TL;DR:
This article explores the GLBA Safeguards Rule risk assessment process, highlighting its importance in protecting sensitive financial information, ensuring regulatory compliance, and building consumer trust in an increasingly security-conscious world.
Safeguarding sensitive financial information is more critical than ever–which is why a growing number of regulations require organizations to develop comprehensive information security risk management programs.
The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule is one such requirement, and a crucial aspect of its compliance process is conducting a thorough risk assessment.
A crucial aspect of GLBA compliance is conducting a thorough risk assessment.
This article will delve into the importance of a GLBA Safeguards Rule risk assessment and provide an overview of the steps required to identify, evaluate, and mitigate potential information security risks. By understanding this process, organizations can better protect their customers’ information, maintain regulatory compliance, and build consumer trust in a world where information security is paramount.
What is the Gramm-Leach-Bliley Act (GLBA)?
TL;DR:
The GLBA is a federal regulation governing financial institutions’ handling of customer information that will see updates in 2023, requiring organizations to prepare for changes to avoid non-compliance.
The Gramm-Leach-Bliley Act (GLBA) is a federal regulation to control how financial institutions (including higher education institutions) collect, store, and transmit customer information. Although the Federal Trade Commission (FTC) enacted the GLBA in 1999, updates to the regulation are coming in 2023–and organizations need to prepare for the changes or risk non-compliance.
What is the GLBA Safeguards Rule?
TL;DR:
The Safeguards Rule mandates comprehensive information security programs for financial institutions, and significant amendments will take effect on June 9, 2023.
The Safeguards Rule took effect in 2003 and ensures that financial institutions maintain administrative, technical, and physical safeguards for protecting the security of customer information with a comprehensive information security program. During a GLBA audit, auditors want to verify that your organization meets the Safeguard Rule standards.
The FTC recently issued final regulations to amend the Safeguards Rule with significant modifications. The effective date for the new requirements is June 9, 2023.
The effective date for the new requirements is June 9, 2023.
To learn more about updates to the GLBA Safeguards Rule, check out our 2023 Complete Guide.
Updates to the Safeguards Rule in 2023
TL;DR:
The updated Safeguards Rule expands data security requirements, offers guidance on information security programs, and exempts institutions collecting less customer information.
Changes to the Safeguards Rule expand on existing data security requirements at participating financial institutions and their third-party service providers.
The Final Rule contains the following significant modifications:
- It provides additional guidance for financial institutions to develop and implement an information security program.
- It exempts financial institutions that collect less customer information from specific requirements.
- It defines various terms and provides examples.
Even if the original Safeguards Rule didn’t cover your organization, your business operations have likely changed significantly in the last few years.
Even if the original Safeguards Rule didn’t cover your organization, your business operations have likely changed significantly in the last few years. Regularly consult the FTC’s definition of a “financial institution” as your operations transform to determine whether your organization is covered.
Who does the Safeguards Rule apply to?
TL;DR:
The GLBA Safeguards Rule applies to a broad range of financial institutions.
“Financial institutions” must comply with the GLBA Safeguards Rule–but this category includes many more organizations than just banks.
A financial institution is any company offering consumers financial products or financial services.
A financial institution is any company offering consumers financial products or financial services. GLBA compliance also applies to Title IV higher education institutions who handle student financial aid information. To learn more about GLBA compliance for higher education institutions, check out our recent article on the subject, GLBA Compliance in Higher Education, Complete Guide.
More specifically, entities required to comply with GLBA include, but are not limited to, mortgage lenders and mortgage brokers, “payday” lenders, finance companies, account services, check cashers, wire transferors, travel agencies, collection agencies, credit counselors, financial advisors, tax preparation firms, non-federally insured credit unions, investment advisors, and finders (i.e., companies that bring together buyers and sellers).
What is required under the Safeguards Rule?
TL;DR:
The Safeguards Rule mandates financial institutions and service providers to implement comprehensive information security programs with the aim of protecting customer information, ensuring its integrity, and preventing unauthorized access.
Under the Safeguards Rule, financial institutions–including higher education institutions–and service providers must develop, implement, and maintain a written, comprehensive information security program that contains administrative, technical, and physical safeguards.
A written, comprehensive information security program that contain administrative, technical, and physical safeguards is required.
The three objectives of the standards for safeguarding customer information are to:
- Ensure the security and confidentiality of customer information;
- Protect against threats or hazards to the security or integrity of that information; and
- Protect against unauthorized access to or use of that information resulting in harm or inconvenience to any customer.
