GLBA Proposed Amendments to Safeguards Rule
By: Orlando Santa Cruz and Angela Polania
In March 2019, the Federal Trade Commission (FTC) published a set of proposed amendments to the Standards for Safeguarding Customer Information under the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule.
The FTC’s proposed amendments to the Safeguards Rule would add more detailed requirements on how financial institutions must protect customer information. The proposed amendments are generally consistent with the insurance data security model law issued by the National Association of Insurance Commissioners (NAIC) and the New York Department of Financial Services (NYDFS) cybersecurity regulations.
Under the amendments, applicable financial institutions would be required to:
- Designate a single qualified individual to serve as the Chief Information Security Officer (CISO). The proposed amendment would no longer allow financial institutions to designate more than one employee to manage the information security program. The CISO can be an employee of an affiliate or a service provider rather than an employee of the financial institution. The financial institution would, however, still need to:
  - retain responsibility for compliance with the Rule;
  - designate a senior member of its personnel to be responsible for direction and oversight of the CISO; and
  - require the service provider or affiliate to maintain an information security program that protects the financial institution in accordance with the Rule.
- Conduct information security risk assessments. The risk assessments must be written in accordance with criteria for evaluating the individual risks the institution faces based on its particular information systems and the customer information it possesses. Additionally, the risk assessment must describe how the financial institution will mitigate or accept any identified risks and how the financial institution’s information security program will address those risks.
- Design and implement various elements within the information security program, including:
  - Access controls to authenticate authorized users of information systems.
  - Inventories of data, personnel, devices, systems, and facilities.
  - Access controls to restrict access to physical locations containing customer information.
  - Encryption of all customer information in transit and at rest.
  - Secure development practices for applications developed in-house and used for transmitting, accessing, or storing information.
  - Multi-factor authentication for any individual accessing customer information or internal networks that contain customer information.
  - Audit trails to detect and respond to security events.
  - Procedures for the secure disposal of customer information, in any format, that is no longer necessary for the institution’s business operations or other legitimate business purposes.
  - Change management procedures for additions, deletions, or modifications to the information systems.
  - Monitoring of authorized user activity and detection of unauthorized access to, use of, or tampering with customer information.
  - Security awareness training for all personnel who have the ability to handle, access, or dispose of customer information.
  - Reporting by the CISO, at least annually, to the institution’s Board or equivalent.
The development of the Safeguards Rule seems to reflect the best practices found in information security. Elevate’s IT Compliance and IT Security Consultants stay well versed on best practices and will continue to closely monitor the GLBA proposed amendments. Contact Elevate to learn more about how our GLBA Risk Assessment and Virtual CISO service can help your company.