GLBA Risk Assessments
When non-compliance is not an option.
In October 2021, the Federal Trade Commission (FTC) issued guidance on the Standards for Safeguarding Customer Information (the "Safeguards Rule"), which affects GLBA Risk Assessments. To read more about these changes, refer to our blog post "Is your Financial Institution aware of the FTC's Final Rule Implemented in January 2022?"
Simply put, section 501(b) of the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.
Financial institutions are categorized as companies that offer consumers financial products or services like loans, financial or investment advice, or insurance.
Additionally, the Federal Trade Commission (FTC) considers most institutions that participate in the Department of Education's student financial assistance programs to be "financial institutions" that must also comply with the GLBA. These institutions must protect student information, specifically information provided to them by the Department of Education or obtained through the Department of Education's student financial assistance programs.
Non-compliance with GLBA can result in a variety of fines and up to five years of imprisonment for each violation, not to mention the reputational risk to the financial institution from negative press and media attention.
Elevate's IT Compliance and IT Security Consultants stay continuously up to date on the guidance from the Federal Financial Institutions Examination Council (FFIEC) and the accompanying enforcement agencies (e.g. FDIC, Federal Reserve, FTC, OCC).
Our GLBA 501(b) compliance services include:
- Ensure your workforce and board of directors are aware of their responsibilities towards compliance.
Elevate's methodology for the GLBA Risk Assessment is based on a phased approach with the following steps:
- Asset Inventory: Elevate works with our clients to document the inventory and classification of assets, ensuring that mission-critical assets are evaluated and classified.
- Threat Analysis: Elevate works with our clients to ensure that existing and emerging threats, system vulnerabilities, and the existing controls that reduce risk are identified for the information assets in scope. The likelihood of occurrence, the severity of impact, and the resulting risk level are then evaluated.
- Controls/Safeguard Analysis: During this phase, Elevate evaluates the controls our financial services clients have implemented to reduce risks to an acceptable level. Elevate reviews the sufficiency of the implemented controls, and it is during this phase that recommendations to mitigate the identified remaining risks are developed.
- Reporting and Recommendations: Elevate provides actionable recommendations and the required elements of reporting towards GLBA compliance.
GLBA Proposed Amendments to Safeguards Rule
In March 2019, the Federal Trade Commission (FTC) published a set of proposed amendments to the Standards for Safeguarding Customer Information under the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule.
The FTC's proposed amendments to the Safeguards Rule would add more detailed requirements on how financial institutions must protect customer information. The proposed amendments are generally consistent with the Insurance Data Security Model Law issued by the National Association of Insurance Commissioners (NAIC) and with the New York Department of Financial Services (NYDFS) cybersecurity regulations.
Under the amendments, applicable financial institutions would be required to:
Designate a single qualified individual to serve as the Chief Information Security Officer (CISO):
The proposed amendment would no longer allow financial institutions to designate more than one employee to manage the information security program. The CISO may be an employee of an affiliate or a service provider rather than an employee of the financial institution. The financial institution would, however, still need to:
- retain responsibility for compliance with the Rule;
- designate a senior member of its personnel to be responsible for direction and oversight of the CISO; and
- require the service provider or affiliate to maintain an information security program that protects the financial institution in accordance with the Rule.
Conduct information security risk assessments:
The risk assessments must be written in accordance with criteria for evaluating the individual risks the institution faces, based on its particular information systems and the customer information it possesses. Additionally, the risk assessment must describe how the financial institution will mitigate or accept any identified risks and how the financial institution's information security program will address those risks.
Design and implement various elements within the information security program, including:
- Access controls to authenticate authorized users of information systems.
- Inventories of data, personnel, devices, systems, and facilities.
- Access controls to restrict access to physical locations containing customer information.
- Encryption of all customer information in transit and at rest.
- Secure development practices for applications developed in-house and used for transmitting, accessing, or storing information.
- Multi-factor authentication for any individual accessing customer information or internal networks that contain customer information.
- Audit trails to detect and respond to security events.
- Procedures for the secure disposal of customer information, in any format, that is no longer necessary for business operations or other legitimate business purposes.
- Change management procedures for additions, deletions, or modifications to the information systems.
- Monitoring of authorized user activity and detection of unauthorized access to, use of, or tampering with customer information.
- Security awareness training for all personnel who are able to handle, access, or dispose of customer information.
- Reporting by the CISO, at least annually, to the institution’s Board or equivalent.
The development of the Safeguards Rule reflects established information security best practices. Elevate's IT Compliance and IT Security Consultants stay well versed in these best practices and will continue to closely monitor the GLBA proposed amendments. Contact Elevate to learn more about how our GLBA Risk Assessment and Virtual CISO services can help your company.