Compliance with the FTC’s GLBA Safeguards Rule

Transcript

Steve Haley: Good afternoon and welcome to CompliancePoint’s webinar on the FTC’s GLBA Safeguards Rule compliance.

On today’s agenda, we’re going to cover the GLBA background, the Safeguards Rule, the nine elements associated with that, how you can prepare for the Safeguards Rule, a path to success for your organization, key takeaways, and questions and answers.

So who are your presenters today? Well, my name is Steve Haley. I’m the practice director of cybersecurity services. I come to you today with over 20 years of experience in technology as well as various roles in cybersecurity and in technical operations. And our teammate, Ryan Williams, I’ll ask him to introduce himself and give a little dissertation on his background.

Ryan Williams: Hello everybody. My name is Ryan Williams, Sr. I am a security consultant and project manager for the practice and I have 20 years of experience working for the Department of Defense enlisted in the Air Force as a network engineer, a project manager, anything you could think of under the sun. And a couple of years as an adjunct professor also within my career field. Thank you, Steve.

Steve Haley: Well, thank you, Ryan.

So who is CompliancePoint? For those that don’t know about CompliancePoint, we’re a professional organization that focuses on risk management, information security, privacy, and compliance.

We have the wonderful opportunity of having a very exceptional Net Promoter Score of 87. For those that aren’t familiar with the Net Promoter Score, this scoring is based off of a negative 100 to a positive 100 rating based on customer experience and the feedback that they provide based on the experience that we have provided them. So we’re very proud to have a world-class score of 87 and it just goes to show how centric our customers are to our organization.

So what do we focus on? Where’s our subject matter expertise? Well, it’s in actually a couple of areas or a few areas that we have bullet points below, which is PCI DSS, HITRUST, SOC 2, ISO, cybersecurity services, which could be pen testing, vulnerability management, those types of components, as well as data privacy, HIPAA, and TCPA, which is a different beast in itself.

So now we’re going to have the opportunity to have Ryan Williams Sr. kind of give us an overview of the GLBA background. Ryan will discuss the Safeguards Rule and how to prepare for the Safeguards Rule, and then he’ll transition back to me and we’ll discuss a path forward for success for your organization and key takeaways.

Ryan Williams: Thank you, Steve.

So the Gramm-Leach-Bliley Act, GLBA for short, was enacted in 1999 by Congress. It’s the Safeguards Rule that we’re going to kind of expound upon and talk about during the presentation. Those rules came into effect in 2003, and then the FTC made some amendments in 2021. But most importantly, on June 9th of this year, those rules go into enactment, right? They’ll have an effect on you as the audience, and we kind of want to go through all of what that means to you and how you can go forward.

So a brief overview. The GLBA is broken into the Financial Privacy Rule, the Safeguards Rule, which we’ll go into in greater detail, and the Pretexting Rule.

When it comes to those safeguard rules, I want you to keep in mind there are three objectives when it comes to your information security program. So one being to ensure the security and confidentiality of your customers, two, to protect against any anticipated threats or hazards to the security or integrity of such information. And then three, of course, being to protect against unauthorized access or use of such information that could result in substantial harm or inconvenience to your customers. So these are the standards you’re being held accountable for and have to be within your information security program.

So who will be affected by these rules? In this slide, we tried to capture as many organizations as we could. Obviously, this is not the be-all and end-all of the list, but out of these 13, if you happen to fall under one of these, whether it be accounting, banks and credit unions, a tax preparer, or even a university, you are subject to these rules as well. And then as we go through the slides, you’ll see kind of what those effects can have on you as either an institution or as an individual.

What is being protected by these rules? There’s no reason to have these rules unless they have some significant importance to your consumers.

So in this case, the safeguard rules and financial privacy rules are protecting the NPI or the non-public personal information of your consumers. So those are the addresses and birthdays, all the way to education records and tax information. So that’s what it’s trying to protect consumers against these things being put out there, either on the interwebs or in some other means.

