GLBA Cybersecurity Requirements: What Your Organization Needs to Do

On June 9, 2023, new Gramm-Leach-Bliley Act (GLBA) cybersecurity requirements that reflect updates to the Safeguards Rule component of the law went into effect. Financial institutions need to have a plan in place to ensure compliance with the new obligations. The types of businesses that are considered financial institutions in the GLBA include, but aren’t limited to:

• Banks
• Mortgage lenders
• Higher education institutions that participate in federal student financial aid programs
• Loan brokers
• Debt collectors
• Real estate appraisers
• Financial advisors

The Safeguards Rule requires institutions to have an information security program that protects customer data. The latest version of the rule is comprised of nine elements that organizations need to satisfy. Annual GLBA audits are required to prove compliance is being maintained. Here’s a look at all nine elements and how your organization can adhere to them to meet the GLBA cybersecurity requirements.

The Nine Safeguards Rule Elements

Element 1: Designate a qualified individual responsible for overseeing and implementing your information security program and enforcing your information security program.

Your organization can meet this requirement with an employee or service provider, such as a Virtual CISO. A specific degree, certification, or title is not required for the position. Whether you go with an internal or external person, be sure to put someone in place who has proven experience implementing and managing an effective information security program.

Element 2: Conduct a risk assessment to identify internal and external risks to customer information security, confidentiality, and integrity.

The risk assessment your business conducts needs to be written and include the following:

• Criteria for the evaluation and categorization of identified security risks or threats
• Criteria for the assessment of the confidentiality, integrity, and availability of your information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats
• Descriptions of how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks

Periodic reassessments are required to account for operational changes and the emergence of new threats.

Element 3: Design and implement controls to address the risk identified in the assessment. This is a robust element of the Safeguards Rule that requires your organization to:

• Implement and periodically review access controls, including technical and physical controls, to:
  • Authenticate and permit access only to authorized users
  • Limit authorized users’ access only to customer information that they need to perform their duties
  • Ensure customers can only access their own information
• Know your data, how it’s collected and transmitted, and where it is stored. Keep accurate records of all systems, devices, platforms, and personnel involved in data management.
• Encrypt all customer information that is stored or transmitted. If encryption isn’t feasible, alternative controls are allowed if reviewed and approved by your Qualified Individual.
• Assess the security of all applications your organization uses that transmit, access, or store personal data.
• Implement multi-factor authentication for any individual accessing any information system. The Qualified Individual can approve (in writing) the use of equivalent or more secure access controls as an alternative.
• Implement a secure system to dispose of personal data no later than two years after the data was last used. There is an exception for necessary business or legal purposes.
• Adopt procedures to address changes to your information system or network (For example, how will your organization address the risk created by the installation of a new server)
• Log the activity of authorized users and implement procedures to monitor for unauthorized access.

Element 4: Regularly test and monitor the effectiveness of your controls.

Your organization must continuously monitor and test that your information security program can effectively detect cyber-attacks. If continuous monitoring can’t be performed, your organization must conduct annual penetration testing and vulnerability scans every six months.

Element 5: Train your staff. Organizations must provide their employees with training that meets the following requirements:

• Security awareness training that covers risks identified in the risk assessment
• Training must be managed by qualified information security personnel, either internal or from an external service provider
• The training program must be updated to reflect current risks

Element 6: Monitor potential risks from service providers. When selecting and working with third-party vendors, your organization must:

• Ensure the service provider has appropriate safeguards in place to protect personal data
• Include security expectations in the contract
• Periodically assess that the service provider is meeting the security requirements

Element 7: Keep your information security program up to date. Your organization’s security controls need to be agile. Update them based on the data from your risk assessments, monitoring, penetration testing, and vulnerability scans. Be aware of emerging cyber threats and change or adopt new safeguards to address them.

Element 8: Develop a written incident response plan for the response and recovery following a cyber event.  Your organization’s response plan needs to include the following:

• The goals of the incident response plan
• The internal processes for responding to a security event
• The roles, responsibilities, and levels of decision-making authority
• External and internal communications and information-sharing actions
• Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls
• Documentation and reporting regarding security events and related incident response activities
• The evaluation and revision as necessary of the incident response plan following a security event

Element 9: Your organization’s Qualified Individual must report to the Board of Directors or a senior officer at least once a year. The report needs to be in writing and contain the following information:

• The overall status of the information security program and your compliance
• Material matters related to the information security program, including risk assessment, risk management, and control decisions, service provider arrangements, results of testing, security events or violations and management’s responses, and recommendations for changes in the information security program

Risks of GLBA Non-compliance

Failure to comply with the GLBA can be severe, with penalties as large as $100,000 per violation for institutions. Officers and directors could face a $10,000 fine and up to five years in prison.

There are specific consequences postsecondary education institutions face for not meeting GLBA cybersecurity requirements. If the Federal Student Aid’s Postsecondary Institution Cybersecurity Team determines an institution or servicer is not adequately protecting student information, the Cybersecurity Team may temporarily or permanently disable the institution or servicer’s access to the Department’s information systems. Additionally, if the Cybersecurity Team determines an institution’s controls are ineffective or has a history of non-compliance, it may refer the institution to the Department’s Administrative Actions and Appeals Service Group for consideration of a fine or other administrative action. 

At CompliancePoint we have the expertise and experience to walk your organization through every aspect of the the GLBA cybersecurity requirements. We have also helped organizations of all sizes achieve compliance with other security standards, including NIST, ISO 27001, PCI DSS, and SOC 2. Reach out to us at connect@compliancepoint.com to learn more.