Update to FTC GLBA Safeguards Rule

On October 27, 2021, the FTC published revisions to Part 314: The Standards for Safeguarding Customer Information.  It outlines a set of requirements that “financial institutions” must adhere to in order to protect sensitive customer information.  It basically includes a deadline of 1 year, or October 27, 2022 for compliance - and we all know that date will be here quickly.

The good news: if you are a bank or federally insured credit union, you can sit this one out.  While we expect cyber regulations and guidance to continue to grow and become more prescriptive in the coming years in ALL industries, the new requirements do not affect banks or NCUA-insured credit unions.

The bad news: if your business is defined by the FTC’s new rules as a “financial institution” (read on for that list), then you need to become very familiar with the material outlined in this blog post as it will change (or maybe establish) how you MUST manage cybersecurity going forward.

The FTC defines a “financial institution” as:

• Mortgage Lenders
• Pay Day Lenders
• Finance Companies
• Mortgage Brokers
• Account Services
• Check Cashers
• Wire Transferors
• Travel Agencies (operated in connection with financial services)
• Collection Agencies
• Financial Advisors
• Tax Preparation Firms
• Non-Federally Insured Credit Unions

The Rule basically says that these businesses must develop and maintain a risk-based information security program (ISP) with administrative, technical, and physical controls to appropriately protect customer information. (Just some good ole’ fashioned information security there, folks!)

It goes on to spell out, in great detail, how that will be done.  I’ll try to cover those items as concisely as possible in this post.

BTW - I think what the FTC is doing here is removing room for interpretation as much as they can.  I’m sure they’ve heard businesses argue that they didn’t need such-and-such control because they did a risk assessment (in their head, mind you) and found it to be unnecessary.  It feels like they are tired of that game and are making this more black-and-white.  There was a TON of pushback on this new rule, but I feel it’s for good reason: sometimes people only take things seriously when it’s a law.  Unfortunately, cybersecurity happens to be one of those things for MANY people and businesses.

In order to develop, implement, and maintain an information security program, the rule requires that “financial institutions”:

1. Designate a “Qualified Individual” responsible for the information security program.  A couple of takeaways here: 1. THIS IS the FIRST thing they prescribe- that’s because all the other requirements should be managed by this role. Start here first when building your program. 2.  Notice that they went out of their way to make sure the person is “qualified”.  No fancy names here.  By appointing someone to this role, it’s like you are attesting to the fact that this individual is QUALIFIED.  It’s like the FTC read all of our Friday 5 blog posts when they were making this rule.  We’ve been saying for years that cybersecurity starts with solid leadership and the person needs to be QUALIFIED.  You don’t have your neighbor’s kid prepare your taxes or create your will.  It’s the same here.
   
   
   • Keep in mind, it’s not just IT people that are qualified to manage information security programs, it’s a different skill set.  They need to be able to do things like risk assessments and write policies and incident response plans, and deliver annual reports to your board. Keep this in mind when naming this role.
     
     
   • The good news is that the FTC gave businesses the option to either directly employ the “Qualified Individual” OR they can turn to a service provider to fill this role.  This would be a Qualified-Individual-as-a-Service (QIaaS) or Virtual Qualified Individual (VQI).
     
     
   • OK, shameless plug here: This kind of service for banks and credit unions is our flagship offering here at Bedel Security.  We’ve been developing, implementing, and maintaining their information security programs as a Virtual CISO service since 2015.  We are actively developing Qualified Individual Services to comply with the FTC GLBA Safeguards rule.  Email us at support@bedelsecurity.com to learn how we can help you.  – End shameless plug –
2. Perform a risk assessment of the various threats to customer information, assessing if you have the right safeguards in place OR if you need to add others.  Keep it updated as needed.  If you have less than 5,000 records, it doesn’t have to be written - If you are in this category, I highly recommend documenting SOMETHING - it’s hard to defend a conversation you had with yourself 8 months ago!
   
   
3. Regularly review access controls.
   
   
4. Inventory data, people, systems, and facilities - I recommend making this part of the risk assessment.
   
   
5. Encrypt all customer information in transit and at rest. Your “Qualified Individual” or VQI can approve other effective means of security - again, make sure that person or firm is “Qualified” so they do this properly.
   
   
6. Adopt secure application development practices (if applicable for you).
   
   
7. Implement MFA for access to systems.  This is another one where your “Qualified Individual” can sign off on equivalent security controls.
   
   
8. Develop secure destruction procedures for information that hasn’t been used for 2 years.
9. Adopt Change Management Procedures.
   
   
10. Monitor and log activity for users to detect unauthorized access.
    
    
11. Regularly test the effectiveness of your safeguards.  This is why banks have regularly scheduled audits by outside firms.  A written risk assessment comes in handy when doing this.  In fact, it’s going to be a real pain without one.
    
    
12. Perform an annual penetration test based on the risk assessment. If you have less than 5,000 records, this doesn’t apply to you.
    
    
13. Perform vulnerability assessments every 6 months based on the risk assessment. If you have less than 5,000 records, this doesn’t apply to you.
    
    
14. Utilize qualified information security personnel (either employees or contractors) to manage and maintain your program.
    
    
15. Ensure users and security personnel receive adequate training.
    
    
16. Oversee your vendors by having a process for selection based on these requirements, contractually requiring they maintain these controls, and periodic re-assessment of those vendors.
    
    
17. Regularly evaluate and adjust this program.
    
    
18. Establish an incident response program - what is your plan if information is lost or stolen? If you have less than 5,000 records, this doesn’t apply to you.
    
    
19. Require your “Qualified Individual” or VQI to annually report to your board of directors on the effectiveness of this program. If you have less than 5,000 records, this doesn’t apply to you.

I know - that’s a lot. If done properly, it has all the makings of a real-deal information security program. But it will be extremely difficult and very time-consuming for someone that doesn’t have experience building and maintaining an ISP. AND you only have 10 months to implement all the requirements.

My recommendation is to start by identifying your Qualified Individual or a Virtual Qualified Individual and have them implement these pieces in cooperation with your IT staff or IT provider. Don’t do it the other way around. Most IT staff and IT providers are not experienced in building and maintaining this type of program and you’ll be doing a lot of rework. Look for firms that specialize in virtual ISO, virtual CISO, or CISO-as-a-service offerings in highly regulated industries, such as banking.

If you have any questions on building a program like this, or would like to learn more about how a virtual CISO can fulfill your “Qualified Individual” requirements, drop us a note at support@bedelsecurity.com.