GLBA is About to Get a Cybersecurity Upgrade

If you aren’t a regular reader of the Federal Register, you may have missed a proposed upgrade for safeguarding customer information.

Background

When the Gramm-Leach-Bliley Act, fondly known as GLBA, was enacted in 1999, we were worried about Y2K, a gallon of gas cost $1.22, and SpongeBob SquarePants had just premiered on Nickelodeon. The term “cybersecurity” had yet to be used in the ubiquitous context it is today. GLBA was introduced to require financial institutions to provide customers with information about privacy practices and opt-out rights.

By 2002, we had the first American Idol winner (Kelly Clarkson) and the Safeguards Rule (issued under Title V of GLBA) requiring a comprehensive security program. The Safeguards Rule provided a general framework still in use today, requiring financial institutions to have a written information security program that was appropriate to the type of information handled, and to protect against unauthorized access to customer data.

The Upgrade

A lot has changed since 2002. By 2010 a gallon of gas was up to $2.73, Apple had released the iPad, and data breaches (either through hacks or carelessness) were becoming commonplace. And in 2016, the FTC started looking at whether more specific requirements were needed under the Safeguards Rule.

New York State’s Department of Financial Services (DFS) issued 23 NYCRR 500 – Cybersecurity Requirements for Financial Services Companies – in 2017, a regulation we have written about and worked with extensively in our client base. After a phased approach, the New York regulation is now fully in effect for companies regulated by DFS.

Upgrades to the Safeguards Rule are based on 23 NYCRR 500 and the insurance data security model law.

Our Top 10: What’s New

1. The definition of financial institution now includes finders. It already included car dealers, mortgage brokers, and investment advisers, plus organizations many people wouldn’t consider financial institutions, like accountants, check printers, and career counselors specializing in finance personnel.
2. Multi-factor authentication is required, AND SMS text messages are not allowed as a factor.
3. There must be one employee (versus the old “employees”) appointed to coordinate the information security program. The person doesn’t have to have the CISO title, but has to act like one. They also have to provide written reports to the company’s Board of Directors.
4. Risk Assessments: Infosec programs must be based on a risk assessment of systems and data, and document the criteria used for evaluation. Mitigation plans must also be identified, and risk assessments must be performed periodically to re-examine risks as threats change.
5. Encrypt all customer information both in transit and at rest. Encryption in transit has become fairly common; at rest, less so.
6. Follow secure software development practices.
7. Conduct security awareness training for all employees, plus additional training for employees with more access.
8. Implement an audit trail capable of detecting compromise.
9. Develop a written incident response plan.
10. Assess service providers (not new); monitor and re-assess service providers over the life of the contract (new).

Our Analysis

Having worked with many clients implementing the 23 NYCRR 500 rule, we find these proposed amendments manageable and necessary. Does that mean easy? Or cheap? It depends. A framework is just that – the structure we build around to create a security program. Clarifying what a security program must include forces organizations to think strategically and identify what is most important to protect.

As proposed, the amendments to the Safeguards Rule force companies to examine the WHY but still provide a lot of flexibility in the HOW. They don’t require the purchase of the latest and greatest cyber defense technology. They don’t require you to outsource or appoint a third party as your CISO (although we hope you consider it). They eliminate or reduce some requirements for organizations with fewer than 5,000 records. And with the internal reporting requirement, they force leadership, whether it be a board or executives, to accept responsibility for consumer data and for operating the system at an acceptable level of risk.

Our Advice

If your business falls under the definition of financial institution, review the proposed standards here. Learn more about 23 NYCRR 500 here, or read the regulation here. Then start thinking about gaps you may have in your security program, and unmitigated risks. Managing risks and improving security maturity doesn’t happen overnight, but it will happen if there’s a plan in place. Every proposed change is a step toward making your business more resilient, if implemented thoughtfully.

You can also comment on the proposed revisions, as long as you do so by June 3, 2019.