How Can Your Organization Achieve GLBA Compliance?
Whether you are looking to fulfill your obligations under the Gramm-Leach-Bliley Act (GLBA), or to protect your clients’ sensitive financial information more broadly, Delta Risk can help you.
We offer a comprehensive suite of cyber security services, including:
- ActiveInsight – Advisory services assess your current security program and identify GLBA compliance gaps. We can also test your defenses and train your workforce.
- ActiveEye – Managed security services and professional services can supplement your technical security operations.
- ActiveResponse – Our coach, hunt, and breach response services can help you identify and respond quickly to threats, and stay in compliance with the GLBA standards.
Financial institutions must comply with a wide variety of regulations, but the major cyber security regulation in the financial industry is the GLBA. Passed in 1999, the GLBA is also known as the Financial Services Modernization Act.
GLBA was notable because it repealed the Glass-Steagall Act's 1933 prohibition on affiliations between commercial banks, securities firms, and insurance companies. Relevant to today's cyber security issues, GLBA also includes provisions to protect consumer financial information.
Most people are familiar with the act because it requires organizations to disclose their privacy policies to their customers. However, GLBA requires much more than disclosing privacy statements.
There are many federal regulators with overlapping jurisdiction in the financial sector. The Federal Financial Institutions Examination Council (FFIEC), a formal interagency body rather than a regulator in its own right, issues uniform guidance on GLBA compliance so that institutions do not have to reconcile differing expectations from each agency. Its members include:
- The Board of Governors of the Federal Reserve System (FRB)
- The Federal Deposit Insurance Corporation (FDIC)
- The National Credit Union Administration (NCUA)
- The Office of the Comptroller of the Currency (OCC)
- The Consumer Financial Protection Bureau (CFPB), as well as a representative of the State Liaison Committee (SLC).
Does GLBA Apply to Me?
GLBA applies to any financial institution. The act defines a financial institution as any organization that is "significantly engaged" in providing financial products or services. If your organization is a bank, mortgage broker, real estate settlement firm, or insurance firm, GLBA applies to you. In addition to traditional financial institutions, GLBA can also apply to payday lenders, tax preparers, and courier services. It can even apply to car dealers and other lenders.
What Information Do I Have to Protect?
If you are a financial institution as defined by the act, you must safeguard nonpublic personal information (NPI). NPI is GLBA's own term: personally identifiable financial information that a consumer provides to you, that results from a transaction with you, or that you otherwise obtain in connection with providing a financial product or service. It overlaps with, but is narrower than, the general notion of personally identifiable information (PII). NPI can include information like:
- Names, addresses, phone numbers, Social Security numbers
- Bank account numbers, credit card numbers
- Income, credit history, or other information provided on an application
The GLBA limits how you share this information, who you share this information with, and what you must do to protect it.
How Must I Protect NPI? GLBA Requirements
The GLBA requirements are broken down into two main rules: The Privacy Rule and the Safeguards Rule. Specific security requirements are detailed in FFIEC and Federal Trade Commission (FTC) guidance.
The overall security requirement of GLBA, which appears in Section 501(b) of the act, states that financial institutions must protect the confidentiality, integrity, and security of NPI through administrative, technical, and physical safeguards. That means developing and implementing a comprehensive cyber security program, conducting a risk analysis, and monitoring and testing the program. These requirements are similar to those mandated in other industries, notably the healthcare sector.
More specifically, Section 501(b) sets three objectives that every financial institution's safeguards must meet:
- Ensure the security and confidentiality of customer information;
- Protect against any anticipated threats or hazards to the security or integrity of such records; and
- Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.
This is where the FFIEC comes in to harmonize the steps federal regulators mandate or suggest you take to meet these requirements. This guidance suggests you:
- Document network configurations and changes
- Monitor and test your networks for anomalies
- Train employees on cyber security matters
- Track and report network activities
- Implement technical security measures such as encryption and access controls
- Develop an incident response plan
You are also responsible for making sure your affiliates and service providers take reasonable steps to safeguard consumer information.
Consequences of GLBA Non-compliance
The consequences of failing to comply with GLBA can be severe. For each violation, your organization could be fined up to $100,000. Officers and directors can also be fined up to $10,000 per violation. Non-compliance can also carry criminal penalties, including imprisonment for up to five years.
In addition to the direct consequences of noncompliance with GLBA, failure to implement sufficient cyber security measures can create a host of other problems. Your organization may face claims from customers or class action lawsuits. Your directors could be held personally liable in a shareholder derivative suit. Most importantly, if you do not have adequate protections, your company's reputation will suffer.
Compliance risk or not, it is imperative that you have the best cyber defense.