Update to GLBA safeguards rule: What you need to know

Financial institutions are at the forefront of cybersecurity challenges due to the sensitive nature of the data they handle. As the frequency and sophistication of cyberattacks increase, so does the need for robust regulatory safeguards, requiring organizations to bolster their information security program. One critical regulation that has been the focus of recent attention is the Gramm-Leach-Bliley Act (GLBA), a law designed to protect consumer financial information held by financial institutions.

We’ll cover why GLBA matters and walk through what recent amendments to the Safeguards Rule could mean for your organization.

The Gramm-Leach-Bliley Act (GLBA): A brief overview

Enacted in 1999, the Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act, is a U.S. federal law that imposes several requirements on financial institutions, including requirements for their information systems.

At its core, the GLBA requires these institutions to communicate their information-sharing practices to their customers clearly and implement measures to protect sensitive data.

This law applies to banks and all companies that offer consumer financial products or services like loans, financial or investment advice, or insurance.

It reinforces the need for financial institutions to maintain a comprehensive information security program, including security awareness training and the other measures enforced under the GLBA Safeguards Rule.

Diving deeper into the GLBA’s three pillars

The GLBA is framed within three sections, each of which plays a vital role in the overall architecture of the Act:

  1. The Financial Privacy Rule: Stipulates how financial institutions collect and disclose private financial information. It puts in place measures to ensure that consumers can opt out if they do not want their information shared with certain third parties.
  2. The Safeguards Rule: Mandates that a financial institution design and implement information security programs to protect customer information. It focuses on risk assessment, management, and control, ensuring customer information is kept secure throughout its lifecycle. Risk assessments are a critical component of a healthy cybersecurity strategy. Organizations need to have a written incident response plan detailing how they will respond to and recover from a cybersecurity breach.
  3. The Pretexting Provisions: These provisions make it illegal to access private information using false pretenses, a practice known as pretexting. This section of the GLBA is designed to deter and penalize those who attempt to defraud or deceive financial institutions to gain access to customer information.

Recent amendments to the GLBA

Given the expanded scope of cyber threats, the GLBA’s Safeguards Rule has recently been updated to strengthen financial institutions’ privacy and security requirements. Announced by the Federal Trade Commission (FTC) in the last quarter of 2021, these changes aim to align the GLBA with more rigorous security frameworks that require financial institutions to have even tighter controls and swifter responses.

Safeguards Rule updates

  • Access controls: The amended rule calls for a periodic review of access controls, both technical and physical, that limit access to authorized users and restrict it to the customer information they need.
  • Multi-factor authentication (MFA): The updated Safeguards Rule necessitates the implementation of MFA to access any information system or the introduction of other equivalent or stronger controls to address relevant security risks.
  • Data and systems inventory: Financial institutions are now required to maintain an up-to-date inventory of data, the systems where it is collected, stored, or transmitted, and an understanding of the relevant portions of applicable systems and their importance.
  • Encryption: The revised rule mandates the encryption of all customer information, both in transit and at rest, to ensure that data remains secure throughout its lifecycle.
  • Secure applications: The updated rule also requires the adoption of secure development practices for applications developed in-house and mandates the assessment of externally developed applications to ensure they meet security standards.

Risk assessment

The revised rule introduces a more stringent definition of a risk assessment, including standards for evaluating and categorizing security threats and risks, plus assessing the adequacy of security safeguards. The risk assessment needs to elaborate on how the identified risks will be mitigated or accepted and must be documented in writing.

Incident response plan

Financial institutions must now establish a documented plan for responding to any security event affecting customer data’s confidentiality, integrity, or availability.

Workforce and personnel

The updated rule requires the designation of a qualified individual to be responsible for the security program, which can include third-party service providers. Institutions must now provide security awareness training and updates to staff. The rule also mandates periodic reports to a Board of Directors or governing body regarding all material matters related to the information security program.

Testing and evaluation

Safeguards must now be tested regularly, through either continuous monitoring or annual penetration testing and semi-annual vulnerability assessments.

The real-world risks of non-compliance

Non-compliance with GLBA can lead to substantial fines and reputational damage. Regulatory bodies have been known to impose hefty penalties on institutions that fail to comply with the GLBA’s requirements. Beyond the financial loss, non-compliance can also lead to a loss of trust among customers, which can be even more detrimental in the long run.

The GLBA can impose significant penalties:

  • Financial institutions can be fined up to $100,000 for each violation.
  • Officers and directors of financial institutions can be fined up to $10,000 for each violation.
  • The institution and individuals may also face imprisonment for up to five years.
  • Additional penalties may be imposed by states, with financial institutions liable for up to $5,000 per violation, and individuals liable for up to $5,000 per violation and imprisonment for up to one year.

The crucial role of passwords in GLBA compliance

While the GLBA does not prescribe specific technologies a business has to use, it does state that financial institutions must take steps to safeguard their customers’ data. Securing the traditional username and password combination is a key part of this – institutions covered by the Act need to adhere to contemporary best practices for authenticating access to personal data.

A key player offering guidance around passwords and information security is the National Institute of Standards and Technology (NIST). NIST’s Special Publication 800-63-3B includes several important recommendations for password security:

  • It advises against character composition rules, as they are deemed an unnecessary burden for end-users.
  • It recommends changing passwords only if there is evidence of compromise.
  • It suggests screening new passwords against a list of known compromised passwords.

Following these guidelines can help financial institutions create stronger password policies and meet the spirit of GLBA compliance.
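The three NIST recommendations above, implemented as a password check (an added example, not code from NIST or Specops). The blocklist entries are constructed samples, the function names are hypothetical, and the 8-character minimum and Unicode normalization follow NIST SP 800-63B.

```python
import hashlib
import unicodedata
from dataclasses import dataclass

MIN_LENGTH = 8  # SP 800-63B floor for user-chosen passwords

def _digest(password):
    # Normalize first so visually identical Unicode inputs hash the same.
    # SHA-1 is used only as a blocklist lookup key, not for password storage.
    norm = unicodedata.normalize("NFKC", password)
    return hashlib.sha1(norm.encode("utf-8")).hexdigest()

# Constructed sample blocklist; a real deployment loads a breach corpus.
BREACHED_SHA1 = {_digest(p) for p in ("password", "Summer2023!", "qwerty123")}

@dataclass
class Verdict:
    accepted: bool
    reasons: list

def is_breached(password, blocklist=BREACHED_SHA1):
    return _digest(password) in blocklist

def check_new_password(password, blocklist=BREACHED_SHA1):
    """Length and blocklist only; deliberately no character-composition rules."""
    reasons = []
    if len(unicodedata.normalize("NFKC", password)) < MIN_LENGTH:
        reasons.append("too_short")
    if is_breached(password, blocklist):
        reasons.append("known_compromised")
    return Verdict(accepted=not reasons, reasons=reasons)

def must_change(current_password, blocklist=BREACHED_SHA1,
                compromise_reported=False):
    """Force a change only on evidence of compromise, never on password age.
    Intended to run at login, when the plaintext is briefly available."""
    return compromise_reported or is_breached(current_password, blocklist)

if __name__ == "__main__":
    # Passes classic complexity rules, yet is rejected as compromised.
    print(check_new_password("Summer2023!"))
    # All lowercase with spaces, yet accepted: long and not on the blocklist.
    print(check_new_password("correct horse battery staple"))
```
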

GLBA Safeguards Rule update: Key points to keep in mind

1. What implications do the changes in the Safeguards Rule have for data security in financial institutions?

The updated Safeguards Rule has a profound impact on the data security practices of financial institutions. It introduces stringent security frameworks such as multi-factor authentication, encryption of customer information, and maintaining an up-to-date data inventory. These changes heighten the focus on safeguarding customer information and adapting to evolving cyber threats.

2. How does the GLBA’s amended Safeguards Rule affect ‘finders’ in financial markets?

The updated rule expands the definition of ‘financial institution’ to include ‘finders,’ which are companies that connect buyers and sellers in financial markets. This means that ‘finders’ are now required to adhere to the Safeguards Rule, significantly impacting their handling of customer data and their overall operational processes.

3. How can a strong password policy assist financial institutions in achieving compliance with the updated GLBA requirements?

Organizations can use software with password management and compliance features that align with the GLBA requirements and the recommended best practices from bodies like the National Institute of Standards and Technology (NIST). These features include real-time breached password checks and proactive password security measures that can significantly enhance a financial institution’s data security strategy and contribute to GLBA compliance.

Boost your cybersecurity with Specops Password Policy

As an organization, adhering to best practices and regulatory requirements can be challenging, especially when using tools that lack the necessary functionality. For instance, many organizations today use Microsoft’s Active Directory as their identity and access management solution.

However, Active Directory does not have native functionality to provide robust features such as breached password protection. The example below shows a Windows Server 2022 domain controller and the still-archaic password policies it contains by default.

Default password policies in Windows Server Group Policy

This is where Specops Password Policy steps in. This solution enhances Active Directory with robust controls over password settings. It includes a real-time breached password check that prevents users from selecting compromised passwords.

Specops offers Breached Password Protection helping to bolster GLBA

Financial institutions must take all necessary steps to protect customer information, and robust password policies are a critical aspect of this protection. Strengthening password security is an essential step towards enhancing your overall security posture and protecting the sensitive financial data of your customers. Using Specops Password Policy, organizations can significantly increase their password security and proactively protect sensitive customer information.

Try Specops Password Policy for free to strengthen your organization’s password security and help meet GLBA compliance.

(Last updated on July 19, 2023)

Written by

Marcus White

Marcus is a Specops cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.