New GLBA Safeguards Compliance

Information security and cybersecurity are areas with an intensive need for ongoing monitoring, review, and adjustment in the face of developing threats and challenges. With technology advancements, new products or services, and changing compliance requirements, organizations are called to develop a more unified, disciplined approach in response to any negative and adverse risks or vulnerabilities within their organizations.

Management accountants and finance departments are integral to these efforts. Finance professionals are knowledge partners in answering significant questions related to protecting financial data, information, and cybersecurity for critical financial IT solutions within an organization.

The U.S. Federal Trade Commission’s final rule amended the Standards for Safeguarding Customer Information (Safeguards Rule) under the Gramm-Leach-Bliley Act (GLBA). “The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.” These new final rule changes further define information security program requirements for financial service organizations identified as financial institutions within GLBA. The rule provides safeguards to protect the security of customer information.

SIGNIFICANT CHANGES AND AMENDMENTS

Effective January 10, 2022, the definition for “financial institutions” will now include organizations engaged in financial activities from a much broader perspective. It’s more about activities than specific organizational categories. Organizations that bring together buyers and sellers of a product or service may be within the rule’s scope. Under the new rule, the following are examples of financial activities that will now need to be measured for compliance:

• Retailer providing credit by issuing its own credit card
• Automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days
• Personal property or real estate appraiser
• Collection agency services
• Credit bureau services
• Asset management, servicing, and collection activities
• Leasing personal or real property, real estate settlement servicing
• College and university financial and school loan services
• Securing buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate

These financial institutions will need adequate representation and reporting for information security programs, more accountability, and sufficient controls. This will include designation of a specific qualified individual responsible for overseeing and implementing the information security program; ongoing internal and external risk assessments and inventory; periodic reports to boards of directors or governing bodies; and development of physical, administrative, and technical safeguards to “protect customer information.”

Further, financial institutions will need to incorporate more specific aspects of an information security program, including a written information security program, encryption of customer information over external networks and at rest, multifactor authentication, and secure disposal of customer information. Those institutions that collect customer information from fewer than 5,000 consumers will also be exempt from certain rule requirements.

As of June 9, 2023, a new set of requirements takes effect. A qualified individual must be appointed to oversee an information security program. Risk assessments should be documented. Encryption standards are to be implemented for all sensitive information in transit and at rest, and multifactor authentication or the equivalent protection needs to be in place for customer information access.

Access to sensitive customer information will need to be monitored and limited, and security personnel training will need to be continually updated based on risk assessments and/or with changes in security practices. Periodic security practice assessments of service providers should be performed, and a written incident response plan should be developed to respond to and recover from security events materially affecting customer information. Finally, reports on security programs from a qualified individual should be written at least annually to the board of directors.

KEY CONSIDERATIONS MOVING FORWARD

So what does this mean for your organization, and how can management accountants play a role? First, elevate the Safeguards Rule changes to executive management for discussion and awareness. These rule changes may subject your organization to operational efforts beyond expected tactical and budgetary plans determined for the upcoming years.

Engage both the compliance and legal departments to determine whether your organization is now considered a financial institution under the Safeguards Rule changes. Timeliness in figuring out if this new legislation applies to you as an organization is paramount. This may be a stop-go gate for added decisions going forward and impact the other mentioned efforts that follow. If so, begin efforts to start a compliance readiness program to decide current gaps between current information security practices and the Safeguards Rule.

Decide if this is an initiative that can be managed in-house or if outside consulting services will need to be incorporated to help assess organization-wide information security governance and process activities. Your organization may be in a position with limited capacity to complete assessments. Move forward with an assessment by leveraging and revisiting any pertinent information security policies, procedures, and earlier work efforts and work papers for analysis, and establish baseline efforts between where you are now and where you need to go for rule compliance. Minimize the duplication of other work products within your three lines of defense construct. This may include risk assessments completed by internal or external audit.

Include a review of current financial information security controls, addressing how to manage financial and accounting metadata, work papers, and electronic reports in core information technology information systems, as well as disposal and the storage location of this data, and encryption standards. This is in addition to the accompanying information security governance assessment. Where determined, begin recalibration of information security practices where differences are discovered. This may involve realignment in your governance and practices for risk assessments, incident response plans, and vendor oversight programs.

Communicate and coordinate these efforts with external auditors, as needed. This may be an area of external audit consideration these next coming years. Try and forgo any rework where applicable. Maintain sufficient work papers for external requests by auditors or regulatory agencies. Complete annual reassessment and realignment with new information security practices and changes implemented during a current year. Reference year-over-year baseline and update in a timely manner when significant changes were implemented. This should apply to other areas of compliance beyond GLBA. Review your current legislative and strategic governance risk profile. As an organization, assess the consequences of new or changes in legislation.

These GLBA Safeguards Rule requirements may not be easy lifts for affected financial service entities. Responsive, initiative-taking implementation changes to information security programs may be necessary to meet these 2022-2023 revised rule requirements.