GLBA Compliance

Overview

  • GLBA applies to companies that provide financial products or services to consumers. This includes: banks, mortgage brokers, insurance firms, real estate appraisers, tax preparation businesses, check-cashing businesses, accountants, ATM operators and others.

There are two main security- and privacy-related provisions under GLBA:

  • Safeguards Rule

Introduced under Section 501(b) of GLBA and issued by the Federal Trade Commission (FTC), the rule aims to:

    • Ensure the security and confidentiality of customer records and information.
    • Protect against any anticipated threats or hazards to the security or integrity of such records.
    • Protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.

  • Privacy Rule

Required by Section 504(a) of GLBA and also issued by the FTC, this rule:

    • Requires financial institutions to provide their customers with a notice of privacy policies and practices.
    • Prohibits financial institutions from disclosing nonpublic personal information about a consumer to “nonaffiliated” third parties, unless the consumer has agreed to share the information.
  • In particular, financial companies must have a written information security plan in place. As part of this plan, entities must, among other things: identify and assess their risks to customer information; implement a “safeguards program” and regularly monitor and test it; and manage the selection of appropriate service providers.
  • Through its Information Security Examination Handbook, the FFIEC, in conjunction with its member agencies, has defined a process-based approach for complying with GLBA.

Among the guidance: financial institutions should test for vulnerabilities, monitor their network for anomalies, implement an incident response program, train staff on security awareness and ensure third parties have adequate security controls in place.

In addition, the FFIEC has released “Authentication in an Internet Banking Environment” (PDF) (PDF Supplement), which prescribes a risk management framework for financial institutions offering online banking. The guidance states that these entities should use adequate methods to authenticate the identity of customers as a way to protect against threats like phishing and account takeover.

  • While financial services companies traditionally are leaders compared to other industries when it comes to the effectiveness of their information security controls, they also remain a significant target of attackers due to the wealth of personal information under their control. Attackers constantly are developing new schemes to perpetrate fraud against these institutions. As Willie Sutton once said, when asked why he robs banks: “Because that’s where the money is.” The mindset is no different for cybercriminals.

Consequences

  • A number of federal and state agencies are responsible for enforcement of GLBA, depending on who the potential violator is. They are: the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corp. (FDIC), the Office of Thrift Supervision, the National Credit Union Administration, the Securities and Exchange Commission, state insurance authorities, the Commodity Futures Trading Commission and the FTC.

| Enforcement Agency | Financial Institution |
|---|---|
| Office of the Comptroller of the Currency | Federal branches and federal agencies of foreign banks |
| Board of Governors of the Federal Reserve System | Member banks of the Federal Reserve System |
| FDIC | Banks insured by the FDIC other than members of the Federal Reserve System |
| Office of Thrift Supervision | Savings associations whose deposits are insured by the FDIC |
| National Credit Union Administration | Federally insured credit unions |
| Securities and Exchange Commission | Brokers and investment companies |
| State insurance authorities | Insurers |
| Commodity Futures Trading Commission | Commodities brokers |
| FTC | Federal institutions not subject to jurisdiction of another agency |

    • A financial institution can be fined up to $100,000 per violation.
    • The officers and directors face civil penalties of $10,000 per violation.
    • Criminal penalties of five years in prison, a fine, or both can be imposed.

Solutions

  • GTIS provides a comprehensive portfolio that can help organizations of any size respond to GLBA regulations.
Plan and Prepare

Conducting a Risk Assessment is the first step to identifying and implementing safeguards necessary to meet compliance. GTIS helps you find gaps that may exist between your current security posture and GLBA requirements. The customizable assessments, scaled individually for your financial institution, include identification of key assets and IT systems, assessment of controls and frameworks and a review of third-party providers and incident response programs.

Address Gaps and Vulnerabilities

GLBA requires companies to protect customer records and information, whether it’s being collected, stored or transmitted. Here are some of the ways we can help:

Data Loss Prevention

Allows you to discover and classify sensitive data and prevent it from leaving the network.

Network Access Control

Ensures managed and unmanaged devices connecting to the network comply with policies and do not introduce malware.

Two-Factor Authentication

Offers a token-less, cloud-based mechanism to prevent password interception and verify the identities of customers.

Web Application Firewall

Protects sensitive data against external attackers who may use vulnerabilities, such as SQL injection, to steal customer information.

SIEM

Helps you gain broad visibility of threats to your network and improve your compliance process through logging, monitoring, and analysis of events.

Incident Readiness and Response

Prepares your staff to proactively identify the indications of a breach and contain it quickly and effectively.

Security Awareness Education

Instructs your employees and contractors to understand the threat of social engineering and follow best practices for security, including the safe use of web and social media tools and password management.

Penetration Testing

Identifies and manages potential vulnerabilities in your networks, applications or databases.