The GLBA updates become effective in December. Make sure you’ve revised your policies and procedures to comply with new requirements.
On January 10, the Federal Trade Commission (FTC) issued a final rule, amending the GLBA’s Safeguards Rule. As a practical matter, the amendment requires financial institutions to revise a series of their policies and procedures, from risk assessments to vendor oversights.
The key updates of the GLBA Final Rule include:
Although the amended Safeguards Rule became effective on January 10, most new/amended provisions do not become effective until December 9, 2022. Thus, businesses have more than enough time to adapt to updated requirements.
The main updates to the GLBA Safeguards Rule are analyzed in detail below, so keep reading for more information on this cybersecurity topic.
The updated Safeguards Rule expands the definition of “financial institution,” and besides institutions that are directly engaged in financial activities, it now includes entities engaged in so-called “incidental” activities. This change brings “finders” — companies that bring together buyers and sellers of a product or service — within the rule’s ambit.
Thus, among others, entities are subject to the Safeguards Rule if they engage in the following:
GLBA compliance requirements are also relevant to educational institutions. In one of our previous articles, All You Need to Know About GLBA Compliance in Higher Education, we explored how higher education institutions should act to be GLBA compliant and what the specific peculiarities of such compliance are.
Along with the wide range of businesses falling under the “financial institution” category, the new Rule provides a partial exemption for those maintaining information on a limited number of consumers. Financial institutions that keep the customer information of fewer than 5,000 consumers are exempt from specific requirements. These include the obligation to conduct written risk assessments, annual board reporting, specific monitoring requirements, and a written incident response plan.
It is hard to miss that the new rule has become tougher when it comes to “security events” that trigger reporting. Notably, it defines these events as “resulting in unauthorized access to, or disruption/misuse of, an information system, information stored on such system, or customer information held in physical form.” This definition contains at least two formulations showing that the Safeguards Rule updates focus on strengthening cybersecurity within the financial field.
First, the formulation “disruption or misuse of” is broad and leaves space for interpretation. In practice, it sweeps in incidents that do not involve unauthorized access but still threaten the integrity of customer information and, thereby, require reporting. It is easy to guess that such a formulation would include ransomware, one of the top threats to organizations’ cybersecurity.
Second, the wording “information held in physical form” includes events affecting paper or hard-copy records, which are to be protected just as much as information held in electronic form.
With such formulations, the definition of “security event” is thus broader than the corresponding definitions under typical data breach notification laws. To comply with the updates and meet the incident reporting requirements, financial institutions must have a written incident response plan that includes steps to respond to security events “materially affecting” customer information. They must also include information about security events in internal reporting.
The GLBA Safeguards Rule pays special attention to the organization’s security program. Previously, the Rule allowed coordination of the program by one or more employees by designation. The amended version, however, lays this responsibility on the shoulders of a single “qualified individual.” Frankly speaking, this requirement has made businesses a little bit nervous. But with the FTC’s explanations, everything fell into place.
Understanding that hiring a chief information security officer (CISO) may be an unbearable burden for small institutions, the Commission noted that the rule prescribes no particular level of education, experience, or certification. Thus, financial institutions may designate any qualified individual appropriate for their business. Hiring a seasoned CISO may be necessary only if the complexity or size of the organization’s information systems requires the services of such an expert. In addition to the direct security program obligations, the “qualified individual” must report in writing to the board of directors of the financial institution.
The risk assessment requirements have not gone unnoticed either. The GLBA Safeguards Rule has always required financial institutions to build their information security programs based on the “identification and assessment of foreseeable risks to customer information.” (Note: the standard risk assessment process is described in detail in one of our previous articles, How to Conduct Risk Assessment?) In other words, organizations must carry out thorough risk assessments. This has not changed since January 10, 2022. However, some important updates were made.
Thus, the current version of the Rule requires risk assessments to be in writing and include several important benchmarks. First, organizations must have appropriate criteria to evaluate identified security risks. Second, it is necessary to establish criteria to assess the “confidentiality, integrity, and availability” of customer information and information systems. Finally, there must be requirements that describe how identified risks are accepted or mitigated. While risk assessments must address these requirements, each financial institution can tailor its assessments to its structures and needs.
The renewed Safeguards Rule expands guidance on how to develop and implement an organization’s information security program. Financial institutions must include many specific measures in their programs to control the risks identified through assessments. These measures include:
The updated Safeguards Rule has also tightened measures regarding security awareness training. It requires personnel training to be updated over time based on risk assessment information or on changes in the financial institution’s practices. Such a requirement ensures that personnel receive “security updates and training sufficient to address relevant security risks.” Furthermore, verification is necessary to prove that training requirements have been met. As with information security programs, the Rule requires that personnel in security functions be “qualified” while allowing flexibility and mandating no particular type of qualification.
Previously, financial institutions’ obligations toward service providers were limited to selecting appropriate ones and requiring them by contract to maintain security and confidentiality. The updated Rule also contains a provision that requires financial institutions to assess their service providers periodically.
To remind you why overseeing third-party vendors is now an essential component of business survival, read our articles “Supply Chain Attacks in Healthcare. The case of Shields, Eye Care Leader, and MCG Health” and “Supply Chain Attacks and Cybersecurity.”
Summing up the recent GLBA Safeguards Rule updates, financial institutions should reconsider a series of policies and procedures to comply. Although most new/amended provisions are not effective until December 9, 2022, covered businesses and affected entities should be proactive in implementing the significant operational requirements of the revised Safeguards Rule.
Keep up with recent legal updates, and feel free to contact Planet 9 if you have any questions. We’ll be happy to assist!