So here’s the slide I was talking about. So you don’t want to be this person, right? You see them banging their head on the desk. So failure to comply can have significant penalties for negligence and the fines can be very steep. So as you can see, $100,000 per violation for the institution, or if you, as an officer or director, were to mishandle this information, it could be a $10,000 fine for you as well as five years of imprisonment. So obviously there are some severe consequences to not following the new rules.

So a little bit of additional information, right? Because you came here to hear us kind of break down the topic and be those subject matter experts. So we want to give you something you can walk away with and you can start looking at today.

So for the additional information, it’s best practice by both the FTC as well as the Federal Student Aid Department to use NIST 800-171 Rev. 2. So that is the 110 requirements and 320 controls that it encompasses. It kind of sets the framework for you to build off of and make sure that your specific institution is abiding by these new rules.

So what can impact you as early as next week, right? So we’re tracking the June 9th date as being when you need to have the ball rolling or be compliant with these rules.

So how does the safeguard rule apply to you?

So those safeguard rules for your institution went into effect obviously in 2003, and now in 2023, as early as next week, you’ll need to be working towards having an information security program that meets those three objectives we talked about, as well as being compliant with the nine elements that we’ll cover shortly.

So there are some exceptions. Again, you came here for all of this good information, right? So we want to make sure that we set you up for success and let you know that in the fine print, there are some exceptions that may apply to you and your institution. So if you were to look at the Title 16 and then it has all of those codes behind it, so 314.4, subsection B, et cetera, you will see that this only applies to financial institutions that maintain customers’ information with fewer than 5,000 consumers, right? So if you have fewer than 5,000 consumers, then some of these rules do not apply to you.

You’ll still want to stay tuned to see the path to success and all those good things. However, you can wipe your brow a little bit. You may not be subject to every single stipulation and rule that applies from here on out.

So here are those nine safeguard rule elements that we promised. So it all starts with having a qualified individual who is responsible for overseeing and implementing your program, right? You want to make sure that you have a person who understands your institution and how those rules apply to you, as well as they can monitor and basically manage the project of being in line with the safeguard rules and making sure your information security program manages those risks as well as makes those assessments for you, your vendors, and so on that we’ll get into.

So how can you prepare? Here we kind of compiled a compliance checklist for the GLBA, which goes over nine steps that you can take to begin to prepare, assess, and remediate those things that you need to make your information security program the best it can be.

Again, best practice is to map your assessments against the NIST standard, preferably the NIST 171 Rev 2 to utilize that NIST RMF framework. That way you’re in line moving forward.

As we move down the checklist, you’ll see that it goes into testing, monitoring, and detecting, right?

So that’s the compliance orchestration where you’re going through your testing, your monitoring, your detecting of new risks. You’re making sure that your monitoring and testing stays continuous, and you have periodic pen testing and vulnerability assessments as well. We’ll kind of go into those details as we move forward.

So very key to any security program is the training of your employees, right? Your employees are those insider threats, whether it be on purpose or out of just not being educated towards the standards, right? You don’t want them mishandling the NPI or clicking on malicious links and things of that nature and losing that information. So again, that’s paramount.

There’s also the monitoring and assessing of your vendors. So those third parties that may need some of your information, or that you may need to share information with, you have to make sure they’re above board as well, because that can also cripple your program.

And then the end of the checklist. So this is the conducting periodic penetration tests and vulnerability scans to identify those new security gaps as they emerge because as we all know, cybersecurity is an ever-changing and evolving landscape.

It’s also a good idea to identify those roles and responsibilities and make them clear to those stakeholders that need to engage in that way, because we do know that if the task belongs to everyone, then no one will do it, right? So you have to make sure people have a clear understanding of what their responsibilities are, and then also be prepared to adopt new controls and to address those gaps as they come up, right?

So again, the landscape’s ever-changing, it’s ever-shifting, and you have to make sure that you stay as flexible as possible.

