Law firm: Baker, Donelson, Bearman, Caldwell & Berkowitz, PC

December 9, 2021 - The much-anticipated updates to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule are finally here. On Oct. 27, 2021, the Federal Trade Commission (FTC) approved its final rule amending the Safeguards Rule. This concludes an amendment process that lasted over two years.

Established in 2003, the Safeguards Rule sets forth the foundational requirements of an information security program that covered financial institutions must implement to protect the non-public personal information of their customers. The original rule contained very few specific requirements and allowed financial institutions much flexibility and discretion in protecting the confidentiality and security of customer information.

While the amendments still afford some flexibility, they now include detailed criteria that financial institutions must implement. This includes specific security controls, new requirements for risk assessments, and new accountability and reporting requirements to boards of directors. The amendments continue the trend of state, federal, and industry regulations requiring financial institutions to implement proactive measures designed to mitigate the threat of cyber-attacks.

The new amendments only apply to financial institutions that are within the FTC's jurisdiction. These include non-banking financial institutions such as mortgage lenders, mortgage brokers, payday lenders, professional tax preparers, check cashing businesses, collection agencies, non-federally insured credit unions, and real estate appraisers.

The following highlights the new requirements of the Safeguards Rule and what financial institutions can be doing to ensure compliance with the new rule.

Designation of a 'Qualified Individual': The new rule requires financial institutions to designate a single person referred to as a "Qualified Individual" to be responsible for its information security program. This is a change from the current rule that allows "one or more people" to have this responsibility. There is some latitude in addressing this requirement as the individual does not have to be an employee and there are no specific experience or educational requirements for this role.

Additional requirements for risk assessments: The amendments add to the requirement that financial institutions identify reasonably foreseeable internal and external risks to customer information that could result in potential compromise. The FTC's amendments now require that those risk assessments: (1) be in writing and (2) include the specific criteria used to evaluate those risks.

According to comments from the FTC, the criteria are intended to support a high-level assessment that (1) identifies and evaluates the risks faced by the financial institution; (2) evaluates the adequacy of existing controls for addressing those risks; and (3) identifies how those risks can be mitigated. The FTC has stressed that financial institutions have flexibility in building the criteria into their risk assessment process: they may employ whatever methods are most suitable for their organization, as long as those methods satisfy the general requirements of the rule.

New specific security controls required: Financial institutions will now be required, with some exceptions, to implement specific new security controls, including technical and physical controls to limit access to customer information only to authorized users, and multi-factor authentication (MFA) for access to any information system that contains customer information.

All customer information must be encrypted both at rest and in transit over external networks. The new amendments do provide an exception to this requirement if a financial institution determines that such encryption is not feasible and other compensating controls are used.

Financial institutions must also have the following systems in place:

• Intrusion detection: continuous monitoring and logging to identify user activity and detect potential unauthorized activity within its environment.

• Data and systems inventory: identifying and understanding the data, devices, systems, and facilities that enable the financial institution to achieve its business purposes in accordance with its risk strategy and business objectives.

• Penetration testing and vulnerability scanning: completing annual penetration testing on all systems, and vulnerability scanning and assessments every six months.

Reporting to boards of directors: In an effort to improve accountability on data security issues, the "Qualified Individual" is required to issue an annual written report to a financial institution's board of directors or equivalent governing body addressing: (1) the overall status of the information security program and compliance with the Safeguards Rule and (2) material matters related to the information security program such as risk assessments, testing results, security events, and recommendations for changes in the program.

Expanded definition of 'Financial Institution' to include 'Finders': The amendments expand the definition of "financial institution" to include entities engaged in activities that the Federal Reserve Board determines to be "incidental" to financial activities.

Specifically, the definition now includes "finders," which are companies that bring together buyers and sellers of a financial product or service. The expansion harmonizes this rule with the rules of other federal agencies as "finders" often collect and maintain sensitive customer information.

Incident response plan requirements: Financial institutions are required to create a written incident response plan that addresses, among other things, internal processes for responding to a security incident, responsibilities and decision-making authority of incident response team members, requirements for remediating any identified weaknesses in information systems and controls, and documentation and reporting regarding the response to security events.

Oversight of service providers: In addition to conducting due diligence in selecting service providers that can maintain appropriate safeguards for customer information and requiring such safeguards in a written contract, financial institutions must now periodically assess their service providers based upon the potential risk they pose and the adequacy of their safeguards.

Enhanced training requirements: The amendments require financial institutions to update the training for their employees based upon risk assessments and/or changes in practices. Verification that these training requirements have been met is also required.

New requirements for a 'Security Event': The definition of a "security event" was expanded to include unauthorized access to physical records and events where there is a "disruption or misuse of" an information system. According to comments from the FTC, this is designed to include incidents where there may not be unauthorized access to customer information. Financial institutions must ensure that their incident response plans address this expanded definition.

The majority of the substantive amendments will go into effect near the end of 2022. Between now and then, covered financial institutions should audit their current information security program and assess any modifications required to comply with the new rule. This includes evaluating risk assessment processes, designating a "Qualified Individual" to be responsible for the program, reviewing processes for reporting on data security issues to the board of directors, assessing security controls, and updating the incident response plan. These steps are recommended proactive measures that all financial institutions should take to mitigate the numerous threats present in the current cyber landscape and to comply with their obligations to safeguard customer information.

In addition to approving these updates to the Safeguards Rule, the FTC issued a request for comments with respect to a new proposal on notification requirements. The proposal would require financial institutions to report certain security events to the FTC when a financial institution determines that there has been misuse of customer information and at least 1,000 customers have been or may reasonably be affected.

The FTC would make any reported information public through a database that would be updated periodically. The FTC is soliciting written comments to this rule for 60 days after it is published in the Federal Register.

