GLBA Risk Assessments: A Key 1st Step in GLBA Compliance

By Akash Desai, Director, ERMProtect IT Security Consulting

The Gramm–Leach–Bliley Act (GLBA) is a federal law in the United States that governs how financial institutions handle individuals’ sensitive information. Under this act, financial institutions need to spell out how they collect, process, and share their customers’ information and how they safeguard it.

The GLBA risk assessment is an organization’s starting point for GLBA compliance. A risk assessment, such as those performed by ERMProtect, is important because no organization has unlimited budgets.

The Value of Risk Assessments

Risk assessments help organizations prioritize risks so that most of their budget goes toward protecting areas that are at the highest risk.

These risk assessments are important because they:

  • Provide critical insights into the data collected, where it is stored, the controls in place to restrict access to it, and other security safeguards, thus allowing institutions to gain a deep understanding of what could be at risk.
  • Validate security controls in place, ensuring that customer data is handled securely in the financial institution.
  • Identify risks and vulnerabilities that, if not mitigated, could easily throw an institution’s GLBA compliance pursuit off the rails.
  • Provide ratings on the identified risks, helping with decisions about what risks need to be addressed first.
  • Result in remediation steps that financial institutions can take to plug cybersecurity deficiencies that could be easily exploited by a malicious actor.
  • Offer financial institutions a chance to adjust their information security program and develop a stronger posture with every assessment.
  • Help financial institutions to demonstrate to customers and stakeholders their proactive efforts toward managing risks.
  • Demonstrate commitment to data security practices to regulators.

Does GLBA Apply To Your Organization?

GLBA applies to all financial institutions that provide financial products or services such as:

  • Banks and credit unions
  • Financial advisory firms
  • Real estate firms
  • Mortgage lenders and brokers
  • Insurance companies
  • Investment firms and advisors
  • Money transfer services
  • Securities firms
  • Tax preparation services
  • Payday lenders
  • Non-bank lenders
  • Courier services
  • Stockbrokers

GLBA protects consumers and customers of these services, wherein a consumer is someone who obtains financial services for personal use and customers are a sub-category of consumers who have an ongoing relationship with a financial institution.

As an example, an individual who has applied for a credit card and shares personal information with a financial institution is a consumer. And an individual who is provided with a credit card account and is now using the card for ongoing transactions establishes a long-term relationship with the financial institution, thus becoming a customer. All customers are consumers but not vice versa.

Nonpublic Personal Information (NPI)

GLBA aims to protect Nonpublic Personal Information (NPI). NPI is any information that helps identify an individual and is not public in nature, such as the personal details an individual shares with a financial institution to obtain a service or perform a transaction. Examples of NPI include an individual’s name, address, a phone number that is not publicly listed, Social Security number, account numbers, account balances, purchases made through credit or debit cards, and so on.

What are the GLBA Requirements?

GLBA is enforced by federal and state agencies including the Federal Trade Commission (FTC), and banking regulators such as the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve, and the Office of the Comptroller of the Currency (OCC). The GLBA has certain compliance requirements that organizations must follow:

The Privacy Rule

The Privacy Rule requires institutions to provide customers with their privacy practices and offer them the right to opt out of data sharing services. The privacy notice should include details such as what information is collected about the consumer/customer, disclosures of where that information will be shared, how the information will be used, and how the NPI will be protected by the financial institution.

The Safeguards Rule

The Safeguards Rule requires financial institutions to develop, implement and maintain a comprehensive information security program. The idea here is to safeguard the NPI from cyber incidents and attacks.

Financial institutions must implement a combination of administrative, technical, and physical controls to protect customer NPI. As per the GLBA Safeguards Rule, the information security program must designate a qualified employee, such as a security officer, who is responsible for overseeing, implementing, and enforcing the information security program.

The institution also needs to perform risk assessments that identify risks to NPI. The risk assessment should be periodically conducted to ensure identification of new risks and/or control gaps and to address them diligently.

Cybersecurity safeguards in the areas of access control, encryption, multi-factor authentication, secure data disposal, secure development of in-house applications, change management, and third-party management should also be in place.

The institution also needs to perform regular vulnerability assessments and penetration tests and remediate the issues identified in a timely manner.

Furthermore, an incident response plan is also a critical part of the institution’s information security program that enables containment and swift recovery in case of incidents.

Lastly, if a financial institution faces a security incident that involves at least 500 customers, it must notify the FTC by submitting a Safeguards Rule security event report within 30 days of the event.

The Pretexting Rule

The Pretexting Rule aims to counter identity theft: it prohibits obtaining NPI through deception, social engineering tactics, or similar attacks. Financial institutions must have stringent access control mechanisms in place that enforce least-privilege access based on employees’ roles and responsibilities, so that unauthorized access to sensitive resources is prevented.

Financial institutions also need to hold security awareness training sessions for employees to make them aware of pretexting schemes and to train them not to act on requests that rest on false pretenses or deception.

Steps to Conduct a GLBA Risk Assessment

So how do you perform a GLBA risk assessment?

  1. You start by scoping out the assets that need to be analyzed. This scoping exercise should consider which assets are critical in terms of dealing with customer information, including any third-party relationships as well. All departments, applications, and third parties handling customer information should be included in the scope of the assessment.
  2. The next step is to create an inventory of assets within the institution. This can go a long way in narrowing down the scope of the assessment and saving a lot of time and resources in the process.
  3. Next, the organization must identify the potential threats the institution might face and assess the likelihood that each threat may materialize as well as the level of damage it would cause. This step involves ranking the threats to prioritize them, and validating the controls in the institution that could counteract or manage the risks posed by these threats.
  4. The organization also needs to review its risk management process to understand:
    • How it remediates or treats the risks that are identified
    • What risks remain after remediation (also known as residual risk)
    • What processes it has implemented to continuously monitor the institution’s compliance. These include reports from vulnerability assessments and penetration tests as well as the institution’s information security program.
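
The steps above can be carried through on a small risk register. The following Python example is added here to illustrate them and is not code from the article or from ERMProtect; the 1-5 likelihood and impact scales, the residual-risk formula, the threshold, and all assets and threats are constructed assumptions, not anything GLBA prescribes.

```python
"""Toy GLBA risk register: scope the assets that handle NPI (steps 1-2),
rate threats by likelihood and impact (step 3), then compute inherent and
residual risk to prioritize treatment (step 4).
Scales and formulas are assumptions for this example."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    handles_npi: bool          # only NPI-handling assets are in scope
    third_party: bool = False  # vendors with NPI access stay in scope too


@dataclass
class Threat:
    asset: str
    description: str
    likelihood: int               # 1 (rare) .. 5 (expected)
    impact: int                   # 1 (negligible) .. 5 (severe)
    control_effectiveness: float  # 0.0 (no control) .. 1.0 (fully mitigating)

    def inherent(self) -> int:
        """Risk before controls: likelihood x impact, range 1..25."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Risk left after existing controls (assumed linear reduction)."""
        return round(self.inherent() * (1 - self.control_effectiveness), 1)


def in_scope(assets):
    """Steps 1-2: keep the inventory entries that touch customer NPI."""
    return {a.name for a in assets if a.handles_npi}


def prioritize(assets, threats, residual_threshold=8.0):
    """Steps 3-4: rank in-scope threats by residual risk and flag those
    above the (assumed) threshold as needing treatment first."""
    scope = in_scope(assets)
    ranked = sorted((t for t in threats if t.asset in scope),
                    key=lambda t: (t.residual(), t.inherent()), reverse=True)
    return [(t.asset, t.description, t.inherent(), t.residual(),
             t.residual() > residual_threshold) for t in ranked]


# Constructed sample inventory and threat list (not from a real institution).
ASSETS = [
    Asset("core-banking-db", handles_npi=True),
    Asset("marketing-site", handles_npi=False),
    Asset("statement-print-vendor", handles_npi=True, third_party=True),
]
THREATS = [
    Threat("core-banking-db", "Injection flaw in customer portal", 3, 5, 0.8),
    Threat("core-banking-db", "Pretexting call to helpdesk resets a password", 4, 4, 0.25),
    Threat("statement-print-vendor", "Vendor loses unencrypted backup media", 2, 5, 0.0),
    Threat("marketing-site", "Website defacement", 4, 2, 0.5),
]

if __name__ == "__main__":
    for row in prioritize(ASSETS, THREATS):
        print(row)
```

The out-of-scope marketing site drops out, and the two highest residual risks are the ones with weak or absent controls, which is exactly the ordering the assessment is meant to surface.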

Preparing for a GLBA risk assessment could appear to be a tedious task, but if financial institutions take a structured approach towards attaining compliance, then navigating through the compliance process is a lot easier.

What are GLBA Compliance Best Practices?

Having a structured roadmap towards attaining GLBA compliance can make the entire process quite painless. In fact, once you have a repeatable process in place, it’s just like clockwork year after year. Here are some key aspects you need to keep in mind:

  • Information Security Program: Implement and maintain an information security program as per the GLBA information security guidelines including administrative, technical, and physical safeguards. An institution’s information security program should encompass all the evolving business and regulatory needs of the institution.

Information security programs should cover end-to-end security processes for protecting data and information. Also, make sure you review and update the program at least annually or whenever there are changes in business processes or if you encounter a significant incident that needs you to make changes to the information security program.

  • Access Control: Having strong access control principles implemented at your institution goes a long way in warding off unauthorized access to sensitive data. The principle of least privilege should be implemented to ensure that the minimum levels of privilege an employee needs to perform the job are provided.

Also, access should be reviewed and monitored continuously to look for signs of malicious activity and to minimize the risk of unauthorized exposure of sensitive information. Use mechanisms such as multi-factor authentication to strengthen access control for sensitive information.

  • Inventory: Maintaining an inventory of information assets encompassing people, third parties, processes, data, applications, servers, and so on is important to effectively track them and classify them based on their criticality.

Inventorying also helps with scoping assets for assessments and identifying potential risks and threats to them. Maintaining an up-to-date inventory is critical to plan and prioritize efforts for GLBA compliance.

  • Encryption: Encryption plays a significant role in protecting data from unauthorized access when sensitive data is at rest or in transit. As per GLBA Section 501(b), financial institutions should have safeguards in place for protecting the security and confidentiality of NPI. Encryption of data ensures that NPI is protected from unauthorized access and threats. In the event such data is breached, it will be very difficult for an attacker to decrypt and view it if strong encryption has been employed.
  • Data Retention and Disposal: A sensitive data retention and disposal policy should be implemented, maintained, and enforced that justifies the data retention and disposal process being followed.

This process should align with the financial institution’s business needs as well as legal and regulatory requirements. As per GLBA, unused customer data that hasn’t been used to serve a customer for two years should be disposed of safely unless there is some legal or business need not to do so. Periodic review of data retention practices should be performed to reduce risks associated with holding on to data longer than needed.

  • Change Management: Change management policies and procedures should be implemented. Change management is a structured process for managing modifications to an organization’s IT environment so that they are conducted in a controlled and secure manner. All changes should be tracked, and processes should be enforced to prevent unauthorized or unwanted changes. This ensures changes are authorized, reducing the risk of introducing security vulnerabilities.
  • Monitoring: Ongoing monitoring is required to ensure that controls are working as expected. Whether it is user access monitoring, third party monitoring, or network monitoring, continuous monitoring is a modern-day reality. Today’s technological offerings such as SIEM, IDS, IPS, and log management tools help significantly with real-time monitoring and detection of anomalous behavior.
  • Training: Employees need to be trained in privacy policies and procedures to ensure they understand and acknowledge their responsibilities. They also need to be provided with security awareness training that covers the latest attacks and threats, which they could face while performing their jobs, such as pretexting or social engineering attacks used to trick them into giving out sensitive information. The training program needs to be updated regularly to cover the organization’s latest threat landscape.
  • Vulnerability Assessments and Penetration Tests: Vulnerability assessments help identify potential risks and vulnerabilities in the infrastructure. Penetration tests go further than just identifying vulnerabilities. They provide insight into how attackers could leverage identified vulnerabilities and cause damage to the network or infrastructure.

GLBA mandates ongoing vulnerability assessments and penetration tests at least yearly. These tests help with compliance but also play a crucial role in building a robust cyber security posture.

  • Periodic Reviews: Financial institutions should conduct periodic reviews of their privacy policy and information security programs to identify gaps and update them. Organizations must keep evolving the policies and procedures to suit the needs of the institution’s business and compliance goals.
  • Third-Party Risk Management: Financial institutions sometimes outsource services to third parties that might need access to NPI. In such cases, remember that the onus of GLBA compliance remains on the institution. Financial institutions must ensure contracts with third parties cover GLBA requirements for protection of NPI as well as the Safeguards Rule. Additionally, third parties need to be monitored regularly to ensure they are complying with the requirements.
  • Incident Response Plan: A robust incident response plan is important to help your organization contain, respond to, and recover from a cybersecurity incident. The goal is to contain a threat, while also enabling quick recovery and minimum damage. Be sure to update the incident response plan regularly to address new threats and vulnerabilities. Also, test the plan in a simulated exercise at least once a year.

When Should Organizations Conduct GLBA Risk Assessments?

GLBA risk assessments should be conducted at least annually or:

  • Whenever there is significant change in the financial institution, such as adopting new systems or technology for handling customer data
  • Whenever a new third-party service provider is brought on board who would have access to sensitive information
  • After a financial institution has a security incident

Remember: Compliance Isn’t Security

It is important to remember that compliance with GLBA does not automatically mean good security. In fact, if you focus solely on GLBA risk assessments and compliance, chances are that you will leave gaps in security. Take into consideration the organization’s broader cybersecurity requirements. Compliance often falls into place by itself as a result of a robust security program.

For more information on GLBA risk assessments or any cybersecurity needs, please email Judy Miller at [email protected] or call 305-447-6750.

About the Author

Akash Desai is a Director of Consulting for ERMProtect. For more than 21 years, he has combined technical expertise with creativity and problem-solving acumen to create innovations and solutions that address challenging cybersecurity problems. His past accomplishments at the prestigious CERT® Coordination Center and the innovative Carnegie Mellon CyLab bear witness to his goal-oriented approach to cybersecurity’s biggest issues in the areas of insider threat, intrusion prevention, proactive and agile cyber-defense, and security awareness training. At ERMProtect, he is the brain behind the innovative ERMProtect cybersecurity awareness training practice and he has led several, highly complex cybersecurity projects and project teams.
