FTC cybersecurity proposals introduce daunting compliance burdens for financial institutions

    The Federal Trade Commission (FTC) has proposed changes to the cybersecurity and privacy rules under the Gramm-Leach-Bliley Act (GLBA) that will bring additional compliance mandates for financial institutions. The changes, if enacted, will force a broad range of businesses to implement extensive new safeguards across the people, process, and technology disciplines.

    The commission issued detailed proposals that broaden the GLBA’s Safeguards Rule and Financial Privacy Rule (Privacy Rule) and has set aside 60 days for comments. The Safeguards Rule requires that covered financial entities develop, implement, and maintain a comprehensive risk-based information security program, while the Privacy Rule safeguards customers’ personal data. FTC proposals stipulate that financial companies:

    • Encrypt all customer data
    • Implement effective access controls
    • Adopt multifactor authentication (MFA) for access to consumer data

    The commission also proposes that financial entities hire a chief information security officer (CISO) to oversee the security program and submit periodic reports to the firm’s board of directors. Businesses that hold data on 5,000 or fewer customers would be exempt from certain rules.

    Given the GLBA’s expansive definition of what constitutes a financial institution, the rules will likely affect businesses across a swath of sectors. Under GLBA, a financial institution can include:

    • Certain mortgage brokers
    • Money-transfer service providers
    • Retailers
    • Automobile dealerships
    • Property and real estate appraisers
    • Professional income tax preparers
    • Some travel agencies

    The proposed changes signal a rising tide of regulations that require financial firms to implement a top-down, risk-based security program. The proposals are modeled on the cybersecurity regulations issued by the New York Department of Financial Services (23 NYCRR 500).

    Taken together, these proposals reflect an escalating concern that data-rich businesses are expanding their attack surface by retaining too much customer information. Most financial firms will need to either implement or update records management processes, update workflows and processes to destroy data that is no longer needed, and automate data destruction.

    Below, we’ve summarized additional amendments and top challenges that will face the financial industry.

    5 challenges of the new cybersecurity and privacy rules

    1. Appoint a CISO to oversee security

    The FTC proposals obligate financial institutions to hire a CISO (or equivalent) to establish governance and oversee a cybersecurity program that is based on an assessment of individual risk. This person will be required to report in writing on the status of the information security program and compliance, as well as material matters related to the security program, at least once a year to the institution’s board of directors.

    2. Encrypt all customer data

    The proposals mandate that organizations encrypt all customer information, both in transit and at rest, to protect against unauthorized use and access. This can stretch the resources of an already inundated IT staff.

    3. Apply multifactor authentication (MFA)

    The FTC designates MFA as a “minimum standard” for access to customer information. Deploying the safeguard will require that firms map data across the organization to identify the information and applications that must be protected and will require a robust IT architecture.

    4. Individualized training for employees

    Under the proposed rules, financial institutions will need to develop effective training for employees who handle, access, or dispose of customer data. Training and awareness must be based on an individual, risk-based security assessment, and employees in different roles will require different training.

    5. Data minimization

    Financial entities will be required to implement a data retention policy for the secure disposal of customer information in any format that is no longer necessary for legitimate business purposes. The FTC doesn’t specify what constitutes legitimate business purposes and is seeking comments to define the term.

    Additional amendments

    The FTC also proposed the following amendments:

    • Access controls
    • Secure development of custom applications
    • Audit trails
    • User activity monitoring
    • Continuous monitoring
    • Assessment of service providers
    • Incident response plans

    Start now with CohnReznick

    Financial institutions will need to begin implementing these changes as soon as possible. Financial firms can jump-start their compliance efforts by mapping the requirements of the proposed rules against their current IT state to understand gaps and priorities. Those that need outside help should engage outsourcers or consultants now, rather than waiting until the last minute.

    CohnReznick has decades of experience helping financial services firms design, implement, and operate risk-based cybersecurity and privacy programs. We can help you meet new cybersecurity and privacy requirements and achieve compliance with today’s evolving regulations.


    Jeremy Swan, Managing Principal, Financial Sponsors and Financial Services Industry, (212) 297-0400
