What is GLBA & Why Now Post

The Gramm-Leach-Bliley Act (GLBA) was originally passed in 1999, so why is everyone talking about it now?

GLBA, also known as the Financial Services Modernization Act of 1999, regulates financial institutions and governs the security standards meant to protect customer data. In October of 2021, the Federal Trade Commission (FTC) published a final rule which amended the Standards for Safeguarding Customer Information (commonly referred to as Safeguards Rule) under GLBA. For many organizations, compliance with the FTC’s updated Safeguards Rule is required by December 6, 2022 – only a few short months away.

The updated rule broadens the definition of “financial institution,” increases accountability, and provides additional implementation guidance. Follow along as we break down key points you need to know about GLBA compliance.

Who Does GLBA Apply to?

One of the most impactful updates made to the GLBA Safeguards Rule is the broadening of the term “financial institution.” Financial Institution now includes entities engaged in activities the Federal Reserve Board determines to be incidental to financial activities. Companies that bring together buyers and sellers (also known as finders) into scope.

This expanded definition means that we are seeing many organizations facing GLBA compliance for the first time. Here are a few examples of organizations now included in GLBA compliance:

• Income tax return preparers
• Dealerships leasing a car long term — longer than 90 days
• Businesses printing and selling checks on behalf of customers or wiring money
• Businesses engaging in cash checking services
• Real estate settlement services
• Organizations appraising real estate or personal property
• Mortgage brokers

What Other GLBA Changes Do I Need to Know About?

There are two additional categories the GLBA Safeguards Rule update to focus on: 1) increasing accountability and 2) providing additional implementation guidance. Let’s take a moment to review a few of these provisions:

• Requiring organizations to designate a specific, qualified individual responsible for the information security program
• Requiring written risk assessments and corresponding mitigation implementation. One notable example of this is related to user access and the implementation of multi-factor authentication and data encryption.
• Mandating periodic reports to leadership such as the board of directors or other governing bodies. Such reports should be given regularly, annually at a minimum, and outline the current state of the information system program, compliance management, and an overview of any material event regarding cybersecurity.
• Promoting continuous monitoring through a combination of vulnerability assessments, penetration testing, and continuous network monitoring.
• Implementing policies and procedures around employee education including security awareness training and strategic communication to employees regarding relevant risks.
• Strengthening vendor management practices to ensure that third-party service providers accessing their client information maintain data security measures commensurate with their own data security programs. 

Having a strong partner can ease the burden of GLBA compliance by developing policies, fulfilling assessment requirements, and performing continuous monitoring tasks. Do you need assistance becoming GLBA compliant or meeting certain requirements? We’re here to help. Book a meeting with our Principal Consultant, Mike Skinner, here.