The Federal Trade Commission (FTC) recently announced an update to the Gramm-Leach-Bliley Act’s (GLBA) Safeguards Rule. According to the rule, certain financial institutions must meet several data security requirements to protect customers’ personal financial information and the institutions' own sensitive data.
These amendments were intended to take effect on December 9, 2022, but on November 15, the FTC announced a six-month delay to the Safeguards Rule provisions. This gives institutions until June 9, 2023, to update their data security to comply with the new ruling. If you’d like to read more for yourself, you can do so on the FTC’s official site.
Expanded Definition of a Financial Institution
The definition of a financial institution “means any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.” This new definition now extends to businesses such as:
The FTC published the amended Safeguards Rule on December 9, 2021, and some portions of the amendments to the Rule came into effect on January 10, 2022. The remaining provisions were scheduled to go into effect on December 9 of the same year, but the FTC delayed the effective date. This was in response to a public comment letter submitted by the Small Business Administration claiming a need for more qualified personnel to implement the information security programs.
Financial institutions now have some breathing room to implement these changes before the ruling fully takes effect this June. These delayed amendments include:
Qualified Security Individual
A covered financial institution must designate a qualified individual to be responsible for implementing and overseeing the information security program. The amended Safeguards Rule allows institutions to use a third-party service provider as their qualified individual, since not every company that falls under the financial umbrella has the resources to hire such a person, and some would prefer to pool resources and share management of their data security.
The Safeguards Rule sets new requirements on how financial institutions that maintain customer information for 5,000 or more consumers must conduct risk assessments, which now include three new stipulations. First, the assessment must state the criteria for evaluating and categorizing the threats or security risks the institution faces. Second, it must state the criteria for assessing the confidentiality, integrity, and availability of the institution's information systems and customer information. Finally, it must describe how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address those risks.
Financial institutions will be required to implement technical and physical access controls that authenticate only authorized users, along with limiting authorized users’ access to information based on their duties and functions. Institutions must also implement other access requirements like multifactor authentication.
Financial institutions will be required to encrypt all customer data, whether in transit or at rest. If encryption isn’t feasible for certain institutions, they can secure the information through alternative measures as long as the controls are reviewed and approved by the qualified individual.
Financial institutions are required to provide all personnel with security awareness training and update any existing training to reflect identified security risks. Additional training should be given so personnel are able to address relevant security risks.
Incident Response Plan
Institutions that maintain information for 5,000 or more consumers must establish a written incident response plan that addresses:
Financial institutions that maintain information for 5,000 or more consumers will be required to have continuous monitoring in place to detect changes in information systems that could result in vulnerabilities. Alternatively, they could use annual penetration testing or vulnerability assessments every six months, including systemic scans or reviews.
Institutions are required to develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last time the data was in use unless it’s required for business operations. They are also required to review data retention policies to minimize the retention of data.
Preparing for Change
If you fall under the new definition of a financial institution and don’t have the means of maintaining your data security internally, it may be time to look for external sources. IntegriTel is a telecom, IT, and cybersecurity expert that handles all of your new data security needs with ease. We can monitor your services, keep you up to date with the latest compliance requirements, and ensure that all of your data and your customers’ data is protected at all hours of the day. If you need a digital security solution, contact IntegriTel today.