Understanding the GLBA Updates for Standards for Safeguarding Customer Information
The new GLBA updates go into effect this Friday, June 9, 2023. Are you ready?
In an ever-evolving digital landscape, the need to protect sensitive customer information has become paramount. The financial services industry, in particular, faces unique challenges in safeguarding data, given the constant threat of cyber attacks. To address these concerns, the Gramm-Leach-Bliley Act (GLBA) was enacted in 1999, establishing standards for protecting consumer financial information. As technology continues to advance, updates to GLBA (effective June 9, 2023) ensure that financial institutions remain resilient in the face of evolving cybersecurity risks. In this blog post, we explore the GLBA updates and their significance for the cybersecurity landscape.
Overview of GLBA
GLBA, also known as the Financial Services Modernization Act, requires financial institutions to explain their information-sharing practices and to safeguard sensitive customer data. This act mandates that institutions develop, implement, and maintain an information security program to protect consumer information.
The updates explicitly require financial institutions to develop, implement, and maintain a comprehensive information security program to:
- Ensure the security and confidentiality of customer information
- Protect against any anticipated threats or hazards to the security or integrity of such information
- Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer
The aim is to address emerging cybersecurity threats and ensure that financial institutions stay ahead of the curve.
The key elements of the GLBA updates are as follows:
Information Security Officer: GLBA requires financial institutions to “designate a qualified individual responsible for overseeing and implementing your information security program and enforcing your information security program.” Institutions need an Information Security Officer (ISO). This can be an employee, an affiliate, or even a service provider.
If an institution utilizes a service provider or an affiliate, it must still:
- Retain responsibility for compliance with GLBA
- Designate a senior member to be responsible for the direction and oversight of the Qualified Individual
- Require the service provider or affiliate to maintain an information security program that protects the institution in accordance with GLBA
In summary: the ISO will be responsible for owning the information security program and answering to the information owners (e.g., CEO, board, etc.).
Risk Assessment: Institutions’ information security programs must be based on periodic risk assessments. The updates emphasize the importance of conducting a thorough risk assessment to identify potential vulnerabilities and assess the level of risk associated with various data assets. This process enables organizations to prioritize their cybersecurity efforts and allocate resources effectively.
Security Controls: The updates reinforce the need for robust security controls to protect customer information and control risk. Institutions are required to implement and assess comprehensive administrative, physical, and technical controls. These controls must include access controls, data labeling and classification, encryption, secure SDLC for in-house developed applications, multi-factor authentication, secure disposal and data retention, change management, and policies and procedures.
Incident Response: Financial institutions must establish and maintain an incident response plan, detailing how they will detect, respond to, and recover from security incidents promptly. This proactive approach places increased emphasis on incident response and recovery capabilities to minimize the impact of potential breaches and ensure swift remediation.
Third-Party Oversight: Financial institutions often rely on third-party service providers to manage critical functions. The updates call for institutions’ enhanced oversight and due diligence when engaging with third-party service providers to manage critical functions. Institutions must assess the cybersecurity practices of their vendors, including the evaluation of contractual safeguards and ongoing monitoring of their performance.
Employee Training and Awareness: The updates stress the importance of regular training and awareness programs for employees, recognizing their vital role in maintaining cybersecurity. Financial institutions should provide comprehensive cybersecurity training to employees to ensure they are equipped to identify and respond to potential threats effectively.
Benefits of the GLBA Updates
The updates to GLBA offer several advantages to financial institutions:
Enhanced Cybersecurity: By implementing the necessary security controls and conducting risk assessments, financial institutions will significantly bolster their cybersecurity posture. This proactive approach reduces the likelihood of successful cyber attacks and strengthens overall resilience.
Improved Customer Trust: As customers become increasingly concerned about the security of their financial information, institutions’ compliance with GLBA updates demonstrates their commitment to data protection. By safeguarding customer data effectively, financial institutions can build trust and foster long-term relationships with their customers.
Regulatory Compliance: Adhering to the updated GLBA standards ensures that financial institutions remain compliant with evolving regulatory requirements. By staying ahead of compliance obligations, organizations can avoid costly penalties and reputational damage associated with non-compliance.
Competitive Advantage: In an industry where data breaches can have severe consequences, demonstrating a robust cybersecurity posture can be a competitive advantage. Financial institutions that prioritize data protection and invest in comprehensive security measures are more likely to attract and retain customers in an increasingly security-conscious market.
Need to ensure your organization is compliant with the GLBA updates? Our comprehensive services cover all update areas – from overall cybersecurity compliance to cyber risk and security control assessments to security training. To learn how Summit can help contact us.
