Are You Ready to Discuss the GLBA?
A long overdue update, but an update nonetheless...
Another one of those Dan's New Leaf Posts, meant to inspire thought about IT Governance...
"To respond to heightened cybersecurity threat," as they put it, in the fourth quarter of 2021 the Federal Trade Commission (FTC) published changes to the 2003 GLBA Safeguards Rule (Rule 314.4 (c) (3) for you compliance geeks). That new rule went into effect on 01/12/22.
It’s surreal that it has taken so long “to respond to heightened threats.” After all, the FTC updates their rules once every twenty years, whether needed or not!
The changes bring the rule into alignment with modern practices and frameworks. The rule still applies to all financial institutions, and it also covers the fintech companies that have been avoiding scrutiny. In reading the rule, we feel banks that are doing well in their examinations should be in good shape.
Still, if you have been delaying controls due to gray areas in the FFIEC guidance, the rule makes certain things clear. Multi-Factor Authentication (MFA) is no longer optional. Personally Identifiable Information (PII) will be encrypted at rest as well as in motion. Not that it's new for banks, but we of course like that system monitoring is spelled out in the new rule. We're disappointed that the Incident Response Planning part of the new rule does not require incident response plans for organizations with fewer than 5,000 customers... the FTC needs to read The One Test. Finally, we feel the rule further promotes zero trust principles. MSSPs and IAM providers are definitely happy with these changes. In fact, they are saying "finally!"
The rule establishes specifics in the following areas:
- Risk Assessments and Inventory of Systems and Data
- Access Controls, including MFA
- Encryption of data in motion and at rest
- Change Management
- Data Destruction
- Vendor Risk Management
- Incident Response for FIs with more than 5,000 customers
- And, of course, our favorite: System Monitoring
We want to make sure our Clients are aware of this change, as it may spark conversation in your next examination or audit.
I can’t wait for the next update! I wonder, is it currently scheduled for 2042??
Original article by Dan Hadaway, CRISC, CISA, CISM, Founder and Managing Partner, infotex.
Dan's New Leaf is a fun blog to inspire thought in the area of IT Governance.
Speaking of safety: visit offerings.infotex.com to reach out to us and see how infotex can make your financial institution safer!