The Federal Trade Commission (FTC) is making significant updates to the GLBA Safeguards Rule. On March 5, 2019, the FTC posted separate notices regarding proposed changes to the Safeguards Rule and Privacy Rule, with an open comment period through June 3, 2019.
The original GLBA Safeguards Rule provided general requirements and guidance for information security program expectations, avoiding detailed descriptions of controls. Financial institutions have been operating under these expectations for over a decade, but the FTC now sees the benefit of more detailed guidance. This updated approach aligns with the New York Department of Financial Services (NYDFS) Cybersecurity Regulation and National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law, which were both released in 2017.
The original GLBA Safeguards Rule provided general requirements and guidance for information security program expectations, avoiding detailed descriptions of controls.
GLBA Safeguards Rule: Proposed updates
For much of the Safeguards Rule, these updates bring GLBA expectations in line with existing best practices recommended by Federal Financial Institutions Examination Council (FFIEC) examiners — such as aligning customized information security training with an organization’s risk profile, overseeing service providers based on unique risk levels, and establishing a formal incident response plan. However, in some areas, the proposed updates could raise expectations for many financial institutions beyond current control environments. These include:
- Assigning the CISO role to only one qualified individual. The proposed updates will no longer allow the designation of multiple employees.
- Completing a full data inventory. This would require a mapping of all devices and networks containing customer information.
- Data encryption. Encryption will be required for all customer data at rest or transmitted over external networks (allowing CISO signoff if compensating controls are implemented instead).
- Multifactor authentication. This will be required for any individual accessing customer information (with a similar option for CISO signoff on compensating controls).
- Vulnerability management. This includes either effective continuous monitoring or required annual penetration testing, as well as biannual vulnerability scanning.
In some areas, the proposed updates could raise expectations for many financial institutions beyond current control environments.
There are heavy correlations between these recommended safeguards and recent NYDFS/NAIC updates, as well as FFIEC handbooks and the Cybersecurity Assessment Tool (CAT). However, depending on the final verbiage, these expectations may become requirements, compared to FFIEC CAT expectations at higher maturity levels or risk-based best practices. Once the updates are enacted, there will be a six-month window before some of the changes become effective. This is potentially tight timing for organizations needing to encrypt all customer data at rest and add multifactor authentication to each location.
Expanding the definition of financial institutions
These updates may also expand the potential organizations defined as “financial institutions,” including fintech companies, educational institutions, auto dealers, and accounting firms completing tax returns, to name a few. It’s assumed these proposed changes are in efforts to align against the NIST framework and close the gap between common frameworks. Whether you’ve applied GLBA to your organization for the last 16 years, or are surprised to see your industry listed in the document, it’ll be interesting to see how many industry lines the final version blurs together.
Preparing for GLBA Safeguards Rule updates
Assuming the final version of the GLBA update will remain similar to the current draft, we recommend financial institutions start, or more heavily prioritize existing plans, related to the following key areas:
- Conduct a data inventory. Use either automated tools to identify personally identifiable information (PII) on the network, or interviews with various departments, for a complete data inventory. You can expand on existing business impact analysis or risk assessment efforts involving departmental interviews to document known locations where confidential customer information is stored.
- Identify encryption capabilities. Once customer data locations are known, your organization most likely has encrypted these locations through existing internal controls and vendor security layers. For any unknowns, we recommend investigating whether customer information can be removed/redacted, or how data can be encrypted.
- Add multifactor authentication. Using the list above of customer data locations, we also recommend expanding the discussion to note the layers of authentication required to access each system (by employees, customers, vendors, etc.). Where multifactor isn’t in place, we recommend investigating the capabilities to add device-based, token-based, or biometric authentication layers.
- Document exceptions and action plans. Where encryption and multifactor expectations can’t be implemented in time, we recommend documenting these known exceptions and action plans to improve security. In some cases, the CISO may be able to sign off on existing compensating controls as sufficient. Whether being 100 percent in compliance, pivoting to rely on compensating controls, or requiring additional time to comply, documenting that picture for regulators should help reduce questions and communicate that your organization is aware of your responsibilities.
We’ll continue to monitor comments provided to the FTC, review the approved version, and provide an update once the final version is ready. In the meantime, please reach out to us with any questions on the preparation efforts your organization can start now.