Cybersecurity poses an ever-present and persistent threat to every industry, especially the financial sector. Financial services deal with the most critical of all data, i.e., sensitive financial information, which includes credit card details, account data, or transaction information, to name a few. The impact of any security breach tends to leave after-effects on the impacted business for weeks, months, and, in some cases, years.
Therefore, it is critical for every organization to stay abreast of relevant data protection regulations and standards. One such regulation that financial services must pay attention to for compliance is the Gramm-Leach-Bliley Act (GLBA). The GLBA mainly consists of three sections i.e. the Financial Privacy Rule, GLBA Safeguards Rule, and Pretexting provisions.
The Privacy Rule addresses the collection and disclosure of financial information, the GLBA Safeguards Rule mandates security measures for protecting personal information, and the Pretexting provisions target unauthorized attempts to access customers' sensitive information. The law aims to protect customers’ nonpublic personal information (NPI), inform them about their rights, and be transparent about how their information is collected, processed, and shared with third parties.
This blog focuses on one of the three important categories discussed in the Act, i.e., the GLBA Safeguards Rule. Read on to learn more about the important provisions discussed in the Safeguards Rule and comply accordingly.
Quick Overview of the GLBA Safeguards Rule
The Standards for Safeguarding Customer Information (the Safeguards Rule), issued by the Federal Trade Commission (FTC), took effect in 2003. The Safeguards Rule aims to ensure that covered entities must develop, implement, and maintain reasonable administrative, technical, and physical measures to safeguard customers’ NPI from any harm, such as unauthorized access, destruction, and damage.
The covered entities include financial institutions that are engaged in any financial activity. Following are the examples of financial institutions:
- Retailers with credit cards
- Automobile dealership
- Property Appraiser
- Mortgage Broker
In 2021, the FTC subsequently amended the Safeguards Rule with a set of more stringent data protection requirements.
The revised rule requires all covered entities to establish a robust security program, designate qualified individuals for information system security, conduct risk assessments, and periodically report to governing bodies. These provisions aim to improve financial institutions' accountability and better protect customer information against current and emerging threats.
9 Important Obligations Under the GLBA Safeguards Rule
1. Appoint a Qualified Individual
The Rule requires financial institutions to appoint a qualified individual to be responsible for ensuring compliance and keeping the board informed. The qualified individual can be an employee of your company or can work for an affiliate or service provider. The person does not need a particular degree or title. What matters is real-world knowledge suited to the covered entity’s circumstances. If this requirement is met using a service provider or an affiliate, the covered entity shall:
- Retain responsibility for compliance with the Rule;
- Have to designate a senior member of their personnel responsible for direction and oversight of the qualified individual; and
- Require the service provider or affiliate to maintain an information security program that protects them and their information in accordance with the requirements of the Rule.
The amended Safeguards Rule provides a clearer prescription regarding assessing a risk-based security program by conducting a written risk assessment, which must be periodically reviewed. It must include:
- A criteria for the evaluation and categorization of identified security risks or threats faced by them.
- A criteria for the assessment of the confidentiality, integrity, and availability of the information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats faced by them.
- Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks.
3. Implement Specific Data Security Controls
The Rule requires financial institutions to implement specific security measures to control the threats identified by the risk assessment. These security measures may include:
a. Access Controls
Implement role-based access controls (RBAC) and periodically review access policies to monitor access activities. Covered entities shall provide necessary access only to authorized persons to safeguard information from unauthorized acquisition.
b. Inventory Management
Create a comprehensive inventory of all the systems, resources, and applications used across the organization. Manage the inventory concerning the risk strategy and business objectives of the organizations. It will help the organizations to design strategies to achieve the desired results.
c. Encryption
Encrypt all the data, including data at rest and in motion. Where encryption is not feasible, secure the data by implementing alternate controls approved by the qualified individual.
d. App Security Assessment
Secure app development practices must be observed for in-house apps that store, process, and share customer information. In the event of a third-party application, proper procedures must be established for assessing their security.
e. Multi-factor Authentication
Multi-factor authentication must be a prerequisite for any personnel accessing any information system. However, there’s an exception to this rule. Financial institutions may implement any alternative, reasonably equivalent security controls if the qualified individual approves it in writing.
f. Data Retention Policies
Financial institutions must not retain customer’s information for more than two years. A set of policies needs to be maintained to enable the secure disposal of customer information once it reaches the provided expiration period. Retention policies must also be regularly reviewed to ensure unnecessary data retention.
g. Change Management
Create and maintain change management policies to evaluate and manage shifts or changes in the IT infrastructure of the entity.
h. User Activity Monitoring
Create and implement policies and controls to monitor the activities of authorized individuals and prevent unauthorized access.
4. Conduct Periodic Testing & Monitoring of Safeguards
Financial institutions shall conduct periodic penetration tests to monitor the effectiveness of the implemented safeguards.
a. Annual Penetration Testing
The organizations shall conduct annual penetration tests on the basis of the identified risks during assessments.
b. Vulnerability Assessments
Regular vulnerability assessments, conducted bi-annually, systematically scan our information systems to identify known security vulnerabilities. These assessments are also performed in response to material changes in our operations or business arrangements and any circumstances that may impact our information security program.
5. Organize Training Sessions
Financial institutions must also provide periodic security awareness training, especially to personnel directly involved in the information security program. Apart from that, organizations must further provide security updates and training to security personnel. These training sessions ensure that the security personnel maintain and observe appropriate security practices.
6. Monitor Service Providers
Financial institutions must monitor their vendors (service providers) diligently. Vendors’ systems must be properly assessed based on the risk they present. Financial institutions must also ensure that their vendors maintain adequate security measures to protect data.
7. Ensure Constant Re-evaluation
The information security program must be periodically reviewed to stay abreast with the evolving threat vectors. Constant evaluation further allows organizations to make appropriate adjustments based on current risks.
8. Have a Written Incident Security Plan
Covered entities must prepare a well-written and comprehensive incident response plan. The response plan must cover every aspect of a security event materially affecting the confidentiality, integrity, or availability of customer information. This incident response plan shall include:
- The goals of the incident response plan;
- The internal processes for responding to a security event;
- The definition of clear roles, responsibilities, and levels of decision-making authority;
- External and internal communications and information sharing;
- Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
- Documentation and reporting regarding security events and related incident response activities; and
- The evaluation and revision as necessary of the incident response plan following a security event.
9. Report to the Organization’s Board of Directors
The qualified individual shall provide written reports, regularly or at least annually, to the organization’s board of directors or governing body. The report shall include details about the overall assessment of the information systems, its compliance with the law, risk assessment, risk management, and recommended changes in the information security system.
Final Thoughts
The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule provides financial institutions with a critical framework for protecting customers’ data. The Safeguards Rule has evolved to address the dynamic nature of emerging threats and challenges. By complying with these standards, organizations ensure compliance and customer data protection and build trust.
Download our whitepaper to learn more about the intricacies of the Safeguards Rule. The whitepaper provides detailed insights into the following:
- New entities and data covered by the new GLBA Amendments
- Operational obligations of all covered entities
- How to comply with the new GLBA's Safeguard Rule
Download Whitepaper Now
