In 2023, a cyberattack happens every 39 seconds, and security posture is only getting more critical for businesses. Cybersecurity regulation is also tightening, giving organizations such as financial institutions structure and a common standard to work to. The Gramm-Leach-Bliley Act (GLBA), enacted in November 1999, has three key components: the Financial Privacy Rule, the Safeguards Rule, and the Pretexting provisions, all aimed at protecting consumers' financial information from data breaches and misuse.
Importance of GLBA Compliance for Financial Institutions
In December 2021, the Federal Trade Commission (FTC) amended the Safeguards Rule to keep pace with the current threat landscape, adding new requirements for "financial institutions" to protect the security and confidentiality of customer information. The rule defines "financial institution" broadly, so businesses such as "mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors" must comply.
Specifically, these updates to the Safeguards Rule set out new GLBA compliance requirements and guidance for how financial institutions must handle customer information. They are organized around three kinds of safeguards, administrative, technical, and physical, all aimed at protecting customer privacy and data. For Managed Service Providers (MSPs), staying ahead of fast-changing regulations and frameworks like the Safeguards Rule, GDPR and CCPA means becoming compliant yourself and also helping clients comply. Not only does this protect your clients, it also builds customer trust and establishes you as a strategic partner.
GLBA Compliance Checklist
It can feel daunting to tackle all these new regulations while still staying on top of everyday requirements. Take a look at this GLBA compliance checklist to ensure your MSP is ready to comply.
Administrative safeguards are built to support the security management process, assign different responsibilities for team members, run employee security awareness programs, and more. These are foundational, “first line of defense” items that create a solid structure for more advanced, complex protections.
Assign Specific Roles and Responsibilities to Employees and Outsourced Teams
Restricting access to specific individuals ensures everyone can reach only the files and applications their role requires (least privilege). Logging both authorized and unauthorized access attempts, and actually reviewing those logs, ensures unusual activity is detected quickly. For example, an organization could give bookkeepers access to client income statements and invoices while blocking their view of billing and credit card information.
Run Comprehensive Risk Assessments
Vulnerability scans and regular penetration testing are key to identifying security gaps. A comprehensive assessment weighs the likelihood of each risk against the severity of its impact, so budgets and resources go to the most significant problems first. For example, with a limited security budget, a business should fund protection of its customer data before a large cloud migration project. Note that the amended Safeguards Rule requires the risk assessment itself to be written.
Develop, Implement, and Continuously Iterate a Written Security Program
It is harder than ever to run a cybersecurity program out of the head of one person at a company. 22% of businesses report that they have limited or no resources to respond to a cybersecurity incident. Organizations should plan, write, and implement a formal information security program that spells out how physical and IT assets will be protected, and revisit it as the business and the threats change.
Implement Employee Security Awareness Training
88% of security breaches involve human error, so employee security awareness training is a critical first step in protecting assets. Regular training gives employees the tools to recognize and report suspicious activity such as phishing.
Assess Vendor Compliance
Any third-party vendor should be held to stringent security standards so it does not become the weak point in your network. For example, financial advisors using planning software should assess the platform's compliance and security before entering client data, and again before any deeper integration on the business roadmap.
The next category in the Safeguards Rule, technical safeguards, covers the technology and processes used to protect information systems and the data they hold.
Implement Access Control Measures
This means identifying users by their credentials and then granting only the level of access their role requires. Entry-level employees should not have the same access as C-suite leadership, and regardless of position, multifactor authentication should be used; the amended Safeguards Rule requires it for anyone accessing an information system that holds customer information.
Utilize Strong Encryption Techniques
Encryption converts data into ciphertext, which cannot be read without the secret key. The amended Safeguards Rule requires customer information to be encrypted both in transit over external networks and at rest. Encrypting in layers, storing keys separately from the data they protect, and using AES-256 as the standard cipher (in an authenticated mode such as GCM, so tampering is detected) are all critical components of protecting data.
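To make the "encrypt in layers" and "store keys securely" points concrete, here is an added example (not code from the original page or from Prey) of envelope encryption using AES-256-GCM from the Go standard library: each customer record is encrypted under its own data-encryption key (DEK), and that DEK is in turn encrypted under a key-encryption key (KEK) that is assumed to live in a KMS or HSM rather than next to the data. The record ID, the function names, and the sample record are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is what is stored beside a customer record: the ciphertext plus the
// DEK wrapped under the KEK. The KEK itself is never stored here (assumed to be
// in a KMS/HSM), so a copy of the database alone yields nothing.
type Envelope struct {
	WrappedDEK []byte // DEK sealed under the KEK with AES-256-GCM
	Ciphertext []byte // record sealed under the DEK with AES-256-GCM
}

// newKey returns 32 random bytes, i.e. an AES-256 key.
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext with AES-256-GCM under a fresh
// random 12-byte nonce, which is prepended to the output; aad is authenticated only.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext, tag or aad fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short or key material shredded")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptRecord uses a fresh DEK per record and binds recordID as AAD in both
// layers so an envelope cannot be swapped onto another customer's record.
func EncryptRecord(kek []byte, recordID string, plaintext []byte) (*Envelope, error) {
	dek, err := newKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(recordID))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(recordID))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the DEK with the KEK, then opens the record.
func DecryptRecord(kek []byte, recordID string, env *Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, []byte(recordID))
}

// Shred disposes of a record cryptographically: once the wrapped DEK is gone,
// the ciphertext is unrecoverable even by the KEK holder, backups included.
func Shred(env *Envelope) {
	for i := range env.WrappedDEK {
		env.WrappedDEK[i] = 0
	}
	env.WrappedDEK = nil
}

func main() {
	kek, _ := newKey() // demo only: a real KEK is fetched from a KMS/HSM at runtime
	// Constructed sample record, not real customer data.
	env, _ := EncryptRecord(kek, "client-0042", []byte("acct 12345; SSN 000-00-0000"))
	pt, err := DecryptRecord(kek, "client-0042", env)
	fmt.Printf("decrypted: %q (err=%v)\n", pt, err)
	Shred(env)
	_, err = DecryptRecord(kek, "client-0042", env)
	fmt.Println("after shred:", err)
}
```

Two design points worth noting. First, because the only path to a record runs through its wrapped DEK, Shred doubles as a secure disposal method: deleting a record's wrapped key makes every copy of its ciphertext permanently unreadable, including copies in backups that cannot be selectively erased. Second, GCM is only safe when a nonce is never reused under the same key, which is why the example draws a fresh random nonce on every call and why per-record DEKs (rather than one key for everything) keep the number of encryptions under any single key small.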
Establish Secure Network Architecture
By maintaining segmentation, least privilege, and availability, organizations can shore up their network architecture. The "Zero Trust" model is one way to do this: no user or device is trusted because of where it sits on the network, every request is authenticated and authorized, and there are no whitelisted or specially approved parties who bypass the controls.
Implement Intrusion Detection and Prevention Systems
Even with the strongest controls, attacks can still happen, and attackers will keep probing the architecture. Intrusion detection and prevention systems help mitigate attacks: detection systems continuously inspect network and host activity for signs of compromise and raise alerts, while prevention systems block the traffic or activity they match. Alerts still need people and procedures to act on them.
Regularly Update and Patch Software Systems
Software quickly becomes outdated and is a major source of vulnerabilities. Regular updates keep security fixes in place. For example, a financial organization might use a variety of software for bookkeeping, client communication, marketing, and customer relationships, all with access to a significant amount of confidential client information. Companies should install security updates promptly and track which systems are still unpatched, since a known, unpatched vulnerability is exactly what attackers look for.
Implement Secure Data Disposal Methods
The amended requirements say customer information must be securely disposed of no later than two years after the last date it was used in connection with providing a product or service to the customer, unless it is still needed for a legitimate business purpose or must be retained by law, so confidential information is not stored indefinitely, increasing an organization's liability. Data is best kept for a short period, used appropriately, and then securely discarded.
While many assets and frameworks live digitally, physical safeguards protect the premises, devices, and media where customer information is handled.
Control Access to Sensitive Areas
It is critical for organizations to block unauthorized access to sensitive areas, including data centers and server rooms. Businesses should control who can enter based on job function, and log and review entry to the most critical areas.
Implement Secure Storage Solutions
Strong storage solutions protect data at every point, from in transit to at rest. Wherever users interact with data, a proper storage strategy prevents unauthorized access, including to the physical media: laptops, backup drives, and paper records should be locked away or encrypted. This also involves proper monitoring and maintenance of physical security systems.
Written Procedures for Proper Data Disposal and Incident Response Plan
Written procedures across a variety of uses help standardize a security plan. From data wiping and disposal to a step-by-step incident response plan (which the amended Safeguards Rule now requires in writing), pre-approved written plans help minimize damage, rapidly detect breaches, and respond to any threat quickly and consistently.
The Benefits of Continuous Monitoring for GLBA Compliance
After all of these safeguards are in place, continuous monitoring and updates are needed so the systems do not go out of date and become ineffective. The amended Safeguards Rule requires either continuous monitoring or annual penetration testing plus vulnerability assessments at least every six months, and policies and procedures should be updated with the results. Staying current on evolving threats and best practices is another way managed service providers can uniquely support their clients. It builds trust, creates a competitive edge, and ultimately generates more revenue.
GLBA Compliance for Managed Service Providers
With the June 9, 2023, compliance deadline approaching quickly, it is critical for companies to focus on GLBA compliance and the Safeguards Rule. Run through this checklist to see where your organization currently stands, and dive deeper into the new requirements to help your MSP customers adopt them. Financial institutions should prioritize and invest in cybersecurity, and MSP vendors are perfectly positioned to help businesses navigate these transitions.
To learn more about mobile device management and security, visit Prey to stay in control of your remote assets. For laptops, tablets, and mobile devices, track locations and keep assets secure. Start a free trial today to see how Prey tracks, manages, and protects your organization's devices.