#cybersecurity
#glba

GLBA Updates Reminder

September 21, 2022

The GLBA updates become effective in December. Make sure you have revised your policies and procedures to comply with the new requirements. The Federal Trade Commission (FTC) final rule amending the GLBA Safeguards Rule took effect on January 10, 2022. As a practical matter, the amendment requires financial institutions to revise a series of their policies and procedures, from risk assessments to vendor oversight.

Although the amended Safeguards Rule took effect on January 10, most new or amended provisions do not become effective until December 9, 2022, so businesses still have a few months to adapt to the updated requirements. The main updates to the Safeguards Rule are analyzed section by section below.

Updated Definition of “Financial Institution” under GLBA

The updated Safeguards Rule expands the definition of "financial institution": besides institutions directly engaged in financial activities, it now covers entities engaged in activities "incidental" to such financial activities. This change brings "finders", companies that bring together buyers and sellers of a product or service, within the Rule's ambit. An entity is therefore subject to the Safeguards Rule if its business is engaging in an activity that is financial in nature or incidental to such financial activities, as described in section 4(k) of the Bank Holding Company Act.

GLBA compliance requirements are also relevant to educational institutions. In one of our previous articles, All You Need to Know About GLBA Compliance in Higher Education, we explored how higher education institutions should act to be GLBA compliant and what the specific peculiarities of such compliance are. Along with the wide range of businesses that now fall into the financial-institution category, the new Rule provides a partial exemption for those maintaining information on a limited number of consumers. Financial institutions that maintain customer information concerning fewer than 5,000 consumers are exempt from specific requirements: the written risk assessment, the annual written report to the board, continuous monitoring or periodic penetration testing and vulnerability assessments, and the written incident response plan.

GLBA Updates on the “Security Event” Requirements

It is hard to miss that the new Rule has become tougher on the "security events" that trigger internal reporting. It defines a security event as one "resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on such information system, or customer information held in physical form." Two formulations in this definition show that the Safeguards Rule updates focus on strengthening cybersecurity in the financial field. First, "disruption or misuse of" is broad and leaves room for interpretation. In practice, it sweeps in incidents that involve no unauthorized access at all but still threaten the integrity or availability of customer information, and that therefore must be handled and reported; ransomware, one of the top threats to organizations today, is an obvious example. Second, "customer information held in physical form" covers events affecting paper or hard-copy records, which must be protected just as much as information held electronically. With these formulations, the definition of "security event" is broader than the corresponding definitions in typical data breach notification laws.

To comply with the updates, financial institutions must have a written incident response plan that sets out how they respond to security events "materially affecting" the confidentiality, integrity, or availability of customer information in their control. The written reports to the board must also cover security events and management's responses to them.

New Requirements for the Information Security Program Coordination

The GLBA Safeguards Rule pays special attention to the organization's security program. Previously, the Rule allowed the program to be coordinated by one or more designated employees. The amended version, however, places this responsibility on a single "qualified individual." This requirement initially made businesses nervous, but the FTC's explanations settled the question. Recognizing that hiring a chief information security officer (CISO) may be an unbearable burden for small institutions, the Commission noted that the Rule prescribes no particular level of education, experience, or certification. Financial institutions may therefore designate any qualified individual appropriate for their business, whether an employee, an affiliate, or a service provider. Hiring a seasoned CISO is necessary only if the size or complexity of the organization's information systems requires such an expert. In addition to the direct security program obligations, the qualified individual must report in writing, at least annually, to the financial institution's board of directors or equivalent governing body.

Renewed Risk Assessment Requirements under GLBA

The risk assessment requirements have not gone unnoticed either. The GLBA Safeguards Rule has always required financial institutions to build their information security programs on the "identification and assessment of foreseeable risks to customer information." (The standard risk assessment process is described in detail in one of our previous articles, How to Conduct Risk Assessment?) In other words, organizations must carry out thorough risk assessments, and this has not changed since January 10, 2022. Some important updates were made, however. The current version of the Rule requires risk assessments to be in writing and to include several important elements. First, organizations must have criteria for evaluating and categorizing identified security risks or threats. Second, they must establish criteria for assessing the "confidentiality, integrity, and availability" of customer information and information systems, including the adequacy of existing controls. Finally, the assessment must describe how identified risks will be mitigated or accepted and how the information security program will address them. The assessment must also be periodically re-performed to re-examine risks. While risk assessments must address these requirements, each financial institution can tailor its assessments to its structure and needs.

Specific Measures under GLBA

The renewed Safeguards Rule expands the guidance on how to develop and implement an organization's information security program. Financial institutions must build a number of specific measures into their programs to control the risks identified through their assessments.

Enhanced Security Training and Personnel Requirements

The updated Safeguards Rule has also tightened the requirements for security awareness training. Training must be updated over time based on the results of the risk assessment or on changes in the financial institution's practices, so that personnel receive "security updates and training sufficient to address relevant security risks." Furthermore, the institution must verify that key information security personnel take steps to maintain current knowledge of changing threats and countermeasures. As with the information security program itself, the Rule requires that personnel in security functions be "qualified" while allowing flexibility and mandating no particular type of qualification.

Oversight of Service Providers

Earlier, the Rule only required financial institutions to take reasonable steps to select capable service providers and to require them by contract to maintain the security and confidentiality of customer information. The updated Rule adds a provision that requires financial institutions to periodically assess their service providers based on the risk they present and the adequacy of their safeguards. As a reminder of why overseeing third-party vendors is now an essential part of staying in business, read our articles "Supply Chain Attacks in Healthcare. The case of Shields, Eye Care Leader, and MCG Health" and "Supply Chain Attacks and Cybersecurity."

Summing up the recent GLBA Safeguards Rule updates: financial institutions should revisit a series of policies and procedures to comply. Although most new or amended provisions are not effective until December 9, 2022, covered businesses and affected entities should be proactive in implementing the significant operational requirements of the revised Safeguards Rule. Keep an eye on further legal updates, and feel free to contact Planet 9 if you have any questions. We will be happy to assist!
