The Gramm-Leach-Bliley Act (GLBA) is one of the central regulations for financial services companies.
Among other things, GLBA requires covered entities to establish, implement, monitor, and maintain a written information security program. This written plan should address ensuring the security and confidentiality of customer data, protecting against threats to the safety and integrity of that data, and limiting unauthorized access to information that could harm customers if it were released. When the cybersecurity program has been effectively established and maintenance protocols are in place, the organization has a proactive security posture while maintaining the readiness GLBA requires.
The two key rules within the GLBA are the Financial Privacy Rule (16 CFR Part 313) and the Safeguards Rule (16 CFR Part 314). Both rules dictate how covered institutions manage customer data: the Financial Privacy Rule governs data collection and disclosure, while the Safeguards Rule governs data security. Additionally, institutions covered by the Safeguards Rule must take steps to ensure that their service providers and affiliates protect customer data as well.
1. Designate a Coordinator for the InfoSec Program
First, a company must designate a coordinator for the information security program.
The coordinator, often given the Chief Information Security Officer title, will implement and supervise programs to ensure the company addresses information security risk in a comprehensive manner. The program should address at least the following three topics:
- Employee and management training
- Information systems and processing
- Protection from, detection of, and response to attacks
2. Identify Internal and External Data Risks
The company needs to identify internal and external security risks that could result in theft, misuse, alteration, or destruction of data. Companies may do this internally, but smaller companies frequently hire consultants to perform comprehensive security reviews.
3. Design, Implement, and Build a Program to Test Safeguards
Next, the company should design, implement, and build a program to test its information security safeguards. Third-party consultants can provide independent security assessments and supply penetration testers to attack the network. The program should run on a regular basis so that it stays current as security threats evolve and advance.
4. Oversee Third Party Providers
It is also crucial for security teams to oversee third-party providers. Several recent major breaches have resulted from inadequate supervision of third parties. GLBA spells out two ways covered entities should interact with their vendors:
- When selecting vendors, covered entities should ensure the third parties can design and maintain effective safeguards.
- The covered entity should require the vendor to maintain and update the safeguards so they remain effective.
5. Review and Amend the Program
Finally, GLBA requires companies to review and amend the program. GLBA calls out a few reasons why a company may need to update its security program:
- Operational changes
- Testing failures
- New regulations