WHAT IS THIS? A reminder to higher education and financial institutions subject to the Gramm-Leach-Bliley Act (GLBA): the deadline to comply with the FTC's revised Standards for Safeguarding Customer Information, aka "The Safeguards Rule," is here. Covered institutions must meet the GLBA Compliance Safeguards Deadline by June 9, 2023.
The revised rule expanded the definition of "financial institution" to cover entities engaged in activities that are incidental to financial activities, including "finders," i.e. companies that bring together buyers and sellers of products and services. The revised rule is more onerous than the original and looks almost identical to the NYDFS Cybersecurity Regulation. For a list of the types of companies that must comply, view them here.
News on the Safeguards Rule
In December 2021, the FTC broadened the Safeguards Rule by creating more detailed requirements. They include:
- Designate a "qualified individual" to oversee the financial institution's information security program;
- Develop a written cyber risk assessment and incident response plan;
- Provide written reports to the institution’s board of directors (or other governing body) about the overall status of the information security program and compliance with the Safeguards Rule;
- Encrypt customer information in transit and at rest (or use alternative compensating controls where encryption is infeasible);
- Implement multifactor authentication (MFA) for all individuals who access systems that process customer information or that are connected to systems that process customer information;
- Adopt secure development practices for in-house developed software and processes for assessing the security of externally developed applications;
- Regularly test the security program, including through continuous monitoring measures such as penetration testing and vulnerability assessments; and
- Oversee service providers, including by periodically assessing service providers’ security practices.
The requirements took effect in January 2022; however, the FTC extended the GLBA Compliance Safeguards Deadline until June 9, 2023.
Complying with the Safeguards Rule: 3 High Priority Actions
For many covered financial institutions, compliance with the Safeguards Rule may require significant planning, stakeholder engagement, implementation, change management, and documentation. For institutions still working to bring their security programs into compliance with the rule, we recommend the five priority actions listed below. While these actions are by no means comprehensive, they address foundational Safeguards Rule requirements and can be built on to address the remainder of the rule over time.
Appoint a Qualified Individual
The Safeguards Rule (both the original and the new version) requires institutions to "designate a qualified individual responsible for overseeing and implementing your information security program and enforcing your information security program." The qualified individual can be an employee of the institution, its affiliate, or a service provider (e.g., TEKRiSQ). In many cases, the institution's qualified individual will be its chief information security officer, chief compliance officer, or someone in a similar role. Many businesses do not have in-house cybersecurity staff and therefore may seek to outsource this role. The qualified individual should have the appropriate experience and authority to oversee the institution's security program. They must make necessary changes to that program and report candidly to the board of directors or other governing body about the institution's security compliance and risks. An information security program must include technical safeguards and measures, but also administrative and physical ones. Qualified individuals must have broad visibility into and influence over activities across the company. This can be achieved through an annual NIST-based cyber risk assessment.
Conduct a Cyber Risk Assessment
With a qualified individual in place, the Safeguards Rule dictates that you must conduct a periodic risk assessment. These assessments help demonstrate the sufficiency of the information security program and/or outline recommendations. The rule expressly requires businesses to run their information security programs based on the recommendations of risk assessments and to implement security safeguards to remediate the risks those assessments identify.
Recent fines highlight the importance of conducting a risk assessment. In May 2023, the New York Department of Financial Services (NYDFS) fined bitFlyer USA $1.2M for, among other things, failing to conduct a risk assessment under the NYDFS Cybersecurity Regulation. NYDFS found that although bitFlyer USA had conducted an IT audit of its systems, that audit did not give the company insight into its security risks or how to mitigate them. Accordingly, the company failed both to conduct a compliant risk assessment and to base its security safeguards on that assessment. The FTC expressly modeled the new Safeguards Rule after the NYDFS Cybersecurity Regulation, so the NYDFS action against bitFlyer USA should be a precedent for future FTC actions enforcing the Safeguards Rule's risk assessment requirements.
Deploy Security Safeguards
Once a risk assessment is complete, businesses should deploy the specific safeguards recommended for compliance, including:
- Access Controls: password management, DNS blocking and filtering, etc.
- Encryption Methods: both in transit and at rest (or other methods if encryption is infeasible)
- MFA: multifactor authentication for accessing customer information and related systems
- Backup: data retention and disposal, often encompassing a suitable, tested backup strategy
- Activity Monitoring and Logging: often involving the management of endpoints
Other Tips: Triage Third-Party Risks
Third-party cybersecurity risk has been a major area of focus for federal and state regulators. The Safeguards Rule covers two types of third-party risk: first, risk arising from service provider relationships, and second, risk arising from software supply chains. To address service provider risk, the Safeguards Rule requires financial institutions to take a three-pronged approach. Institutions must oversee service providers by vetting their security practices up front, requiring them by contract to maintain security safeguards, and periodically reassessing their security compliance and practices.
Establish Processes to Monitor Effectiveness
The Safeguards Rule requires businesses to "regularly test or otherwise monitor the effectiveness of" their security safeguards. For monitoring information systems, the Safeguards Rule provides a choice: institutions shall either conduct "continuous monitoring" or undergo penetration testing annually. The FTC also suggests performing vulnerability assessments at least every six months. The FTC described "continuous monitoring" in its proposal to adopt the new Safeguards Rule as "any system that allows real-time, ongoing monitoring of an information system's security, including monitoring for security threats, misconfigured systems, and other vulnerabilities."
Time to Get Moving!
With under a month left before the GLBA Compliance Safeguards Deadline, when the full Safeguards Rule goes into effect, you need to get busy now with compliance. Let TEKRiSQ help you comply in 30 minutes.