FTC Strengthens GLBA Information Security Requirements for Non-Bank Financial Institutions

The Federal Trade Commission (FTC) recently announced significant new information security requirements for non-bank financial institutions subject to the Gramm-Leach-Bliley Act (GLBA). The new requirements are incorporated into the FTC's Standards for Safeguarding Customer Information (Safeguards Rule), which updates the FTC's original GLBA Safeguards Rule from 2002 (Original Rule).

The Safeguards Rule applies to covered "financial institutions," which broadly includes non-bank entities "engaging in an activity that is financial in nature or incidental to such financial activities." This definition encompasses many companies that may not describe themselves as financial institutions, such as non-bank and alternative lenders.

Covered financial institutions must comply with the majority of the new Safeguards Rule requirement by late 2022. Several provisions, which generally track the requirements of the Original Rule, go into effect 30 days after the new rule's publication. As soon as practicable, such institutions should assess their existing information security programs and map out their path to compliance with the new rule.

The newly updated rule expands the Original Rule's definition of "financial institutions" by adding entities engaged in activities that are incidental to financial activities and by explicitly including "finders"—companies that bring together buyers and sellers of products and services. While the inclusion of "finders" potentially broadens the definition of "financial institutions" significantly, the FTC states that the term does not encompass finders engaged in only non-consumer transactions or that have "only isolated interactions with consumers" and do not receive "customer information."

The new Safeguards Rule is substantially more prescriptive than the Original Rule and significantly mirrors the New York Department of Financial Services (NYDFS) Cybersecurity Regulation. Key requirements of the Safeguards Rule include:

• Written Information Security Program
  
  Financial institutions must adopt a comprehensive, written program for safeguarding customer information. The information security program must include administrative, technical, and physical safeguards that are appropriate to the institution's size and complexity, the nature of its operations, and the sensitivity of the customer information it handles.
• Designation of a Qualified Individual
  
  A "qualified individual" must be designated to oversee, implement, and enforce the financial institution's information security program. This Qualified Individual may be an employee or an outside consultant.
• Written Reports to the Board of Directors
  
  The Qualified Individual must create a written report at least annually to provide to the financial institution's governing body. The report must include information about the overall status of the information security program and compliance with the Safeguards Rule and must identify material matters related to the information security program.
• Periodic Risk Assessments
  
  Financial institutions must conduct periodic risk assessments. Those risk assessments must be in writing and include:
  
  • Criteria for evaluating and categorizing of security risks and threats;
  • Criteria for assessing the confidentiality, integrity, and availability of the financial institutions' information systems and customer information; and
  • Requirements for mitigating or accepting identified risks.
• Program Design Based on Risk Assessment Outcomes
  
  As with the NYDFS Cybersecurity Regulation, the risk assessments required by the Safeguards Rule are not simply a compliance exercise. They are a cornerstone of how financial institutions are to demonstrate the sufficiency of their information security programs.
  
  The Safeguard Rule explicitly requires financial institutions to base their information security programs on risk assessments and to design and implement information security safeguards identified through the risk assessment. At least on paper, the Safeguards Rule provides financial institutions with flexibility in developing their information security program—provided that the program can be justified by the institution's risk assessments.
• Access and Authentication Controls
  
  Financial institutions must implement and periodically review access and authentication controls to prevent unauthorized access to customer information and to limit access by authorized individuals to what is needed for legitimate business purposes (often referred to as the "principle of least privilege").
• Encryption of Customer Information at Rest and in Transit
  
  If a financial institution determines that encryption is infeasible, it may adopt effective compensating controls as approved by the Qualified Individual.
• Multifactor Authentication
  
  Multifactor authentication (MFA) must be implemented for systems that contain customer information unless the Qualified Individual has approved an equivalent or stronger control. The Safeguards Rule's MFA requirement mirrors recent actions by NYDFS and the U.S. Securities and Exchange Commission, discussed in a prior DWT blog post, which have enforced the use of MFA for Internet-facing systems.
• Oversight of Service Providers
  
  The Safeguards Rule adopts the Original Rule's requirements that financial institutions take reasonable steps to select and retain service providers capable of safeguarding customer information and to mandate service providers' safeguards by contract. The Safeguards Rule adds a requirement that financial institutions must periodically assess service providers based on the risks they present and the adequacy of their safeguards.
• Penetration Testing and Vulnerability Scanning
  
  Financial institutions must undergo penetration testing annually and vulnerability scanning every six months. Penetration tests and vulnerability scans must address the risks and vulnerabilities identified in the institution's required risk assessment.
• Data Retention and Disposal
  
  Financial institutions must adopt controls for securely disposing of customer information no later than two years after the last date that the information was used, unless retention is otherwise required or necessary for legitimate business purposes.
• Incident Response Plan
  
  Financial institutions must establish a written incident response plan that addresses:
  
  • The goals of the incident response plan;
  • The internal processes for responding to a security event;
  • The definition of clear roles, responsibilities and levels of decision-making authority;
  • External and internal communications and information sharing;
  • Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
  • Documentation and reporting regarding security events and related incident response activities; and
  • The evaluation and revision as necessary of the incident response plan following a security event.

The Safeguards Rule also requires financial institutions to adopt various controls to address data inventorying and classification, secure development of in-house applications, change management procedures for their IT environments, employee training, and other areas.

Notably, several requirements do not apply to financial institutions that maintain customer information of fewer than 5,000 customers. Such institutions are not required to include certain details in their risk assessments, undergo penetration testing or vulnerability scanning, document their information security program in writing, or have their Qualified Individual regularly report to the institution's governing body about the information security program.