
GLBA Compliance Deadline: June 9th, 2023

May 22, 2023

What Is This?

A reminder to higher education and financial institutions subject to the Gramm-Leach-Bliley Act (GLBA): the deadline to comply with the FTC’s revised Standards for Safeguarding Customer Information, aka “The Safeguards Rule,” is here. Covered institutions must comply with the GLBA Compliance Safeguards Deadline by June 9, 2023.

This revised rule expanded the definition of “financial institution” to cover entities engaged in activities that are incidental to financial activities, including “finders” – companies that bring together buyers and sellers of products and services. This revised rule is more onerous and looks almost identical to the NYDFS Cybersecurity Regulation. For a list of those types of companies that must comply, view them here.

News on the Safeguards Rule

In December 2021, the FTC broadened the Safeguards Rule by creating more detailed requirements. They include:

  • Designate a “qualified individual” to oversee a financial institution’s information security program and have the qualified individual provide written reports to the institution’s board of directors (or other governing body) about the overall status of the information security program and compliance with the Safeguards Rule;
  • Develop a written cyber risk assessment and incident response plan;
  • Provide written reports to the institution’s board of directors (or other governing body) about the overall status of the information security program and compliance with the Safeguards Rule;
  • Encrypt customer information in transit and at rest (or use alternative compensation controls where encryption is infeasible);
  • Implement multifactor authentication (MFA) for all individuals who access systems that process customer information or that are connected to systems that process customer information;
  • Adopt secure development practices for in-house developed software and processes for assessing the security of externally developed applications;
  • Regularly test the security program, including through continuous monitoring measures such as penetration testing and vulnerability assessments; and
  • Oversee service providers, including by periodically assessing service providers’ security practices.

The requirements went into effect in January 2022; however, the FTC extended the GLBA Compliance Safeguards Deadline until June 9, 2023.

Complying with the Safeguards Rule: 3 High Priority Actions

For many covered financial institutions, compliance with the Safeguards Rule may require significant planning, stakeholder engagement, implementation, change management, and documentation. For institutions still working to bring their security programs into compliance with the rule, we recommend the five priority actions listed below. While these actions are by no means comprehensive, they address foundational Safeguards Rule requirements and can be leveraged to address the remainder of the rule over time.

Appoint a Qualified Individual

The Safeguards Rule (both original and new versions) requires institutions to “designate a qualified individual responsible for overseeing and implementing your information security program and enforcing your information security program.” The qualified individual can be an employee of the institution, its affiliate, or a service provider (e.g., TEKRiSQ). In many cases, the institution’s qualified individual will be its chief information security officer, chief compliance officer, or someone in a similar role. Many businesses do not have in-house cybersecurity staff and therefore may seek to outsource this role. The qualified individual should have the appropriate experience and authority to oversee the institution’s security program. They must make necessary changes to that program and report candidly to the board of directors or other governing body about the institution’s security compliance and risks. An information security program must include technical safeguards and measures, but also administrative and physical ones. Qualified individuals must have broad visibility into and influence over activities across the company. This can be achieved through an annual NIST-based cyber risk assessment.

Conduct a Cyber Risk Assessment

Find a qualified individual. The Safeguards Rule dictates that you must conduct a periodic risk assessment. These assessments help demonstrate the sufficiency of an information security program and/or outline recommendations. The rule expressly requires businesses to run their information security programs based on the findings of those risk assessments and to implement security safeguards to remediate the risks they identify.

Recent fines highlight the importance of conducting a risk assessment. In May 2023, the New York Department of Financial Services (NYDFS) fined bitFlyer USA $1.2M for, among other things, failing to conduct a risk assessment under the NYDFS Cybersecurity Regulation. NYDFS found that although bitFlyer USA had conducted an IT audit of its systems, that audit did not give the company insight into its security risks or how to mitigate them. Accordingly, the company failed both to conduct a compliant risk assessment and to base its security safeguards on that assessment. The FTC expressly modeled the new Safeguards Rule after the NYDFS Cybersecurity Regulation, so the NYDFS action against bitFlyer USA should be a precedent for future FTC actions enforcing the Safeguards Rule’s risk assessment requirements.

Deploy Security Safeguards

Once a risk assessment is complete, businesses should deploy specific Safeguards recommended for compliance, including:

    • Access Controls – password management, DNS blocking and filtering, etc.
    • Encryption Methods – both in transit and at rest (or other methods if encryption is infeasible)
    • MFA – multifactor authentication for accessing customer information and related systems
    • Backup – data retention and disposal, often encompassing a suitable, tested backup strategy
    • Activity Monitoring and Logging – often involving the management of endpoints


Other Tips: Triage Third-Party Risks

Third-party cybersecurity risk has been a major area of focus for federal and state regulators. The Safeguards Rule covers two types of third-party risks. First, those arising from service provider relationships and second, those arising from software supply chains. To address service provider risk, the Safeguards Rule requires financial institutions to take a three-pronged approach. Institutions must oversee service providers by vetting their security practices up front, requiring them to maintain security safeguards by contract, and periodically reassessing their security compliance and practices.

Establish Processes to Monitor Effectiveness

The Safeguards Rule requires businesses to “regularly test or otherwise monitor the effectiveness of” their security safeguards. For monitoring information systems, the Safeguards Rule provides a choice: institutions shall either conduct “continuous monitoring” or undergo penetration testing annually. The FTC also suggests performing vulnerability assessments at least every six months. In its proposal to adopt the new Safeguards Rule, the FTC described “continuous monitoring” as “any system that allows real-time, ongoing monitoring of an information system’s security, including monitoring for security threats, misconfigured systems, and other vulnerabilities.”

Time to Get Moving!

With under a month left before the GLBA Compliance Safeguards Deadline, when the full Safeguards Rule goes into effect, you need to get busy with compliance now. Let TEKRiSQ help you comply in 30 minutes.