What you Need to Know: An Update on the GLBA Safeguards Rule

With the expanding scope of cyberattacks on financial institutions and a substantial increase in fraud, government and industry oversight bodies are stepping up with new regulations and requirements to protect consumers. One of the most recent examples are the updates to the Gramm-Leach Bliley Act (GLBA). 

After 20 years of regulating information security policies for financial institutions, the GLBA Safeguards Rule is getting a facelift to continue driving strong privacy and security requirements for all financial institutions. The end goal is to protect the personal data of consumers. 

The GLBA is a federal law enacted in 1999 to control the ways financial institutions deal with the private information of individuals. The act is framed within 3 sections:

  1. The Financial Privacy Rule regulates the collection and disclosure of private financial information.
  2. The Safeguards Rule stipulates that financial institutions must implement security programs to protect such information.
  3. The Pretexting provisions prohibit the practice of pretexting or accessing private information using false pretenses. 

The act also requires financial institutions to give customers written privacy policy notices that explain their information-sharing practices.

In the last quarter of 2021, the Federal Trade Commission (FTC) announced a number of important changes to the Safeguards Rule, bringing the GLBA in line with much more stringent security frameworks. Here’s a breakdown of the most relevant changes: 

  • Access Controls Periodic review of access controls, including “technical and physical controls” to limit access only to authorized users and restricted to necessary customer information.
  • Multi-Factor Authentication: Implementation of MFA to access any information system or the implementation of other equivalent or stronger controls.
  • Data and Systems Inventory: Maintain an up-to-date inventory of the data in the financial institution’s possession, the systems on which (and facilities where) that data is collected, stored or transmitted, and an understanding of the relevant portions of applicable systems and their importance.
  • Encryption of all customer information in transit and at rest: When shared internally, data need not be encrypted in transit.
  • Secure Applications: Adoption of secure development practices for applications developed in-house and the assessment of externally developed applications.
  • Change Management: Adoption of procedures governing changes to a company’s safeguards. This includes monitoring all access to customer information for suspicious activity, including any unauthorized access or use.
  • Secure disposal of data: Require organizations to securely dispose of customer information when it no longer serves a legitimate business use.
  • System Monitoring: Intrusion detection through monitoring all access to customer information for suspicious activity, including any unauthorized access or use. If a company is unable to implement it, it must perform annual penetration testing and twice-yearly vulnerability assessments.
  • Risk assessments: Maintain a formal risk management program, including a written risk assessment and procedures for addressing threats.
  • Incident Response: Development of a written incident response plan (IRP) that meets specific criteria. (This section does not apply to organizations holding information on fewer than 5,000 customers).
  • Vendor Risk Management: Periodic risk assessment of 3rd-party service providers to ensure cloud services and other providers are using adequate security controls.

It also adds a requirement for the appointment of a single “Qualified Individual'' to oversee the program and report to the board of directors or an equivalent governing body. This addition reinforces its priority and provides flexibility to apply all the mentioned requirements.

Finally, the Safeguard Rule update has an effective date of January 10, 2022. It will apply to all financial services institutions, banks, and non-bank financial institutions such as fintechs, mortgage brokers, credit reporting agencies, and accountants.

How can Okta help?

Complying with new, robust requirements may seem daunting, especially with potential additions coming. But the best security programs begin with a good IAM strategy. Okta offers both customer identity and workforce solutions for financial services companies that enable compliance for each of the updated GLBA requirements: 

  • Identity Governance provides an integrated approach that allows governance to play a crucial and connected role with access management. 
  • Universal Directory allows one consolidated view of every user and centralized user management.
  • Lifecycle Management helps automate lifecycle capabilities.
  • Workflows makes it easy to automate and customize identity processes at scale.
  • MFA provides extra controls by choosing from a range of assurance factors— without sacrificing security and customer experience.

But that’s not all…

  • Get reports showing which apps you’ve assigned to which users and who is signed in where—all working to make your auditing and risk assessments painless. 
  • Leverage Okta Solutions to automate the process of granting customers, workforce, or 3rd-party service providers/partners the correct levels of access to the resources they need. 

Put your trust in the hands of experts in the field and leverage Okta’s customer identity cloud and workforce identity cloud solutions for a seamless, easy, and fast way to get your security up-to-date.