FTC cybersecurity proposals introduce daunting compliance burdens for financial institutions
The Federal Trade Commission (FTC) has proposed changes to the cybersecurity and privacy rules under the Gramm-Leach-Bliley Act (GLBA) that will bring additional compliance mandates for financial institutions. The changes, if enacted, will force a broad range of businesses to implement extensive new safeguards across the people, process, and technology disciplines.
The commission issued detailed proposals that broaden the GLBA’s Safeguards Rule and Financial Privacy Rule (Privacy Rule) and has set aside 60 days for comments. The Safeguards Rule requires that covered financial entities develop, implement, and maintain a comprehensive risk-based information security program, while the Privacy Rule safeguards customers’ personal data. FTC proposals stipulate that financial companies:
- Encrypt all customer data
- Implement effective access controls
- Adopt multifactor authentication (MFA) for access to consumer data
The commission also proposes that financial entities hire a chief information security officer (CISO) to oversee the security program and submit periodic reports to the firm’s board of directors. Businesses that hold data of 5,000 or fewer customers would be exempt from certain rules.
Given the GLBA’s expansive definition of what constitutes a financial institution, the rules will likely affect businesses across a swath of sectors. Under GLBA, a financial institution can include:
- Certain mortgage brokers
- Money-transfer service providers
- Automobile dealerships
- Property and real estate appraisers
- Professional income tax preparers
- Some travel agencies
The proposed changes signal a rising tide of regulations that require financial firms to implement a top-down, risk-based security program. Proposals are based on cybersecurity regulations issued by the New York Department of Financial Services (23 NYCRR 500).
Taken together, these proposals reflect an escalating concern that data-rich businesses are expanding their attack surface by retaining too much customer information. Most financial firms will need to implement or update records management processes, revise workflows to dispose of customer data that is no longer needed, and automate data destruction.
Below, we’ve summarized additional amendments and top challenges that will face the financial industry.
1. Appoint a CISO to oversee security
The FTC proposals obligate financial institutions to hire a CISO (or equivalent) to establish governance and oversee a cybersecurity program based on the institution’s own risk assessment. This person will be required to report in writing, at least once a year, to the institution’s board of directors on the status of the information security program and its compliance, as well as on material matters related to the security program.
2. Encrypt all customer data
The proposals mandate that organizations encrypt all customer information, both in transit and at rest, to protect against unauthorized use and access. This can stretch the resources of an already inundated IT staff.
3. Apply multifactor authentication (MFA)
The FTC designates MFA as a “minimum standard” for access to customer information. Deploying the safeguard will require that firms map data across the organization to identify the information and applications that must be protected and will require a robust IT architecture.
4. Individualized training for employees
Under the proposed rules, financial institutions will need to develop effective training for employees who handle, access, or dispose of customer data. Training and awareness must be based on an individual, risk-based security assessment, and employees in different roles will require different training.
5. Data minimization
Financial entities will be required to implement a data retention policy for the secure disposal of customer information in any format that is no longer necessary for legitimate business purposes. The FTC doesn’t specify what constitutes legitimate business purposes and is seeking comments to define the term.
The FTC also proposed the following amendments:
- Access controls
- Secure custom applications
- Audit trails
- User monitoring
- Continuous monitoring
- Service provider assessments
- Incident response plans
Financial institutions will need to begin implementing these changes as soon as possible. Financial firms can jump-start their compliance efforts by mapping the requirements of the proposed rules against their current IT state to understand gaps and priorities. Those that need outside help should engage outsourcers or consultants now, rather than waiting until the last minute.
CohnReznick has decades of experience helping financial services firms design, implement, and operate risk-based cybersecurity and privacy programs. We can help you meet new cybersecurity and privacy requirements and achieve compliance with today’s evolving regulations.