And that brings us to a path to success. So this is the point where I hand the ball back over to Steve so he can kind of give you all of those nuggets of wisdom and take it from here.

Steve Haley: Well, thank you, Ryan. I really appreciate that.

In this section, we’re going to go over a path to success that organizations can take to help solve some of these challenges that we have associated with GLBA and the safeguard rules that have to be applied for compliance with those elements.

Now, as we all know, there’s more than one way to solve problems in an organization, and this may not be correct for every business, but this is a path that organizations take when they come to us and we assist them in being successful with GLBA.

First and foremost, some of the areas that we help with are security program leadership, design, and oversight. What we find when we consult with organizations is a lack of understanding in, or, you know, overall leadership in, how to design and provide oversight for programs such as GLBA.

One of the first things that we want to do in this area is really provide a risk assessment and understand where you are at a point in time as it relates to the elements with the safeguard as well as your overall security program. From there, you know, some of the services also include like a virtual CISO service that is designed to be very flexible for your organization and meet your needs, really from the security program perspective all the way into, you know, some of your compliance programs to include GLBA.

Specifically associated with GLBA we focus on the safeguard rule design, implementation, and management, right? This is really where we want to assist you or you can come to us to assist you with your gap analysis and risk assessments. Out of that, we always like to take a prioritized approach to a corrective action plan, that is those action items that you as an organization can take to remediate items associated with the risks that have been identified with GLBA implementation or management overall.

Another area that you should expect to have to make some adjustments to, and that we can assist with, is really security policies, procedures, and documentation. With any type of standard or change in our industry, and they come hot and heavy, especially if you are dealing with multiple frameworks or standards, there is the need to be able to provide the clarity and guidance to your organization on control enhancement and adherence, and specifically for GLBA, since this is the topic that we are talking about today.

Our staff has the experience to get that done for you, and those are only three of the areas that we can help with.

There are a couple more before we get into the next sections of our presentation. So again, among the requirements associated with the Safeguards Rule and the elements associated with it is incident response plan development. We assist organizations in either modifying, enhancing, or designing their incident response program so that it provides the direction needed for your staff and organization to remediate and recover from an incident. This is a requirement with GLBA, but actually a best practice for your organization to have as well, and it also defines those roles and responsibilities within your organization of who has to do what, where, and why.

There is a critical component of an incident response plan which then really leads into business continuity and disaster recovery. Business continuity goes a little bit beyond incident response and covers a lot of other things associated with the business and the effective continuity of the business, which should focus on the entire enterprise: its people, its buildings, working environments, and even computing resources. And again, in case of an event, how you will be able to keep the lights on and the doors open, whether it’s some type of cyber event, a weather-related event, or even, as we all know, a pandemic. So a very important component there as well.

And then annual tabletop exercises. These are going to test the effectiveness of your incident response plan or your business continuity plan, and you can even tie that into ransomware readiness assessments and things of that nature. It is a very cost-effective solution to be able to test how your organization is going to respond to an event, and again, it aligns with the requirements associated with GLBA.

So there are additional services and things that most organizations may not have the skill set to be able to accommodate, and this is again another area that we can assist with, or I would recommend that you at least partner with someone to assist you with these if you do not have the skill set.

And that’s overall vulnerability management as well as penetration testing, both internal and external, to get you good saturation and an understanding of the health of your cybersecurity program and where vulnerabilities and risks may lie.

The other thing is you also want to understand the implementation of those safeguard elements. Not everybody has the astuteness or the background or experience to understand how to effectively implement those controls and we as an organization can help you down that journey and get you to that path of success.

As you look at the end of the elements, one of the biggest things is really monitoring those services and monitoring your program as a whole. We can assist in that through program management through either services or technologies. We do rely on or bring into the mix a virtual GRC solution, something that affects. You can get the holistic or what I call horizontal visibility into each of those areas that are required and then obviously information security program documentation which is a requirement of GLBA as well is to make sure that all of your information security plan is documented and is actually presented to the board.

