other entities within the US federal government—and around the world—the FTC is looking to strengthen the information security and privacy postures of businesses under its purview. In an industry that is already heavily regulated, these amendments both clarify expectations and put even greater pressure on firms to track and comply with ongoing regulatory changes.
On an operational level, the Safeguards Rule amendments explicitly put best-practice risk assessment at the center of a firm’s cybersecurity and privacy program. The program’s controls, processes, policies and other elements must be validated based on risk assessment outcomes.
Covered businesses should “gap assess” their current cybersecurity and privacy programs as soon as possible, and then develop a roadmap to achieve timely compliance.
To connect with an expert about the new Safeguards Rule and its impact on your business, contact Pivot Point Security.