What are the nine elements of the Safeguards Rule?
TL;DR:
The Safeguards Rule outlines nine essential elements for an organization’s information security program, including designating a qualified individual, conducting risk assessments, implementing safeguards, monitoring effectiveness, staff training, service provider monitoring, keeping the program current, having a written incident response plan, and reporting to the board of directors.
The Safeguards Rule identifies nine elements your organization’s information security program must include. They include:
- Designating a qualified individual to implement and supervise your information security program.
- Conducting a risk assessment.
- Designing and implementing appropriate safeguards to control the risks identified through your risk assessment, including:
- Implement and periodically review your access controls.
- Know what you have and where you have it.
- Encrypt customer information on your system and when it’s in transit.
- Assessing your apps.
- Implement multi-factor authentication (MFA) for anyone accessing customer information on your system.
- Dispose of customer information securely.
- Anticipate and evaluate changes to your information system or network.
- Maintain a log of authorized users’ activity and check for unauthorized access.
- Regularly monitoring and testing the effectiveness of your safeguards.
- Security awareness training for your staff.
- Continuous monitoring of your service providers.
- Keeping your information security program current.
- Creating a written incident response plan.
- Requiring your qualified individual to report to your board of directors.
For steps to implementing the GLBA Safeguards Rule, check out our 2023 Complete Guide.
This article looks more closely at the risk assessment portion of these requirements so your organization can ensure it’s prepared to ace its GLBA audit.
Why conduct a Risk Assessment?
TL;DR:
Risk assessments are critical to identify potential risks and threats to customer information, and serve as evidence of compliance for auditors and guides institutions in addressing security gaps.
According to the FTC, “You can’t formulate an effective information security program until you know what information you have and where it’s stored.” The FTC also recommends completing an IT asset inventory and conducting a risk assessment to determine foreseeable internal and external risks and threats to the security, confidentiality, and integrity of customer information.
Your risk assessment must be written and include criteria for evaluating those risks and threats.
Your risk assessment must be written and include criteria for evaluating those risks and threats.
For your auditors, this risk assessment will serve as a powerful, evidential document of your compliance. For your institution, it will serve as a guide to current gaps that must be addressed.
As you conduct your risk assessment, consider how customer information could be disclosed without authorization, misused, altered, or destroyed. Since the risks to information security constantly change, the Safeguards Rule also requires you to conduct periodic reassessments.
Risk Assessment Process
TL;DR:
The FTC’s risk assessment requirements are flexible so financial institutions can adopt a suitable approach, but we recommend taking the following steps to ensure GLBA compliance.
Conducting a risk assessment will look different depending on the complexity of your institution. The FTC’s risk assessment requirements are intentionally general, so financial institutions will be allowed to meet them “in whatever way they choose, using whatever method or approach works best for them.”
Conducting a risk assessment will look different depending on the complexity of your institution.
For a more comprehensive overview and access to our GLBA Audit Spreadsheet crosswalking the GLBA Safeguards Rule requirements and the Office of the Comptroller of the Currency (OCC) Examination Procedures, download our guidebook, Ace your GLBA Audit: The Step-By-Step Guidebook.
Preparing for the Risk Assessment
TL;DR:
Start by understanding the requirements, selecting a framework, scoping your organization by identifying relevant units, and creating a questionnaire tailored to your covered units.
Begin by ensuring that you thoroughly understand the GLBA requirements. Figure out what the GLBA Safeguards Rule requires from your organization and map out the potential implications.
Ensure that you thoroughly understand the GLBA requirements, choose a cybersecurity framework to guide you, and scope your organization entirely.
Choose a cybersecurity framework to guide you. Your risk assessment can be based on any security framework, but it must be written and include criteria for evaluating risks and threats. Some common security frameworks for risk assessments include ISO 27001, CIS, NIST CSF, NIST SP 800-53, and NIST 800-171.
Next, scope your organization. You may have more than one GLBA-covered unit, meaning that not every unit will be covered similarly. Ensure that you’ve:
- Identified all units collecting, storing, or transmitting customer information.
- Identified unit heads and IT staff at the different organizational units and started communicating the plan to comply and conduct a risk assessment.
- Create a questionnaire specific to your covered units.
Questions to include on the Questionnaire
TL;DR:
Craft a questionnaire with yes-no questions addressing Safeguard Rule standards.
Ideally, your questionnaire should include yes-no questions that can measure compliance with each of the Safeguard Rule standards. Each question should also allow for units to provide clarification for their response.
