The Gramm-Leach-Bliley Act (GLBA) has established baseline privacy and cybersecurity standards for financial institutions subject to US Federal Trade Commission oversight.
Originally proposed in 2021, final amendments to the FTC’s Standards for Safeguarding Consumer Information, or the Safeguards Rule, now require organizations held to account under GLBA to meet new requirements for safeguarding consumer data, including how and when to report data breaches – and to implement penetration testing to stay compliant.
As of May this year, organizations impacted by the rule must report data breaches and other security events to the FTC. Here is everything you need to know.
What is the GLBA Safeguards Rule?
The Gramm-Leach-Bliley Act (GLBA), first introduced by the FTC in 1999, was originally intended to encourage modernization in the US financial services industry while setting a benchmark for how organizations offering financial services to consumers share and protect customer information. This aspect of the law is known as the Safeguards Rule.
As technology continues to evolve rapidly, the regulation’s privacy and protection standards have been amended to account for the changing face of the finance industry and modern cyber threats.
In October 2023, the FTC announced substantial changes to how organizations required to comply with GLBA must disclose and report security incidents, including data breaches. Businesses were granted six months to prepare for the amendment, which came into force on May 13, 2024.
Incident notifications: What has changed?
Briefly:
- Mandatory reporting to the FTC for breaches involving 500+ consumers.
- Notification within 30 days of discovering a breach.
- Definition of unencrypted data in the context of compromised encryption keys.
The Safeguards Rule requires that businesses “protect the security and confidentiality of customers’ nonpublic personal information.”
While organizations under GLBA have always been required to develop, implement, and maintain a robust security program to protect client data, the new amendment now requires financial institutions to inform the FTC of security events involving information belonging to at least 500 consumers.
Consumer data that is unencrypted is within the scope of security event notification. However, organizations should note that this means far more than simply records stored in plaintext: if a cyber attacker accesses an encryption key, consumer records are considered compromised and unencrypted under GLBA.
The FTC prefers to be informed as soon as possible, and organizations must do so no later than 30 days after discovering a data breach.
What information is covered by the GLBA Safeguards Rule?
The GLBA intends to protect nonpublic personal information (NPI) and customer data, including any record belonging to a consumer of a financial organization, whether recorded electronically or in another form.
NPI can include Personally Identifiable Information (PII) such as names, home addresses, Social Security numbers, banking information, insurance records, and more.
What organizations need to comply with GLBA?
It would be easy to assume that, as a financially focused piece of legislation, only banks must be compliant with GLBA, the Safeguards Rule, and the new FTC notification requirements.
However, this is not the case. Non-banking financial institutions and organizations that engage in activities that are “financial in nature” may have to comply with GLBA. This includes mortgage lenders, financial services, account services, tax preparation firms, and investment advisors, although this list is far from exhaustive. A recent addition is “finders,” entities that bring together buyers and sellers who negotiate a transaction.
Even if your business is not required to register with the US Securities and Exchange Commission (SEC), you may still need to comply with GLBA.
GLBA penetration testing requirements
Cybersecurity must become an intrinsic part of corporate governance, and penetration testing is a critical component of more than GLBA compliance – it is now necessary to ensure data security, privacy, and cyberattack risk reduction.
As noted by the FTC, the Safeguards Rule “requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.”
GLBA-compliant security programs are only considered suitable if they reflect a business's size and complexity. They must ensure the security and confidentiality of consumer data, reasonably protect this information against cyber threats, and prevent unauthorized access to data that could result in substantial harm or inconvenience to customers.
Section 314.4 of the Safeguards Rule outlines the nine elements of a compliant security program. In summary, organizations are required to:
- Designate a qualified individual to implement and supervise the security program
- Conduct a risk assessment to determine foreseeable risks and cyber threats
- Adopt safeguards to reduce risk exposure
- Implement, monitor, and regularly test the effectiveness of existing safeguards
- Provide employees with security awareness training
- Monitor service providers to ensure they maintain reasonable security levels and controls
- Keep information security programs current and able to handle emerging threats
- Create an incident response plan
- Require the qualified individual responsible for supervising the security program to report to the Board of Directors
Penetration testing is a crucial component of these security programs and is part of a multi-layered security approach. Continual testing can uncover exploitable weaknesses and ensure they are remediated in a reasonable time frame – and before threat actors have the opportunity to infiltrate the network and steal data.
Given its importance, the FTC has defined how organizations should adopt penetration testing to ensure compliance and to demonstrate due diligence in protecting consumer data.
The US regulator requires GLBA-compliant organizations to regularly test the effectiveness of safeguards, and for information systems, “the monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments.” Typically, this will include one annual penetration test and two vulnerability assessments spaced six months apart.
Furthermore, under the Safeguards Rule, the FTC urges annual pen-testing reviews when significant changes to these systems are implemented in accordance with risk assessments. It adds that testing, either through continuous monitoring or via pentesting, should also be performed whenever there are “material changes to your operations or business arrangements.”
Of course, it is best to have a real-world perspective on your security hygiene before a security incident occurs, but as cyberattackers continue to find new ways to exploit corporate systems, this isn’t always the case.
In light of this reality, the regulator also says that organizations must conduct a test whenever “there are circumstances you know or have reason to know may have a material impact on your information security program.”
How Secure Ideas can assist you with GLBA compliance
Secure Ideas leverages its extensive expertise to help you achieve and maintain GLBA compliance efficiently and effectively.
Upon agreement with a client, our cybersecurity experts will perform a penetration test focused on the existing security posture and defense of information held in scope under GLBA, including internal and external network surfaces.
Our comprehensive network review culminates in a detailed assessment, an executive summary, and tailored recommendations to align your systems with GLBA standards and enhance your overall security.
To ensure our clients reach their compliance goals as quickly and efficiently as possible, Secure Ideas security consultants will examine in-scope network surfaces, but our efforts will be concentrated on attack paths to the data of interest for GLBA compliance.
Penetration testing simulates a real-world attack on a client's systems and data to identify vulnerabilities that hackers could exploit. Vulnerability assessments scan for known vulnerabilities across infrastructure and applications.
Client-Focused Benefits:
- Enhanced Security Posture: Identifying and addressing vulnerabilities fortifies your defenses against cyber threats, reduces the risk of breaches, and enhances your organization's security.
- Compliance Assurance: We can assist you in achieving GLBA compliance, providing peace of mind and reducing the risk of regulatory penalties.
- Reduced Risk: Regular testing and monitoring help you stay ahead of emerging threats, minimizing the risk of successful attacks and safeguarding your reputation.
- Expert Guidance: Our experienced cybersecurity professionals offer actionable insights and recommendations, helping you implement effective security controls tailored to your needs.
- Efficient Compliance Process: We streamline the compliance process, focusing on critical attack vectors and delivering targeted remediation strategies to expedite your path to GLBA compliance.
We prioritize the attack vectors most applicable to our clients and their data. As we are dedicated to streamlining the GLBA compliance process for our customers, we focus only on exploits and proofs of concept that pose a significant risk to GLBA systems.
Secure Ideas consultants will give you a real-world understanding and perspective on your cybersecurity posture. Contact us today to discuss your requirements with one of our experts.