Protecting customers’ personal information isn’t just good business, it’s often a requirement. Now, an updated rule may mean some financial institutions need to review their security and handling practices — and the definition for “financial institution” may come as a surprise for many organizations across industries.

Is your organization prepared to navigate these complex decisions by the December deadline? Read on to get the important details.

What is the Safeguards Rule?

Under the Gramm-Leach-Bliley Act (GLBA), organizations defined as “financial institutions” must keep customer information secure and confidential. The Safeguards Rule, one of three sections of the GLBA, was updated December 9, 2021. With this update, the Federal Trade Commission (FTC) notes that an organization “engaging in an activity that is financial in nature or incidental to such financial activities” is considered a “financial institution” and must comply.

Key changes to the Safeguards Rule will take effect December 6, 2022.

Who must comply with the Safeguards Rule?

Consider these examples of organizations deemed to be “financial institutions” under the Safeguards Rule:

  • Retailers extending a credit card
  • Dealerships leasing a car long term — longer than 90 days
  • Organizations appraising real estate or personal property
  • Counselors helping individuals associated with a financial institution
  • Businesses printing and selling checks on behalf of customers or wiring money
  • Businesses engaging in cash checking services
  • Income tax return preparers
  • Travel agencies
  • Real estate settlement services
  • Mortgage brokers
  • Colleges and universities accepting Title IV funds

What requirements do you need to be aware of?

Effective December 6, 2022, organizations classified as “financial institutions” must implement the following security practices and then review, and periodically update formal policies and procedures, including:

  • Designating a qualified individual to oversee the information security program
  • Developing, implementing, and maintaining a written information security program
  • Completing a written information security risk assessment
  • Design and implement safeguards to control the risks you identify through risk assessment
  • Establishing continuous monitoring of information systems
  • Engaging third-party penetration testing and vulnerability assessments
  • Conducting security awareness training
  • Assessing third-party service providers periodically
  • Establishing a written information incident response program
  • Providing the board or respective group with a written report periodically and at least annually from the qualified individual

Specific controls requirements regarding the implementation of safeguards include:

  • Implementing and reviewing access control
  • Inventorying the systems that handle customer information
  • Identifying and managing data based on risk
  • Encrypting data both in transit and at rest
  • Securing software development practices
  • Requiring the use of multifactor authentication for those accessing the information systems
  • Establishing secure procedures for disposing data
  • Developing change management procedures
  • Implementing logging and monitoring procedures

While these elements must be implemented as part of your information security program, the revised rule is flexible enough to cover large and small “financial institutions” alike. Your specific safeguards must be appropriate for:

  1. The size and complexity of your organization and its operations
  2. The nature and scope of your activities involving customer information
  3. The sensitivity of the customer information you handle

That means you are permitted to implement different programs based upon the scope of your own operations and your assessment of security risks.

What can happen if you’re not compliant?

There are potential penalties for noncompliance with the Safeguards Rule, and penalties for not complying could be of a financial or non-financial nature. There is a maximum charge of $46,517 per consent order violation.

Goliath offers a Complimentary Cyber Risk Analysis to help guide you down the path to Cyber compliance and resilience

Schedule a call with our Cyber Advisory Team

Categories:

Comments are closed