Incoming: Proposed Changes to GLBA Cybersecurity Requirements
On March 5, 2019 The Federal Trade Commission (FTC) published a request for comment on a proposed amendment that adds cybersecurity requirements to the Gramm-Leach-Bliley Act (GLBA). The FTC is proposing to add more detailed requirements to the Safeguards Rule, which governs the information security programs financial institutions must implement to protect customer data.
You can see the current status of the public comments here.
Under the proposed amendment, the Chief Information Security Officer need not be an employee of the financial institution but can be an employee of an affiliate or a service provider. This proposed change is meant to accommodate financial institutions that may prefer to retain an outside expert or lack the resources to employ their own information security staff qualified to oversee a program. GLBA currently requires the designation of an “employee or employees to coordinate [the] information security program.” This is being changed to require designation of a single individual, referred to as a CISO, as responsible for overseeing and implementing the program. This would allow for the position to be open to a third party provider.
Other proposed changes include:
Sedara is a premier provider of information security services focusing on Compliance, vCISO, Risk Assessments, SIEM, EDR, and Pen-Testing. We know that it takes an innovative and flexible approach to provide meaningful, value-added security services to today’s businesses or organizations. By working with Sedara on a Cybersecurity Program, your organization will have the benefit of an experienced and dedicated cybersecurity team.
Contact Sedara for a Cybersecurity Assessment
- Adding requirements to financial institutions’ risk assessments, including that the assessment must be written, describe how the information security program will address the identified risks, and be performed periodically.
- Requiring information systems to include audit trails designed to detect and respond to security events.