The Federal Trade Commission (FTC) has proposed changes to the cybersecurity and privacy rules under the Gramm-Leach-Bliley Act (GLBA) that will bring additional compliance mandates for financial institutions. The changes, if enacted, will force a broad range of businesses to implement extensive new safeguards across the people, process, and technology disciplines.

The commission issued detailed proposals that broaden the GLBA’s Safeguards Rule and Financial Privacy Rule (Privacy Rule) and has set aside 60 days for comments. The Safeguards Rule requires that covered financial entities develop, implement, and maintain a comprehensive risk-based information security program, while the Privacy Rule safeguards customers’ personal data. FTC proposals stipulate that financial companies:

• Encrypt all customer data
• Implement effective access controls
• Adopt multifactor authentication (MFA) for access to consumer data

The commission also proposes that financial entities hire a chief information security officer (CISO) to oversee the security program and submit periodic reports to the firm’s board of directors. Businesses that hold data of 5,000 or fewer customers would be exempt from certain rules.

Given the GLBA’s expansive definition of what constitutes a financial institution, the rules will likely affect businesses across a swath of sectors. Under GLBA, a financial institution can include:

• Certain mortgage brokers
• Money-transfer service providers
• Retailers
• Automobile dealerships
• Property and real estate appraisers
• Professional income tax preparers
• Some travel agencies

The proposed changes signal a rising tide of regulations that require financial firms to implement a top-down, risk-based security program. Proposals are based on cybersecurity regulations issued by the New York Department of Financial Services (23 NYCRR 500).

Taken together, these proposals reflect an escalating concern that data-rich businesses are expanding the attack surface by retaining too much customer information. Most financial firms will need to either implement or update records management processes, update workflows and processes to destroy the data, and automate data destruction.

Below, we’ve summarized additional amendments and top challenges that will face the financial industry.

5 challenges of the new cybersecurity and privacy rules

1. Appoint a CISO to oversee security

The FTC proposals obligate financial institutions to hire a CISO (or equivalent) to establish governance and oversee a cybersecurity program that is based on an assessment of individual risk. This person will be required to report in writing on the status of the information security program and compliance, as well as material matters related to the security program, at least once a year to the institution’s board of directors.

2. Encrypt all customer data

The proposals mandate that organizations encrypt all customer information, both in transit and at rest, to protect against unauthorized use and access. This can stretch the resources of an already inundated IT staff.

3. Apply multifactor authentication (MFA)

The FTC designates MFA as a “minimum standard” for access to customer information. Deploying the safeguard will require that firms map data across the organization to identify the information and applications that must be protected and will require a robust IT architecture.

4. Individualized training for employees

Under the proposed rules, financial institutions will need to develop effective training for employees who handle, access, or dispose of customer data. Training and awareness must be based on an individual, risk-based security assessment, and employees in different roles will require different training.

5. Data minimization

Financial entities will be required to implement a data retention policy for the secure disposal of customer information in any format that is no longer necessary for legitimate business purposes. The FTC doesn’t specify what constitutes legitimate business purposes and is seeking comments to define the term.

Additional amendments

The FTC also proposed the following amendments:

• Access controls
• Secure custom applications
• Audit trails
• Monitor users
• Continuous monitoring
• Assess service providers
• Incident response plans

Start now with CohnReznick

Financial institutions will need to begin implementing these changes as soon as possible. Financial firms can jump-start their compliance efforts by mapping the requirements of the proposed rules against their current IT state to understand gaps and priorities. Those that need outside help should engage outsourcers or consultants now, rather than waiting until the last minute.

CohnReznick has decades of experience helping financial services firms design, implement, and operate risk-based cybersecurity and privacy programs. We can help you meet new cybersecurity and privacy requirements and achieve compliance with today’s evolving regulations.

Contact

Jeremy Swan, Managing Principal, Financial Sponsors and Financial Services Industry, (212) 297-0400