On July 13, 2020, the Federal Trade Commission (FTC) held a workshop titled “Information Security and Financial Institutions: FTC Workshop to Examine Safeguards Rule.” This workshop discussed the proposed amendments to the Gramm-Leach-Bliley Act’s (GLBA) Safeguards Rule, which requires financial institutions to develop, implement, and maintain a comprehensive information security program. The GLBA Safeguards Rule has not been updated since it went into effect in 2003. The workshop explored the cost of information security for financial institutions, the availability of information security services for smaller financial institutions, and other issues raised in comments received in response to the FTC’s notice of proposed rulemaking.
During the workshop, FTC staff provided the following insights into the proposed amendments to the GLBA Safeguards Rule:
- Designate one qualified individual to be responsible for overseeing the information security program. Although the term Chief Information Security Officer (CISO) is used in the proposed amendments, the FTC staff clarified that the qualified person does not necessarily need to carry the title of a CISO. The FTC staff noted that the necessary qualifications for the responsible individual will likely be dependent on the information security needs of each financial institution.
- Base the information security program on a written risk assessment that must include certain criteria for determining risk and explain how the information security program will address those risks. The FTC staff expressly stated that there is an expectation that risk assessments are to be done on a routine basis; financial institutions cannot complete a risk assessment one time and then never again.
- Provide security awareness training to personnel. The FTC staff recommended that all employees receive basic security training, but information security personnel should receive more in-depth security training. The FTC staff noted that financial institutions may use a third-party service provider to conduct these trainings.
- Implement an information security program that includes access controls, developing information inventories, implementing secure development practices, conducting audits, implementing secure disposal requirements, developing change management procedures, and monitoring the activity of authorized users. The FTC staff emphasized that it is up to the financial institution to determine how to implement the various requirements and that each financial institution should be free to choose the solution that works best for its own information security program.
- Implement encryption and multifactor authentication. The FTC staff indicated their belief that financial institutions should have the flexibility to determine how to implement encryption and multifactor authentication. However, the FTC staff noted that in the event it is not feasible for a financial institution to implement encryption or multifactor authentication, the financial institution should come up with alternative controls that have been reviewed and approved by the qualified individual in charge of the financial institution’s information security program.
- Financial institutions that maintain information about fewer than 5,000 consumers would be exempted from most of the written requirements. The FTC staff explained that the exception was written so that small financial institutions with small budgets that have access to tens of thousands of consumers’ data are still expected to implement security controls that are appropriate to the amount of data they are collecting, not necessarily to the size of their business.
The deadline to submit comments about the proposed amendments to the GLBA Safeguards Rule is August 12, 2020. Financial institutions that are subject to the GLBA Safeguards Rule should review their current information security program in light of the proposed amendments to determine how any changes may affect their information security programs.