Categories
Compliance

What IT Managers Need To Know About GLBA Before December 2022

Did you know that the new GLBA Safeguards Rule take effect in just 5 short months? That’s right. As of December 9th, 2022, financial institutions must implement additional Safeguards in order to protect customer data. In this article, we’re taking a look at what’s NEW and what that means for IT Managers.

Related Article: “New Technical Security Assessment Requirements For GLBA”

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data. You can read the Act and specifically the Safeguards Rule in all it’s glory here: https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314?toc=1. The website even has a neat way to show the differences between the old version and the new version. You can check that out here: https://www.ecfr.gov/compare/current/to/2021-12-31/title-16/chapter-I/subchapter-C/part-314/section-314.4

5 Modifications to the GLBA Safeguards Rule

On January 10th 2022 the Federal Trade Commission (FTC) issued a final rule to amend the Standards for Safeguarding Customer Information (Safeguards Rule). The Final Rule contains five main modifications to the existing Rule, which are:

1. More information security requirements

The rule adds guidance (aka requirements) on how to develop and implement specific aspects of an overall information security program, such as access controls, authentication, and encryption.

2. Improve information security program accountability

It adds provisions designed to improve the accountability of financial institutions’ information security programs, such as by requiring periodic reports to boards of directors or governing bodies.

3. Exemptions from certain requirements

The following sections of the Rule do not apply to financial institutions that maintain customer information concerning fewer than five thousand consumers:

· Written risk assessment – [(b)(1)]

· Annual penetration test and semi-annual vulnerability assessment – [(d)(2)]

· Written incident response plan – [(h)]

· Annual report to your board – [(i)]

4. Expanded “financial institution” definition

It expands the definition of “financial institution” to include entities engaged in activities the Federal Reserve Board determines to be incidental to financial activities. This change adds “finders”—companies that bring together buyers and sellers of a product or service—within the scope of the Rule.

5. Added definitions & examples

Finally, it defines several terms and provides related examples in the Rule itself rather than incorporates them from the Privacy of Consumer Financial Information Rule (“Privacy Rule”).

What this means for IT managers

Compliance with GLBA may be a NEW requirement for you

The latest amendments to the Safeguards Rule expands the definition of “financial institution”, therefore, entities such as mortgage brokers, payday lenders, auto dealers, collections agencies, real estate appraisers, professional tax preparers, and many others are now be covered by the law.

You have NEW information security requirements to COMPLY with

The amended Safeguards rule adds several new elements to Section 3.14.3 Standards for safeguarding customer information. These are the new requirements that are mentioned in item #1 above. These are very similar to what NY DFS has required within their Cyber Regulation. They are:

1. Oversight

The individual responsible for overseeing and implementing your information security program no longer needs to be an employee. This can be a 3rd party, so long as there is proper oversight and direction of this individual. Keep in mind responsibility for security still lies with your firm!

2. Risk Assessment

Your information security program now needs to be based on a written Risk Assessment. That Risk Assessment must identify internal and external risks to the security, confidentiality and integrity of customer information and assesses the sufficiency of any safeguards in place to control those risks. The Rule also states that organizations must

periodically perform risk assessments with documented criteria for assessing, prioritizing and treating risks.

3. Security Safeguards

Implementation of additional security controls (safeguards) are also now required. Those are:

o Access control reviews & least privilege access

o Inventory and classification of data and systems

o Encryption of customer information

o Secure development practices for in-house built software

o Multifactor authentication

o Secure disposal of customer information, 2 years after use for most cases!

o Change management

o Monitor and log user activity

4. Technical Assessments

Continuous monitoring or an annual penetration test along with a vulnerability assessment once every six months, or after significant changes to the environment.

5. Ensure people are trained & kept up-to-date

Security awareness training is now a requirement along with maintaining qualified information security professionals as well as keeping them trained and up-to-date on the latest threats.

6. Evaluate service Providers

You must now take steps to periodically assess your service providers based on the risk they present and the continued adequacy of their safeguards.

7. Have a written incident response plan

A written incident response plan (IRP) that’s designed to help you promptly respond to and recover from any security event, that could materially impact your organization or customer data, is also now a requirement. Elements of your IRP must include communications, roles and responsibilities, documentation of incidents and lessons learned.

8. Annual report to your board

The individual responsible for your security program must now report in writing at least annually to your board of directors or equivalent governing body. This report must describe the overall status of the security program including compliance to GLBA as well as identify any material risks and the recommended remediations for such risks.

When this takes effect

If you’re reading this before December of 2022, and you feel like you’re missing the mark on some of these. There’s good news! There is still time to implement these Safeguards, since these do not go into effect until December 9th, 2022.

Effective as of December 9th, 2022:

· Oversight of the security program from a qualified individual – [314.4(a)]

· Written risk assessment – [(b)(1)]

· Security Safeguards – [(c)(1) through (8)]

· Annual penetration test and semi-annual vulnerability assessment – [(d)(2)]

· Ensure people are kept up-to-date, including security awareness training and professional security training – [(e)]

· Periodic assessment of service providers – [(f)(3)]

· Written incident response plan – [(h)]

· Annual report to your board – [(i)]

What you should do now

If you’re not sure where you stand with these requirements and how they fit into your security program, that’s ok. Whether compliance with the new Safeguards Rule is new for you or not you likely already have some of these requirements already in place. Here’s a simple 3 step process you can use to evaluate where you stand with the amended Safeguards Rule.

1. Evaluate – Begin by reviewing each of the elements described in the Safeguards rule and evaluate whether or not your current security program meets the requirement.

2. Identify – Identify and document gaps, which are, places where your current processes do not meet the requirement.

3. Implement – Then develop a plan to implement those missing pieces over the next 5 months. Make sure you’re setting deadlines and tracking key milestones to make sure you stay on track. It’s not an easy task, but a doable one.

