Incoming: Proposed Changes to GLBA Cybersecurity Requirements
On March 5, 2019, the Federal Trade Commission (FTC) published a request for comment on a proposed amendment that adds cybersecurity requirements to the Gramm-Leach-Bliley Act (GLBA).
The FTC is proposing to add more detailed requirements to the Safeguards Rule, which governs the information security programs financial institutions must implement to protect customer data. You can see the current status of the public comments here.
Cybersecurity Requirements to the Gramm-Leach-Bliley Act (GLBA)
Under the proposed amendment, the Chief Information Security Officer does not have to be an employee of the financial institution but can be an employee of an affiliate or a service provider. This proposed change accommodates financial institutions that prefer to retain an outside expert or lack the resources to employ their own information security staff. GLBA currently requires the designation of an “employee or employees to coordinate [the] information security program.” The amendment would change this to require the designation of a single individual, referred to as a CISO, as responsible for overseeing and implementing the program, and would allow the position to be filled by a third-party provider.
Other Proposed Changes
- Adding requirements to financial institutions’ risk assessments, including that it must be written, describe how the information security program will address the identified risks, and be performed periodically.
- Requiring information systems to include audit trails designed to detect and respond to security events.
How Sedara Can Help You with GLBA
Sedara is a premier provider of information security services focusing on Compliance, vCISO, Risk Assessments, SIEM, EDR, and Pen-Testing. We know that it takes an innovative and flexible approach to provide meaningful, value-added security services to today’s businesses or organizations. By working with Sedara on a Cybersecurity Program, your organization will have the benefit of an experienced and dedicated cybersecurity team.
Contact Sedara for a Cybersecurity Assessment.
Subscribe to Sedara Declassified to get timely updates on new and evolving threats – and what to do about them – just like our clients do.