Updates to GLBA’s Standards for Safeguarding Information

By Pawel Wilczynski June 10, 2023

What is GLBA?

The Gramm-Leach-Bliley Act (GLBA) is one of the most mature regulations in financial services. Originating in 1999, with multiple updates over the last two decades, it set the foundation for data protection obligations. GLBA established oversight of the regulation by the financial services regulators for banking entities and the Federal Trade Commission (FTC) for “non-banks.”

GLBA consists of three separate sections that financial institutions should pay attention to:

• The Financial Privacy Rule – Regulates the collection and disclosure of private financial information
• The Safeguards Rule – Stipulates that financial institutions must implement security programs to protect such information
• The Pretexting Provisions – Prohibits the practice of pretexting (accessing private information using false pretenses)

Why is everyone talking about this now?

The FTC finalized updates to GLBA’s Standards for Safeguarding Information, which became effective January 10, 2022. The most significant changes to the rule do not become effective until June 9th, 2023, the deadline was extended by six months from the original date, December 9th, 2022. As of December, organizations that are impacted have about six months to get the newest set of requirements analyzed and processes implemented.

Is my business considered a financial institution under GLBA?

The updated GLBA rule clarified the types of services that fall under the non-bank scope in GLBA. The types of businesses impacted are based on their business model and how they may be offering or enabling a financial product or service to a consumer for personal, family or household purposes. Examples of these types of products or services include but are not limited to bank-related banking services:

• A retailer that extends credit by issuing its own credit card directly to consumers
• An automobile dealership that, as a usual part of its business, leases automobiles on a non-operating basis for longer than 90 days
• A personal property or real estate appraiser
• An entity that provides real estate settlement services
• A mortgage broker
• A business that prints and sells checks for consumers, either as its sole business or as one of its product lines
• A business that regularly wires money to and from consumers
• A check cashing business
• An accountant or other tax preparation service business
• A business that operates a travel agency in connection with financial services
• An investment advisory company and a credit counseling service company
• A company acting as a finder in bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate

Additionally, based on related guidance from the Department of Education, all Title IV higher education institutions whether public, private non-profit, or for-profit must comply with GLBA cybersecurity requirements as a condition of participation in Title IV funding.

What are the new requirements?

To the traditional banking sector, most of the requirements issued are not new. The FTC modeled its updated guidance to bring the non-bank sector obligations into alignment with the banking sector. However, if your company has not been considered a financial institution, until GLBA expanded the definition of the financial institution, take note of the below listed requirements as specified § 314.4.

1. Comprehensive Information Security Program based on a [written] risk assessment

New requirements are driving greater accountability for the information security program. Qualified individuals must conduct a written risk assessment and provide periodic reports to the organization’s board of directors or similar governing body. The primary purposes of an Information Security Program are to ensure the security and confidentiality of customer data, and protect against any anticipated threats or hazards.

2. Periodic assessments of third parties that are involved in delivering the services

The updated rule requires periodic assessments of third parties that are involved in delivering the services. Third Party Risk Management (TPRM) programs, due diligence standards and vendor classification structures should be reviewed to address the expanded technical controls.

3. Establish a written incident response plan

Establish a written incident response plan that outlines how you would respond to, and recover from, any security event affecting the confidentiality, integrity, or availability of customer information in your organization’s systems.

4. Perform annual penetration testing

Organizations must perform an annual penetration test of the company’s relevant information systems, with the scope determined each given year based on relevant identified risks in accordance with the risk assessment.

5. Design and implement safeguards to control the risks identified through risk assessment

Access controls are designed to protect against the unauthorized acquisition of customer information, and to ensure that only authorized users have access to customer data. These controls include technical and, as appropriate, physical controls to authenticate and permit access only to authorized users.

Some of the specified controls:

• Protect all customer information via encryption
• Implement and periodically review access controls
• Implement multi-factor authentication
• Monitor and log the activity of authorized users
• Adopt secure development practices for in-house developed applications
• Perform secure disposal of customer information
• Periodically review data retention policies

6. Require a Qualified Individual to report in writing, regularly and at least annually, to board of directors or equivalent governing body

New requirements require the designation of a qualified individual to be accountable for the program. Companies must designate a Qualified Individual responsible for overseeing and implementing their information security program. The Qualified Individual may be employed by you, an affiliate, or a service provider. You must also require the service provider or affiliate to maintain an information security system that protects you in accordance with this part.

What are the exceptions?

Financial institutions that maintain customer information concerning fewer than five thousand consumers do not have to comply with some sections of the act. Specifically, those companies do not have to conduct risk assessments, penetration tests, and vulnerability assessments. Additionally, their Qualified Individuals do not need to report to the board of directors or equivalent governing body.

Conclusion

The updated Gramm-Leach-Bliley Act introduces a number of new requirements that apply to a larger subset of businesses that are included in the newly expanded definition of a financial institution. Entities impacted by the legislation will need to ramp up their cybersecurity measures in order to meet the June 9, 2023 deadline. The good news is that GLBA updated its requirements to keep up with the current technological advances, the threat landscape and other cybersecurity regulations, such as the New York DFS Cybersecurity Regulation. Together, these regulations cover an increased number of businesses, including medium size businesses, increasing overall information security maturity across an increased number of industry verticals.

How (can you get help)?

Chances are that your company has some measures in place to safeguard customer personal information. Companies can conduct GLBA readiness assessments using internal staff or a trusted partner or choose a hybrid model where they would hire a trusted vendor, but utilize their internal staff to leverage their knowledge and experience.

For more information, please contact Pawel Wilczynski, or your BNN advisor.