It can be challenging to know what questions to ask, how many to include, or how to word them.
It can be challenging to know what questions to ask, how many to include, or how to word them. You can leverage the GLBA Audit Spreadsheet inside our Definitive Step-by-Step Guidebook to Ace your GLBA Audit to help you create your questionnaire and better understand how an auditor might audit for the standards.
How to conduct the Risk Assessment
TL;DR:
Choose a risk assessment method that efficiently identifies compliance gaps, organizes findings, allows for follow-up assessments, and exports data for auditors, whether manually, through consultants, or a GRC tool.
You can conduct a control-based risk assessment manually with spreadsheets and email, outsource the process to consultants, employ legacy Governance, Risk, and Compliance (GRC) tools, or leverage a streamlined surveying platform like Isora GRC GRC from SaltyCloud.
There’s no “right” way to conduct a risk assessment–only more efficient, cost-effective ways.
Ultimately, there’s no “right” way to conduct any compliance assessment–there are only more efficient, cost-effective ways. Whatever method you choose, ensure that:
- You can quickly identify compliance gaps and address relevant security risks
- All findings are accurate and organized
- You can conduct follow-up risk assessments
- You can export data for auditors
What to do with Risk Assessment findings
TL;DR:
Analyze risk assessment findings, prioritize critical gaps, collaborate with units on mitigation, track improvements over time, and create clear reports to share with stakeholders and auditors to demonstrate compliance.
Study your risk assessment findings and document any gaps. Prioritize the more critical gaps and work with the individual covered units on mitigation. Compare the findings with any previous findings to measure improvements over time. Create formatted, digestible reports that you can share with your stakeholders, governing body, and auditors to prove compliance.
Consequences for GLBA non-compliance
TL;DR:
GLBA non-compliance can result in significant fines for both institutions and individuals, criminal penalties, restricted access to information systems, potential security events, and reputational damage.
If GLBA non-compliance is proven during an audit, the ramifications can be business-altering and, in some cases, life-altering. GLBA non-compliance penalties include:
- Fines of USD$100,000 per violation for financial institutions found in violation.
- Fines of USD$100,000 per violation for individuals found in violation.
- Criminal penalties include imprisonment for up to five years for individuals found in violation.
The ramifications of GLBA non-compliance can be business-altering and, in some cases, life-altering.
Suppose, for instance, a higher education institution is found non-compliant. In that case, the Federal Student Aid’s (FSA) Postsecondary Institution Cybersecurity team may also disable the institution’s access to the Department of Education information systems.
However, the most detrimental consequence of GLBA non-compliance is a security event. In the case of a successful cyberattack, a perpetrator may leak or steal important customer information.
Institutions that fail to take appropriate measures to safeguard customers’ financial information may pay significant ransoms to retrieve that data. Even then, there is no guarantee that the attacker will return the information after receiving the money. Such non-compliance can also severely harm an organization’s reputation.
How Isora GRC from SaltyCloud can help
TL;DR:
Isora GRC from SaltyCloud is the powerfully simple GLBA Safeguards Rule solution, making regulatory compliance easier while helping organizations improve their cyber resilience.
The quest for GLBA Safeguards Rule compliance is complex as organizations strive to protect customer data while navigating shifting threats and regulations.
Knowing where GLBA-covered data resides, if it’s protected, and whether it meets GLBA compliance standards requires an agile and lightweight solution that transcends outdated GRC platforms and tedious manual spreadsheets.
Isora GRC from SaltyCloud is the powerfully simple solution changing how organizations and their information security teams manage information security governance, risk, and compliance (GRC). A new intuitive, automated, and collaborative platform designed by GRC experts, Isora GRC helps organizations ace compliance audits, build information security culture, and strengthen cyber resilience at scale.
- Ace your GLBA compliance audit with collaborative surveys, risk assessments, dynamic dashboards, and insightful reporting for auditors, leadership and employees.
- Improve your organization’s security posture with maturity models, preloaded security frameworks, and remediation tracking.
- Protect GLBA-covered and other sensitive data with a comprehensive host inventory, robust API integrations, and continuous assessments.
- Minimize third-party risk with a complete vendor inventory, risk assessment surveys, and approval workflows.
Join dozens of information security teams partnering with Isora GRC from SaltyCloud to build a risk and compliance program they can trust.
Discover how Isora GRC from SaltyCloud can streamline your GLBA Safeguards Rule compliance.