So those areas that we at CompliancePoint can assist with, if you found that this has been valuable, we would love the opportunity to help you. If you still need additional help and you have your own partnerships, obviously you should use this presentation to help guide those discussions with them as well.

So, key takeaways that are coming out of today’s webinar. And again, I want to thank Ryan for reviewing what the Safeguards Rule is and giving us that nice background on GLBA as a whole. And again, if you’re under 5,000 customers there are some exceptions to the elements themselves, but again, the devil’s in the details. There are sub-items or sub-controls that are associated with each element, and you should pay attention to those.

But again, we’ve provided you with some key takeaways. We hope that this is beneficial, and we’ll get into that right now. The most important, and I have it number one on here for a reason, is to really understand the regulations and how they’re going to apply to you. This isn’t just by doing a risk assessment. It’s actually reading the documentation and understanding what the scope of these elements is and how they apply to your organization. That’s going to really lead up to the best roadmap and path that you can take to help mitigate the risks associated with that, which then leads into number two, which is conduct a risk assessment.

As we talked earlier, you can use the NIST risk management framework. It will provide you guidance in that as well. And I would again strongly recommend that you align to a NIST standard, not just to the nine elements that are associated with GLBA. And that NIST standard is being strongly recommended. That is the NIST 800-171 rev 2. I don’t think that’s going to be going away. If they’re strongly recommending it now, it’s probably only going to gain more traction. So it may be in your best interest to start looking at that standard and how that may apply to your organization as well. Then ensure that the controls are effectively implemented and in place in your organization to reduce that risk.

Now, as in any type of control, there may be instances where you can’t implement certain controls based upon business decisions, technical considerations. The biggest thing is to either look for a mitigating, some type of mitigation and or documentation so that you have a path to be able to address it in the near future or some type of compensating control could help you with that as well.

Protect yourself from insider threats. Again, that goes back to train your staff, right? Trust but verify. This is where policy and training and trust and verify and visibility are all important.

Make sure your service providers are GLBA compliant. That’s important as well, right? Especially with the risks associated today. If you look at the news, almost every day you’re seeing where there are breaches or things of that nature, and really it’s coming from the third party. So having some type of third-party risk management program is going to be critical for success with GLBA, but also to help reduce the risk in the organization overall.

There are tools that can help you with that. We can help you with that as well if you have any questions on any of that. But understanding the risk of your service providers or third parties is extremely important.

Confirm that you’re complying with the privacy rule requirements. I know today’s focus was on the safeguards rule but the privacy rule is very important as well and should not be overlooked.

Update your disaster recovery and business continuity plans. We discussed that in the other slide. People need to understand what is expected of them if an event happens and the business needs to be able to keep the doors open or the technology running should that event occur so that you can continue to do business.

We discussed this a little bit earlier. Number eight, prepare a written information security plan. Again, another GLBA requirement. It should be fairly robust. There is a balance to these types of documents but you should put the level of effort in required and have a fairly robust information security plan that you can present and report to the next one which is the board.

You’ve got to report on the health of your information security program as a whole as well as how it aligns to the GLBA. That is a very important component. Again, it is a requirement for GLBA.

Then, like any other security program or compliance framework, always review, revise, and improve. Implement a maturity model or a maturity program for how the organization can get better over time. A lot of times that is usually done by doing annual assessments or things like that. But again, going back to number nine, you are required to report annually on the effectiveness of your GLBA safeguard controls and elements that are in place.

Thank you for joining CompliancePoint on our webinar today. We are very grateful that you took the time out of your schedule to be able to join us today.

You can connect to CompliancePoint through connect@compliancepoint.com. That is our email address and probably the quickest way to connect with us if you would like or you can use the QR codes that are provided in the slide below.

Another good way is to follow us on Twitter or LinkedIn, subscribe to our newsletter, which is actually awesome and provides a lot of good content every month, or visit our website.

