Recently proposed changes to amend the Safeguards Rule and Privacy Rule of the Gramm-Leach Bliley Act (GLBA) would affect how U.S. financial institutions currently protect customer data, including implementing new cybersecurity measures and periodic reporting by the Chief Information Security Officer (CISO) to companies’ boards of directors.
Ensure compliance with proposed changes now
In light of the proposed changes, senior management and boards of directors of financial institutions should consider taking the following steps to ensure compliance:
- Communications with counsel can be protected by the attorney-client privilege, so consider involving counsel prior to engaging a third-party information security consultant to conduct a gap assessment of existing security controls against the revised changes. Notably, the revised rules require policies and procedures to secure physical devices and to monitor user activity for unauthorized access to or use of customer information. Financial institutions should obtain third-party assurances that existing control frameworks are operating and effective in order to determine how best to comply and what changes, if any, may be necessary in light of the rule change.
- Financial institutions should carefully examine existing third-party vendor agreements to ensure that data transfers are secured and that the agreements impose the appropriate control frameworks and requirements consistent with the revised rules and already-existing regulatory requirements.
- Financial institutions should update and revise existing incident response plans to ensure the plan is appropriately calibrated to account for the rule changes.
Changes in the proposed amendments
On March 5, the FTC narrowly voted (3-2) to move forward with proposed amendments to these rules. Specifically, the changes to the Safeguards Rule would require financial institutions to:
- Encrypt all customer data (whether in transit or at rest)
- Use multifactor authentication to control access to customer data
- Restrict physical access to locations containing customer information
- Implement policies for securing physical devices (such as laptops, phones and tablets) containing customers’ personal information
- Conduct written risk assessments that describe how the information security program will address risks identified
- Implement audit trails in systems to detect and respond to security events
- Develop procedures for the secure disposal of customer information
- Develop procedures for change management
- Implement policies and procedures “to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users”
- Conduct regular testing and continuous monitoring of relevant key controls, systems and procedures
- Establish incident response plans
The proposed amendments are based on the cybersecurity regulations of the New York Department of Financial Services, as well as the insurance data security model law issued by the National Association of Insurance Commissioners.
Expanded requirements to oversee service providers
The proposed changes would also expand the existing requirement to oversee service providers — financial institutions would have to periodically assess such service providers based on the information security risk they present and the adequacy of their safeguards.
This oversight would also now be ongoing and continuing, as opposed to only assessing safeguards at onboarding. Such ongoing monitoring may include investigation of red flags raised by the practices of service providers, or periodic assessment of service provider practices. The proposed changes would codify much of the already existing agency advice on monitoring third-party service providers.
Periodic reporting requirements also proposed
The FTC also proposed periodic reporting by the CISO to companies’ boards of directors as one method of ensuring compliance with these new measures.
Also under the proposal, any employee with access to customer information would have to undergo mandatory security awareness training. Additionally, companies would have to designate a single individual responsible for coordinating the information security program, who could be an employee or officer of the company, or an employee of an affiliate or service provider.
Small financial institutions — those maintaining customer information concerning fewer than 5,000 consumers — would be exempted from some but not all requirements of the amended rule.
A number of questions and issues remain unresolved by the proposed amendments, including whether the multifactor authentication requirements apply only to online access or also to in-person customer access at a branch or other physical location.
While the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 transferred much of the FTC’s privacy-related authority over financial institutions to the Consumer Financial Protection Bureau, the FTC’s Safeguards Rule still applies to U.S. financial institutions, and these proposed changes represent significant new regulations applicable to U.S. financial institutions.
The proposed amendments will be posted in the Federal Register for comment.