Proposed RevisionsUntil now, the Safeguards Rule, which first went into effect in 2003, provided general guidance requiring companies to develop, implement and maintain a “comprehensive information security program.” The proposed revisions now provide prescriptive requirements intended to provide greater protection to consumers and greater certainty to businesses. These changes include requiring:
- The designation of a Chief Information Security Officer (CISO), responsible for overseeing and implementing the program.
- The CISO to report at least annually to the board on issues related to the information security program.
- Additional requirements to risk assessments, mandating that the report be written, performed regularly and include recommendations for addressing identified risks.
- Accession control (physical security) to limit access to locations containing customer data to authorized individuals.
- Customer data to be encrypted at rest and in transit.
- Multi-factor authentication (MFA) for any individual accessing customer data.
- Audit logs to include information events designed to detect and respond to security events
- Regular testing and continuous monitoring of critical controls, systems, and procedures.
- Appropriate training and education.
- Key personnel take steps to maintain current cybersecurity knowledge.
- Companies to utilize qualified security personnel.
- Companies to oversee and assess service providers based on the risk they present to information security.
- Companies to implement and maintain an Incident Response Plan.
- Procedures that clearly define the secure disposal of customer information.
- Policies and procedures for change management.
- Policies and procedures for monitoring authorized and unauthorized access, use and modification of customer information.
Who Will Be AffectedThe proposed changes also expand the definition of “financial institutions” to include finders (those who charge a fee to connect consumers to lenders) and companies who engage in activities “incidental to financial activities.” As with any prescriptive cybersecurity guidelines, those organizations who have not previously been governed by GLBA, those that did not already have a strong governance plan as well as smaller entities will be affected the most.
Responses to the Proposed RevisionsUntil now, GLBA has offered general guidelines. It is unlikely that the proposed changes will be accepted with open arms. There are also concerns about the impact on smaller organizations as well as the FTC’s ability to measure and enforce these new guidelines. Those wishing to weigh in on the proposed changes have 60 days after the publication in the Federal Register.¹
- This is the opportunity to review your current information security program.
- If you haven’t already, reconsider your current partnerships and any processes by which you evaluate vendors.
- Establish a relationship with a reputable security vendor.
We can helpIf your organization is concerned about compliance or feels there may be a gap in your current security posture, we would love the opportunity to earn your business. You can speak with a member of our team by contacting us below.