What You Should Know About the FTC Updates to the GLBA Standards for Safeguarding Customer Information Rule

This blog was authored by my colleague Barbie Housewright, Manager – Cybersecurity.

Amendments to the Standards for Safeguarding Customer Information (Safeguards Rule) incorporate five key compliance changes for financial institutions. The new Rule provides additional detail to existing information security program criteria, increases accountability for program reporting, expands upon the definition of a financial institution, incorporates additional terminology definitions, and offers an exemption for smaller institutions.

Financial institutions maintaining fewer than five thousand consumers are exempt from the new standards; however, with an applicability date of January 10, 2022, and some requirements effective December 9, 2022, many institutions find themselves evaluating their information security programs and pursuing compliance resources and assistance.

Information Security Program

The new rule may require institutions to expand their information security program to incorporate the required elements specifically identified in the amendment. The goal of the information security program, as defined in the Rule, is to protect customer information from unauthorized disclosure, misuse, alteration, destruction, or compromise.

Elements

Qualified Individual

While the rule does not prohibit the delegation of tasks and responsibilities to multiple individuals, the amendment does require the appointment of a single Qualified Individual responsible for program oversight, implementation, and enforcement. The designated individual should hold qualifications appropriate to the size and complexity of the institution’s information systems. It is incumbent upon the institution to evaluate its information security needs and appoint an appropriately qualified individual.

A Qualified Individual may be an employee of the institution, an affiliate, or a third-party provider. When an outsourced individual is engaged, the institution retains responsibility for compliance and must designate a member of senior management to ensure the Qualified Individual maintains an information security program that meets the requirements of the Safeguards Rule.

Risk Assessment

A risk assessment is foundational to the development of a comprehensive information security program. The assessment should ascertain reasonably foreseeable internal and external security risks to the confidentiality, integrity, and availability of sensitive information. The risk assessment should also appraise the safeguards in place to control identified risks. The new rule adds an element of formality not previously present. The risk assessment must be documented and must meet defined methodology criteria. Periodic reexamination is also required, and annual minimum frequency is typically recommended. In addition, the new rule calls out key criteria that should be incorporated into the risk assessment and program including:

  • Business asset management standards and practices
  • Encryption of customer information
  • Secure development standards and practices
  • Multi-factor authentication
  • Secure disposal standards and practices
  • Change management standards and practices
  • Monitoring and logging standards and practices
  • Segregation of duties

Controls

The implementation of controls to diminish the risks identified in the risk assessment process is the next phase in the program development methodology. Some of the controls present in the Safeguards Rule prior to amendment included both technical and physical controls for protecting against unauthorized access to customer information, as well as the regular testing and monitoring of the effectiveness of key controls. The new rule further details the necessity for real-time, continuous monitoring. In the absence of continuous monitoring, annual penetration testing and bi-annual vulnerability assessments can provide a compensating control. The rule further requires more frequent vulnerability assessment in systems with an elevated risk of new vulnerabilities. Compensating controls must be reviewed and approved by the Qualified Individual.

Training

Ensuring institution staff and third-party providers are equipped to carry out the security standards and procedures necessitates a strong security awareness training program. In addition, it is critical to ensure security personnel are qualified to manage security risks and administer the information security program. Key information security personnel must receive continuous training to maintain awareness of changing threats and controls. The amendment incorporates a requirement that training be relevant and comprehensive to address identified security risks.

Third Party Risk Management

Previously, the Safeguards Rule required an assessment of service providers’ safeguards only at the onboarding stage. The new language expressly imposes requirements for the ongoing monitoring of service providers to ensure safeguards are adequate to protect customer information they access or possess.

Incident Response

The Commission believes that the creation of an incident response plan helps an institution to focus on prompt and appropriate response to security events, and on mitigation of weaknesses in its information systems. The new rule defines requirements for an effective incident response plan. These requirements include formal incident response planning and a documented plan for responding to and recovering from any security event that has a material impact. The documented plan should establish response goals, recovery processes, and roles, responsibilities, and decision-making authority within the institution. The plan should be regularly tested, followed by remediation of identified weaknesses. Resources should be developed for formal reporting of security events and associated response activities. Finally, the plan should be updated with lessons learned from tests and actual events to better prepare the institution for similar events.

Annual Report

The final update to the Safeguards Rule is the requirement for the Qualified Individual to develop and deliver a written report on the status of the program. The report should provide a record of the basis of decisions made, to support future decision-making. The report must contain an overall status and any material matters related to the information security program. This amendment is intended to ensure the Board of Directors or equivalent governing body is engaged and aware of the information security program. This requirement also ensures the Qualified Individual is accountable for the program.

How can CLA help?

Analyzing your information security program for compliance and implementing the requisite changes prior to the December 2022 deadline may seem complex and laborious. CLA’s Outsourced Information Security Advisors can help you evaluate and enhance your program in preparation for the applicability date. Our advisors are not only knowledgeable, but also experienced in information security and financial industry compliance, and equipped with resources to aid in developing your program in a comprehensive, yet efficient manner.

  • 410-308-8153

Brittany has more than twelve years of experience and specializes in providing audit and accounting services to financial institutions. In addition to planning, managing, and performing financial statement audits for institutions ranging in total assets from $10 million to $50 billion, she has performed engagements designed to test the adequacy of loan documentation and reserves, adherence to internal control policies, outsourced internal audit, and consulting engagements for various compliance requirements.
