Understanding Updates to the GLBA Safeguards Rule

What makes the financial industry a favorite of cyber adversaries?

The spoils of a successful attack. 

Having access to clients’ hard-earned money and sensitive information, a data security breach can quite literally bankrupt a person or organization that did nothing more than place their trust in a financial institution. Recovery from an attack is a huge endeavor regardless of size, often taking more than a year and costing millions of dollars

It comes as no surprise cyber attacks on financial service providers have only increased in recent years

To meet the ever-present threat of data breaches and other cyber attacks, governments and regulatory entities have made data protection a  top priority in the financial services industry. The Gramm–Leach–Bliley Act’s (GLBA) Safeguards Rule is one of the many laws and regulations on the books designed to protect financial institutions and their clients from catastrophic cyberattacks and data breaches. 

Recently updated by the U.S. Federal Trade Commission (FTC), the newly amended Safeguards Rule changes who must comply with the GLBA and how financial firms manage and protect private data. 


In Brief: The GLBA & the FTC Safeguards Rule 

Also known as the Financial Modernization Act of 1999, the GLBA is a federal law governing financial institutions.

A partial repeal of the Glass-Steagall Act, the GLBA eliminated barriers for banks and other financial institutions from merging. Other provisions of the law set strict rules for how financial firms manage their network security and protect the private data they manage.  

What is the Safeguards Rule?

The Safeguards Rule is one of three GLBA provisions for data protection requirements. At its core, the Safeguards Rule sets standards for how financial institutions create, implement, and maintain cybersecurity and data protection frameworks. 


What’s New With the Safeguards Rule & Why Does it Matter? 

As times change, laws and regulations evolve. 

At the end of October, officials with the U.S. Federal Trade Commission updated the Safeguards Rule — a first in nearly two decades. Driven by the changing landscape of cybersecurity and the nature of cyber attacks, the newest iteration of the Safeguards Rule — dubbed the Final Rule — has four key changes that went into immediate effect:

1. Expanded Definition of “Financial Institution”

Perhaps the biggest change through the Final Rule, the FTC has increased the types of organizations it deems financial institutions. Under the updated definition, “finders” (organizations that bring buyers and sellers together and collect consumer data) and non-banks now must comply with GLBA regulations, including: 

  • Check-cashing businesses
  • Independent lenders
  • Professional tax preparers
  • Mortgage brokers
  • Credit reporting agencies 


2. Cybersecurity Program Guidance 

While the Safeguard Rule already required financial institutions to have some cybersecurity and data protection controls in place, the Final Rule expansion takes things to the next level. The Final Rule requires financial organizations to create a written information security plan, which includes: 

  • Risk assessments that identify in writing the criteria for: 
    • Gauging risks, both internal and external or from vendors and other partners
    • Testing cybersecurity and data privacy framework strength
    • Implementing changes to address identified risks for material weaknesses 
  • Development of a written incident response plan that includes:
    • Protocols for responding to a security breach
    • Reporting/documentation procedures during a breach
    • A defined chain of command and their responsibilities
    • An external and internal communications
    • Steps for remediating material weaknesses 
  • Continuous cybersecurity framework monitoring or periodic penetration tests and vulnerability assessments 
  • Customer data encryption 
  • Multi-factor authentication for those accessing internal information systems
  • Cybersecurity and data privacy employee training 


3. Increased Accountability & Transparency 

Making financial institutions more engaged in complying with the Final Rule updates, GLBA-covered organizations must:

  • Designate a “qualified individual” to oversee, implement, and enforce its information security program. 
  • Make periodic reports to their board of directors and other governing bodies on the state of their information security program. 


4. Partial Exemption Thresholds

Recognizing the potential monetary burden the amended GBLA compliance places on small businesses, the updated Safeguards Rule does provide some relief. Organizations that collect data for less than 5,000 consumers are exempt from compliance requirements for:

  • Written risk assessments
  • Incident response plan development & implementation
  • Data privacy program reporting to a board of directors 


Simplifying GLBA & Safeguards Rule Compliance

Though considered an overdue upgrade, the modernized Safeguards Rule has changed the landscape of the financial services industry. Organizations previously not held to GLBA compliance face new regulations. Those already held to GLBA compliance now need to implement additional cybersecurity controls. 

Regardless of past experience with GLBA compliance, partnering with a third-party cybersecurity firm provides much-needed expertise to master the new GLBA compliance standards.  

As experts in cybersecurity program design, cybersecurity compliance consulting firms can assist in meeting GLBA Safeguard Rule requirements, such as: 

  • Developing compliant network security and data privacy frameworks
  • Complete comprehensive risk assessments
  • Create thorough incident response plans
  • Periodically testing for vulnerabilities

In addition, a cybersecurity services provider is able to identify duplication between various cybersecurity regulations, such as those set by the Federal Financial Institutions Examination Council. This allows your organization to efficiently maintain compliance across a variety of regulations or standards. 


Cybersecurity and Financial Institutions, a Necessary Pairing 

While rules and regulations change due to the cyber threat landscape, the need for securing private data never does. 

In the financial sector, compliance with laws such as the GLBA and its Safeguards Rule is not about checking a box to avoid a fine — it protects your organization and its clients from financial ruin. 

Ensure Your Financial Organization is In-step With the GLBA & Safeguards Rule 

Work with our team to develop the necessary frameworks for GLBA compliance. 


Share This Post