The Federal Trade Commission (FTC) put significant updates into effect on January 10th, 2022, to strengthen the Standards for Safeguarding Customer Information (Safeguards Rule) under the Gramm-Leach-Bliley Act (GLBA) to protect consumer data collected by financial institutions.
The amendment applies to nonbank financial institutions and requires them to develop, implement, and maintain a comprehensive cybersecurity program in order to protect their customers’ information.
Nonbank financial institutions include entities that are engaged in activities that the Federal Reserve Board determined to be related to financial activities, such as automobile dealerships, mortgage brokers, lenders, consumer reporting agencies, etc.
More examples of financial institutions include businesses that often wire money to and from consumers, retailers that issue their own credit cards to consumers, and check cashing businesses.
Businesses like grocery stores that permit people to cash a check, or merchants that let individuals “run a tab”, do not fall under this category.
Financial institutions that have fewer than 5,000 consumers are exempt from the above requirements.
Required Cybersecurity Program Elements
Listed below are the FTC’s new required elements.
Designation of a Qualified Individual
All covered financial institutions are required to designate a Qualified Individual who is responsible for oversight of the cybersecurity program. This can be an employee, an affiliate, or a service provider such as a vCISO. It is important to find someone who can focus fully on cybersecurity rather than on general IT.
Written Risk Assessments
Written risk assessments must include criteria for evaluating identified security risks and for assessing the confidentiality and integrity of information systems.
Encryption of Customer Information
All customer information must be encrypted, both while held and while in transit over external networks. If encryption is infeasible, the covered financial institution must secure the consumer’s information through alternative means that are approved by the Qualified Individual.
Multi-Factor Authentication
Multi-factor authentication must be implemented for any person accessing any information system.
Annual Penetration Testing and Vulnerability Assessments
Penetration testing is required every year, scoped according to the risks identified in the risk assessment. Vulnerability assessments are required every six months; these entail systematic scans or reviews of information systems to identify publicly known security vulnerabilities, again as directed by the risk assessment.
Oversight of Service Providers
It is the responsibility of the covered financial institution to oversee its service providers. Service providers must, by contract, implement safeguards for consumer information.
Annual Report to the Board of Directors
The Qualified Individual must report in writing the overall status of the cybersecurity program and other related matters to a covered financial institution’s board of directors (or other governing body).
The new Safeguards Rule is effective 30 days after the publication date in the Federal Register.
Certain requirements will be effective one year after the date of publication, including:
- Written risk assessments
- Designation of a Qualified Individual
- Yearly penetration testing
- Biannual vulnerability assessments
- Periodic assessment of service providers
- Written incident response plan
- Annual reports to the board of directors or governing body by the Qualified Individual
It’s important to address these rules and regulations for your organization; otherwise, you may end up on this list.
If you’re looking for more in-depth information, you can check out the Federal Register’s website.
Never Miss an Update
Subscribe to Sedara Declassified to get timely updates on new and evolving laws, and what to do about them, just like our clients do.