On October 27, 2021, the Federal Trade Commission announced amendments to the Safeguards Rule it issues under the Gramm-Leach-Bliley Act (GLBA), the rule that applies to non-bank financial institutions such as automotive dealerships. The amended rule requires these institutions to strengthen their data security safeguards to better protect customer financial information. Most of the new requirements were scheduled to take full effect in December 2022 (the FTC later extended the deadline for several of the provisions discussed below to June 9, 2023).
What Types of Businesses Are Now Defined as “Financial Institutions”?
First and foremost, the amendment expands the definition of a "financial institution" (an organization subject to the Safeguards Rule) to include businesses engaged in "activities incidental to a financial activity." The most notable addition is "finders," companies that bring together buyers and sellers of a product or service, such as representatives who match borrowers with lenders. Non-bank lenders such as mortgage brokers, payday loan companies, auto dealers that extend credit, and collection agencies were already covered financial institutions under the Safeguards Rule, and all of them now face the far more prescriptive requirements described below.
Banks and other large financial institutions have been working with GLBA-style security requirements and building security programs around them for many years. Mortgage brokers, dealerships, and the other non-bank businesses covered by the FTC rule often do not have the same experience. We anticipate that many of these firms' information security practices will have substantial gaps when measured against the amended rule.
The 7 Rs of Updated GLBA Security Requirements
We have put together a high-level overview of what non-bank institutions need to keep in mind as the compliance deadline approaches. It is organized into 7 factors, all of which begin with the letter R.
The first main area of concern in the amended rule is accountability. Under the updated Safeguards Rule, the information security program must be overseen by a single "qualified individual" (QI), who is responsible for implementing and managing the program.
What is a Qualified Individual? The Federal Trade Commission describes the QI as a person with the information security knowledge and experience needed to oversee the program. The QI does not have to be an employee of the institution; the role can be filled by an employee of an affiliate or of a service provider, such as a virtual chief information security officer (vCISO). The requirement is intended to ensure that one qualified person is steering the ship, so to speak.
Once assigned the role, the QI oversees the security program and must report in writing, at least once per year, to the board of directors or an equivalent governing body. That report covers the state of the program and the security incidents that occurred during the reporting period.
In more specific terms, the role of the QI involves:
- Evaluating the information security program,
- Ensuring that the institution is following the law,
- Overseeing the program, and
- Reporting on compliance.
If the QI is provided by a service provider, the institution itself remains responsible for meeting the compliance requirements. For this reason, the security firm must be reputable, and the rule requires the institution to designate a senior member of its own staff to direct and oversee the QI. The service provider's QI reports directly to this designated person.
Going forward, one of the main differences under the amended Safeguards Rule is the requirement to have a written incident response plan on file. A complete incident response plan defines:
- Clear roles, responsibilities, and levels of decision-making authority,
- Internal procedures for handling security incidents,
- Information sharing and communication between internal and external parties, and
- Documentation and reporting of security incidents.
In cybersecurity, writing a plan, and even implementing controls, is never enough; the controls in a security program must be put to the test. Specific testing mandates in the amended Safeguards Rule include regular vulnerability assessments and annual penetration testing (unless the institution instead performs continuous monitoring of its information systems).
- Vulnerability Scanning: the rule requires vulnerability assessments at least every six months, so a minimum of two per year. Additional scans should be run whenever there are material changes to business operations or other circumstances that may significantly affect the information security program, such as a move or the acquisition of a facility.
- Penetration Testing: the rule requires annual penetration testing of the institution's information systems. This type of testing is more rigorous than scanning; it is intended not only to identify weaknesses but also to exploit them, in order to determine how far an attacker could actually get. A penetration test demonstrates how a criminal would infiltrate the systems and what customer information they could reach from there.
Using these recurring tests, the QI can pinpoint areas that need improvement and evaluate the effectiveness of the security controls. The findings from vulnerability assessments and penetration tests then need to be reflected in the written risk assessments.
Organizations subject to the FTC rule must perform risk assessments on a regular basis. Each risk assessment must be written and must include criteria for:
- Determining if current security measures are adequate;
- Identifying and categorizing internal and external security risks;
- Evaluating risks to the confidentiality, integrity, and availability of information systems and customers' personal information;
- Training employees to identify and respond to security incidents; and
- Reducing or accepting the identified risks.
Institutions must implement, and periodically review, access and authentication controls that prevent unauthorized access to customer information and limit authorized users to only the access required for their business functions. This is commonly referred to as the "principle of least privilege."
The amended rule also requires encryption of customer information both in transit over external networks and at rest (where encryption is infeasible, the QI may approve effective alternative compensating controls in writing), security awareness training for employees, and multi-factor authentication.
Multi-factor authentication is required for any individual accessing any information system, unless the QI has approved in writing the use of reasonably equivalent or more secure access controls.
The QI must produce a written report for the institution's governing body at least once a year. The report must cover the overall status of the information security program and its compliance with the Safeguards Rule, and must address material matters related to the program, such as risk assessment results, risk management and control decisions, service provider arrangements, test results, security events and management's responses to them, and recommended changes to the program.
Reporting will also require documented risk assessments that identify, evaluate, and categorize the risks present. The annual report brings this information together in one place for the governing body: it summarizes the security assessments, the integrity of the information systems, and how the identified risks are being addressed.
The culmination of these measures is remediation. Regular scanning and testing reveal the issues that need to be addressed, and the reporting process gives IT personnel and security practitioners the opportunity to lay out a plan for fixing them. That plan includes:
- Setting standards for correcting any identified vulnerabilities in information systems and controls;
- Determining how the incident response plan will be evaluated and revised following security events;
- Defining which measures are needed to help prevent security problems in the future.
How AWA Can Help
For best results in security and compliance, rely on experienced professionals. The assessments, tests, and reports required by the amended FTC Safeguards Rule should be performed by cybersecurity experts who also understand your business and industry.
Start the conversation with the security team at AWA today.