GLBA Compliance
The Gramm-Leach-Bliley Act of 1999, or GLBA, is a deregulation bill meant to enhance competition in the financial services industry. But it is best known by IT and security professionals for requiring the protection of personal information and the disclosure of privacy policies. The Federal Financial Institutions Examination Council (FFIEC) has established guidelines for meeting and maintaining GLBA compliance.
34%
of financial firms say they've experienced some kind of economic crime in the past year (PwC study)
29%
of financial services employees didn't undergo any security awareness training
50%
financial firms believe the threat of cybercrime is rising year over year
Overview:
GLBA applies to companies that provide financial products or services to consumers. This includes: banks, mortgage brokers, insurance firms, real estate appraisers, tax preparation businesses, check-cashing businesses, accountants, ATM op erators and others.
There are two main security- and privacy-related provisions under GLBA:
Safegard Rule
Introduced under Section 501(b) of GLBA and issued by the Federal Trade Commission (FTC), the rule aims to:
- Ensure the security and confidentiality of customer records and information.
- Protect against any anticipated threats or hazards to the security or integrity of such records.
- Protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.
Privacy Rule
Required by Section 504(a) of GLBA and also issued by the FTC, this rule:
- Requires financial institutions to provide its customers with a notice of privacy policies and practices.
- Prohibits financial institutions from disclosing nonpublic personal information about a consumer to "nonaffiliated" third parties, unless the consumer has agreed to share the information.
In particular, financial companies must have a written information security plan in place. As part of this plan, entities must, among other things: Identify and assess their risks to customer information, implement a "safeguards program" and regularly monitor and test it; and manage the selection of appropriate service providers.
Through its Information Security Examination Handbook, the FFIEC, in conjunction with its member agencies, has defined a process-based approach for complying with GLBA.
Among the guidance: financial institutions should test for vulnerabilities, monitor their network for anomalies, implement an incident response program, train staff on security awareness and ensure third-parties have adequate security controls in place.
In addition, the FFIEC has released “Authentication in an Internet Banking Environment (PDF) (PDF Supplement), which prescribes a risk management framework for financial institutions offering online banking. The guidance states that these entities should use adequate methods to authenticate the identity of customers as a way to protect against threats like phishing and account takeover.
While financial services companies traditionally are leaders compared to other industries when it comes to the effectiveness of their information security controls, they also remain a significant target of attackers due to the wealth of personal information under their control. Attackers constantly are developing new schemes to perpetrate fraud against these institutions. As Willie Sutton once said, when asked why he robs banks: “Because that’s where the money is.” The mindset is no different for cybercriminals.
Consequences:
A number of federal and state agencies are responsible for enforcement of GLBA, depending on whom the potential violator is. They are: the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corp. (FDIC), the Office of Thrift Supervision, the National Credit Union Administration, the Securities and Exchange Commission, state insurance authorities, the Commodity Futures Trading Commission and the FTC.
| Enforcement Agency | Financial Institution |
|---|---|
| Office of the Comptroller of the Currency | Federal branches and federal agencies of foreign banks |
| Board of Governors of the Federal Reserve System | Member banks of the Federal Reserve System |
| FDIC | Banks insured by the FDIC other than members of the Federal Reserve System |
| Office of Thrift Supervision | Savings associations whose deposits are insured by the FDIC |
| National Credit Union Administration | Federally insured credit unions |
| Securities and Exchange Commission | Brokers and investment companies |
| State insurance authorities | Insurers |
| Commodity Futures Trading Commision | Commodities brokers |
| FTC | Federal institutions not subject to jurisdiction of another agency |
- A financial institution can be fined up to $100,000 per violation.
- The officers and directors face civil penalties of $10,000 per violation.
- Criminal penalties of five years in prison, a fine, or both can be imposed.
Solutions:
Trustwave provides a comprehensive portfolio that can help organizations of any size respond to GLBA regulations.
Plan and Prepare
Conducting a Risk Assessment is the first step to identifying and implementing safeguards necessary to meet compliance. Trustwave helps you find gaps that may exist between your current security posture and GLBA requirements. The customizable assessments, scaled individually for your financial institution, include identification of key assets and IT systems, assessment of controls and frameworks and a review of third-party providers and incident response programs.
Address Gaps and Vulnerabilities
GLBA requires companies to protect customer records and information, whether it’s being collected, stored or transmitted. Here are some of the ways we can help:
Data Loss Prevention
Allows you to discover and classify sensitive data and prevent it from leaving the network.
Network Access Control
Ensures managed and unmanaged devices connecting to the network comply with policies and do not introduce malware.
Two Factor Authentication
Offers a token-less, cloud-based mechanism to prevent password interception and ensure the identities of customers.
Web Application Firewall
Protects sensitive data against external attackers who may use vulnerabilities, such as SQL injection, to steal patient information.
SIEM
Helps you gain broad visibility of threats to your network and improve your compliance process through logging, monitoring, and analysis of events.
Incident Readiness and Response
Prepares your staff to proactively identify the indications of a breach and contain it quickly and effectively.
Security Awareness Education
Instructs your employees and contractors to understand the threat of social engineering and follow best practices for security, including the safe use of web and social media tools and password management.
Penetration Testing
Identifies and manages potential vulnerabilities in your networks, applications or databases.
Automate and Manage
TrustKeeper Compliance Manager helps you to centrally automate and manage controls, policies and procedures across multiple compliance frameworks, including GLBA. Compliance Manager is delivered through our cloud-based management portal TrustKeeper, which provides a real-time view into the status of your compliance and security programs and offers access to all of your managed services. Through one easy-to-use dashboard, you can submit support requests, see event history, run reports and manage your account at any time.
Documentation:
Download the Trustwave Solutions for the Financial Services Industry Data Sheet (PDF).