On March 5, the FTC announced proposed amendments to the Standards for Safeguarding Customer Information under the Gramm-Leach-Bliley Act (“Safeguards Rule” or “Rule”). The FTC version of the Safeguards Rule applies to financial institutions that are not governed by federal banking regulators (e.g., FDIC, Federal Reserve, OCC, and NCUA) or state insurance regulators. Examples of organizations to which The FTC Rule may apply include tax preparation firms, mortgage lenders, mutual fund companies, and university financial aid offices.
The proposed amendments seek to provide “more detailed requirements for the development and establishment of the information security program required under the Rule.” The FTC based the amendments “primarily on the cybersecurity regulations issued by the New York Department of Financial Services [(“NY DFS”)]. . . and the insurance data security model law issued by the National Association of Insurance Commissioners . . . .”
Some of the key proposed amendments to the Safeguards Rule include:
- CISO Requirement: Designation of a single individual responsible for implementing, overseeing and enforcing the financial institution’s security program, including the provision of an annual report to the Board of Directors.
- Detailed Incident Response Plan: Incident response plan that addresses certain areas, including: (a) external and internal communications and information sharing, (b) any notification or reporting requirements imposed by federal or state laws, and (c) the definition of clear roles, responsibilities and levels of decision-making authority.
- Testing of Security Systems: Biannual vulnerability assessment and either “continuous monitoring” or annual penetration testing.
- Encryption: Encryption of all personal information while in transit and at rest, unless the CISO approves alternative means of protection.
- Risk Assessment: Conducting a risk assessment to underpin the information security program; the risk assessment must include details on how the financial institution will address specific identified risks with respect to the sensitivity of the customer information and the financial institution’s systems.
- Periodic Assessment of Service Providers: Periodic assessment of service providers to ensure the service providers maintain adequate safeguards on an ongoing basis.
The expansion of the Safeguards Rule appears to be a reflection of what have become common information security best practices. The federal banking regulators’ versions of the GLBA Safeguards rule have long both pioneered and reflected these practices, and, as a result, have been much more detailed and prescriptive than the FTC version. While in the past there may have been justifications to have more stringent rules for banks, today it is clear that all financial institutions need robust cybersecurity programs to safeguard consumers and investors. Public comments on the proposed amendments must be submitted within 60 days of the proposed rules’ publishing in the Federal Register, which is expected soon.