Again, we really thank you for being here today. We hope we provided you value. As I stated, we will send out this slide deck so that those takeaways and the checklist that Ryan reviewed could be utilized within your organization.

If there are any questions that anybody would like to ask, Ryan and I are here to help answer your questions. If you are shy, again, you can email us at connect@compliancepoint.com. Thank you for your time.

We have our first question that has come in. The question is, trying to understand my company’s requirements related to GLBA since it was brought up by one of our larger clients. They’re a third-party service provider for a few financial institutions that want to understand what their obligations are. That’s the first question for today.

As a service provider, if you are providing services to a third-party institution, you are required to comply with the nine GLBA elements. Out of that, you want to be cognizant of what data you’re passing back and forth and what access is being obtained into the environment. They do classify this. If you want to look at the documentation, I would strongly recommend that. Service providers are those that are providing electronic or other types of services to a financial institution that may have NPI information associated with that.

Next question. Does the FTC have direct jurisdiction over financial institutions for privacy matters?

This is a little bit of a difficult question to answer because as far as direct jurisdiction, I can’t really answer that one, but I do know that the FTC has been enforcing matters associated with privacy to those types of financial institutions, and that does include fines from my understanding.

Next question.

I work for a university and I’m trying to wrap my head around which departments a GLBA compliance program will impact outside of IT.

Ryan, I think I’d like to turn this one over to you for your answers on this particular question if you don’t mind.

Ryan Williams: That’s a great question, actually. So if I understand it correctly, the short answer is yes, it will have an impact on several of your institutions within the university.

The longer answer being academic and administrative offices, so those offices that are handling electronic and printed records, so personnel records, financial records, student records, as well as the transmission of those records, confidential information to, let’s say, the government or other universities. Those will also be under this, so you’ll have to have a really strong InfoSec program and policies as well as training for those individuals who are handling that information. It will probably also affect your centers and institutes on campus, so any of those institutes that are directly handling the NPI of students to provide them services of some sort.

And then I would also say probably, or not probably, but definitely, when it comes to individuals, like we had the slide with the person banging their head on the desk, that will be your, or hopefully it won’t be your, faculty, to include directors and coordinators, probably program directors and principal investigators, those people who are collecting NPI of your students and faculty, as well as those who are contracted to use and access that information and to pass it to non-campus entities such as the federal government or banks and things of that nature.

All of those pieces of the university, as well as those people who are within those organizations and institutions, will all be impacted by the GLBA rules that are coming up.

Steve Haley: Well, great, Ryan. Thank you for that very robust answer.

We have another question from somebody in the audience. Are there any requirements to perform any external independent assessment to certify compliance or does an internal assessment or board reporting suffice?

Ryan, would you like to field this one as well?

Ryan Williams: Sure, Steve.

So I guess the answer would be it depends on the organization that holds the information and how they want to comply with the standard.

So when it comes to external independent attestation, I would say yes. They will most likely fall within that level of compliance. And then it’s finding a partner who can actually perform the assessment as well as the pen test and vulnerability scans, if that applies to you as an organization.

Did I miss anything, Steve?

Steve Haley: There is a reporting structure that does go up as well.

But thank you, Ryan. That was a really appreciated answer.

Just a reminder that we will be sending out the slide deck from this presentation out to all audience members after this. And again, if you’d like to connect with CompliancePoint, we have some stuff on the screen that you can actually visit us through the QR codes.

We want to thank everybody. We do not have any more questions at this time. So it looks like we’re going to get a few minutes back today. So we want to thank everybody for attending today. We hope you found this valuable.

If there’s any questions or concerns, please feel free to reach out to us. You know, I’m a stickler for wanting to answer questions in a timely manner. I don’t just let them fall by the wayside. You know, it’s very important that we collaborate together as we go through these types of standards.

And really, again, hope that you found today’s webinar valuable. And should you need any assistance, we’re here to help. Thank you so much.
