Heads up financial institutions: the Federal Trade Commission (FTC) announced the first cybersecurity updates to the Gramm Leach-Bliley Act (GLBA) Safeguards Rule since 2003. The new rule strengthens the required security safeguards for customer information. This includes formal risk assessments, access controls, regular penetration testing and vulnerability scanning, and incident response capabilities, among other things.

Several of these changes go into effect in November 2022, to provide organizations time to prepare for compliance. Below, we’ll detail the changes in comparison to the previous rule.

Background on the Safeguards Rule

GLBA requires, among other things, a wide range of “financial institutions” to protect customer information. Enforcement for GLBA is split up among several different federal agencies, with FTC jurisdiction covering non-banking financial institutions in the Safeguards Rule. Previously, the Safeguards Rule left the implementation details of several aspects of the information security program up to the financial institution, based on its risk assessment.

The Safeguards Rule broad definition of “financial institutions” includes non-bank businesses that offer financial products or services — such as retailers, automobile dealers, mortgage brokers, non-bank lenders, property appraisers, tax preparers, and others. The definition of “customer information” is also broad, to include any record containing non-public personally identifiable information about a customer that is handled or maintained by or on behalf of a financial institution.

Updates to the Safeguards Rule

Many of the other updates concern strengthened requirements on how financial institutions must implement aspects of their security programs. Below is a short summary of the changes. Where applicable, we include citations to both the updated rule (starting at page 123) and the previous rule (at 16 USC 314) for easy comparison.

Overall security program

  • Current rule: Financial institutions must maintain a comprehensive, written information security program with administrative, technical, and physical safeguards to ensure the security, confidentiality, and integrity of customer information. 16 USC 314.3(a)-(b).
  • Updated rule: The updated rule now requires the information security program to include the processes and safeguards listed below (i.e., risk assessment, security safeguards, etc.). 16 USC 314.3(a).
  • Approx. effective date: November 2022

Risk assessment

  • Current rule: Financial institutions are required to identify internal and external risks to security, confidentiality, and integrity of customer information. The risk assessment must include employee training, risks to information systems, and detecting and responding to security incidents and events. 16 USC 314.4(b).
  • Updated rule: The update includes more specific criteria for what the risk assessment must include. This includes criteria for evaluating and categorizing of security risks and threats, and criteria for assessing the adequacy of security safeguards. The risk assessment must describe how identified risks will be mitigated or accepted. The risk assessment must be in writing. 16 USC 314.4(b).
  • Approx. effective date: November 2022

Security safeguards

  • Current rule: Financial institutions must implement safeguards to control the risks identified through the risk assessment. 16 USC 314.4(c). Financial institutions must require service providers to maintain safeguards to protect customer information. 16 USC 314.4(d).
  • Updated rule: The updated rule requires that the safeguards must include
    - Access controls, including providing the least privilege;
    - Inventory and classification of data, devices, and systems;
    - Encryption of customer information at rest and in transit over internal networks;
    - Secure development practices for in-house software and applications;
    - Multi-factor authentication;
    - Secure data disposal;
    - Change management procedures; and
    - Monitoring activity of unauthorized users and detecting unauthorized access or use of customer information. 16 USC 314.4(c)(1)-(8).
  • Approx. effective date: November 2022

Testing and evaluation

  • Current rule: Financial institutions must regularly test or monitor the effectiveness of the security safeguards, and make adjustments based on the testing. 16 USC 314.4(c), (e).
  • Updated rule: Regular testing of safeguards must now include either continuous monitoring or periodic penetration testing (annually) and vulnerability assessments (semi-annually). 16 USC 314.4(d).
  • Approx. effective date: November 2022

Incident response

  • Current rule: Financial institutions must include cybersecurity incident detection and response in their risk assessments, and have safeguards to address those risks. 16 USC 314.4(b)(3)-(c).
  • Updated rule: Financial institutions are required to establish a written plan for responding to any security event materially affecting confidentiality, integrity, or availability of customer information. 16 USC 314.4(h).
  • Approx. effective date: November 2022

Workforce and personnel

  • Current rule: Financial institutions must designate an employee to coordinate the information security program. 16 USC 314.4(a). Financial institutions must select service providers that can maintain security and require service providers to implement the safeguards. 16 USC 314.4(d).
  • Updated rule: The rule now requires designation of a single “qualified individual” to be responsible for the security program. This can be a third-party contractor. 16 USC 314.4(a). Financial institutions must now provide security awareness training and updates to personnel. 16 USC 314.4(e). The rule now also requires periodic reports to a Board of Directors or governing body regarding all material matters related to the information security program. 16 USC 314.4(i).
  • Approx. effective date: November 2022

Scope of coverage

  • Updated rule: The FTC update expands on the definition of “financial institution” to require “finders” — companies that bring together buyers and sellers — to follow the Safeguards Rule. 16 USC 314.2(h)(1). However, financial institutions that maintain information on fewer than 5,000 consumers are exempt from the requirements of a written risk assessment, continuous monitoring or periodic pentesting and/or vulnerability scans, incident response plan, and annual reporting to the Board. 16 USC 314.6.
  • Approx. effective date: November 2021 (unlike many of the other updates, this item is not delayed for a year)

Incident reporting next?

In addition to the above, the FTC is also considering requirements that financial institutions report cybersecurity incidents and events to the FTC. Similar requirements are in place under the Cybersecurity Regulation at the New York Department of Financial Services. If the FTC moves forward with these incident reporting requirements, financial institutions could expect the requirements to be implemented later in 2022 or early 2023.

Financial institutions with robust security programs will already be performing many of these practices. For them, the updated Safeguards Rule will not represent a sea change in internal security operations. However, by making these security practices a formal regulatory requirement, the updated Safeguards will make accountability and compliance even more important.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.