Our team of Cybersecurity professionals here at SecurIT360 conduct hundreds of Security and Gap Assessments every year and if at any point you’re unsure where you stand, you want help identifying those gaps, or are looking for advice on how to best implement these requirements, please reach out to us. We would be more than happy to help.

Categories
Compliance

UPDATED GLBA Safeguards Rule Implements NEW Technical Security Assessment Requirements

Did you know that the new GLBA Safeguards Rule that takes effect in December 2022 includes new requirements for technical security assessments? If you’re a financial institution that must comply with GLBA, then this article is for you. We’re going to review what those technical security assessments are, what they mean for you, and how to best implement them into your security program. 

Related Article: “What IT Managers Need To Know About GLBA Before December 2022”

What is Gramm-Leach-Bliley Act (GLBA)?

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data. You can read the Act and specifically the Safeguards Rule in all its glory here: https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314?toc=1. The website even has a neat way to show the differences between the old version and the new version. You can check that out here: https://www.ecfr.gov/compare/current/to/2021-12-31/title-16/chapter-I/subchapter-C/part-314/section-314.4

GLBA Safeguards Rule Amendments

On January 10th, 2022 the Federal Trade Commission (FTC) issued a final rule to amend the Standards for Safeguarding Customer Information (Safeguards Rule). The Final Rule contains five main modifications to the existing Rule. In this article, we’re going to take a look at a small subset of the first modification. The Penetration Testing and Vulnerability Assessments requirement.

NEW REQUIREMENT – Penetration Testing and Vulnerability Assessments

The first modification to the existing rule adds additional “guidance”, aka Safeguards or security control requirements. Most notably in the context of this discussion is the requirement to implement either continuous monitoring OR annual penetration testing and semi-annual vulnerability assessments. Most organizations are going to opt for the penetration test and vulnerability assessments, and that is what we’re going to be talking about from here on out.

Annual Penetration Testing

The new Rule states that you must have a penetration test performed once a year.

you shall conduct: (i) Annual penetration testing of your information systems determined each given year based on relevant identified risks in accordance with the risk assessment;”

Unlike continuous monitoring, the Rule does include a definition for Penetration Testing. I’ve highlighted the important parts to pay attention to:

a test methodology in which assessors attempt to circumvent or defeat the security features of an information system by attempting penetration of databases or controls from outside or inside your information systems.

To be honest, that’s quite an interesting definition of a penetration test. It’s not how I would have written it, but nonetheless, that’s what we have to work with. Now let’s focus on the important parts.

According to the Rule, the penetration test must:

  1. Include attempts to circumvent (aka: evade, bypass, etc.) or defeat(aka: disable, impair etc.) security features

  2. Include attempts to penetrate, from inside or outside

Semi-annual Vulnerability Assessments

The new Rule also states that you must perform semi-annual vulnerability assessments.

you shall conduct: (ii) Vulnerability assessments, including any systemic scans or reviews of information systems reasonably designed to identify publicly known security vulnerabilities in your information systems based on the risk assessment, at least every six months; and whenever there are material changes to your operations or business arrangements; and whenever there are circumstances you know or have reason to know may have a material impact on your information security program

Unlike penetration testing, the Rule does not include a definition for vulnerability assessment.

According to the Rule, the vulnerability assessment must:

  1. Be performed twice a year, OR after any material (aka: significant) change to the business, network or infrastructure

  2. Be able to identify publicly known security vulnerabilities

When this takes effect

If you have not performed a penetration test or vulnerability assessment yet this year, then, according to only the GLBA Safeguards Rule, you’re ok. The effective date for these assessments is not until December 9th, 2022, which is when the other requirements in the Safeguards Rule take effect.

What does this all mean?

The GLBA Safeguard Rule was constructed in such a way to instruct organizations on the difference between a vulnerability assessment and a penetration test. We’ve written about the differences before in this article, so we won’t go into detail here. However, put simply, a vulnerability assessment is meant to discover any and all vulnerabilities, and a penetration test is meant to discover and validate via “penetrating”(aka exploiting) those vulnerabilities in order to prove the effectiveness, severity, and impact of those vulnerabilities to the organization.

It is likely no surprise that our security recommendations would fall in line with the GLBA Safeguard Rules because annual penetration testing and regular vulnerability assessments are best practices. We recommend clients have an annual internal and external penetration test performed as well as regular vulnerability assessments. Some clients, who have the resources, even opt to perform these vulnerability assessments quarterly. This is something that our cybersecurity professionals assist clients with on a regular basis.

Not only are we seeing regulatory requirements modified to specifically address this, but cyber insurers are also looking for these assessments to be done regularly. As a matter of fact, for some insurers, it could be a determining factor for getting a cyber insurance policy or not.

What to do next?

Again, if you have not performed a penetration test or vulnerability assessment yet this year, then, according to only the GLBA Safeguards Rule, you’re ok. For now. However, in reality, your organization is likely subject to other regulations and/or requirements so there’s a good chance you may have already had or plan to have a penetration test and vulnerability assessment performed this year. That’s great!

If you’ve never had a penetration test or a vulnerability assessment before and the GLBA Safeguards Rule is all new to you, that’s ok too! Start planning those assessments now. Many firms that offer penetration testing services book several months, sometimes 6-8 months out. So, begin planning, budgeting and scheduling of those activities now. If you are planning a penetration test and you’re not sure what to expect, check out our blog post that talks about what to expect during your upcoming external penetration test.

Lastly, our Offensive Security Team here at SecurIT360 conducts hundreds of penetration tests every year and if at any point you’re unsure where you stand, you want help identifying those gaps, or are looking for advice on how to best implement these requirements, please reach out to us. We would be more than happy to help.