FTC cybersecurity proposals introduce daunting compliance burdens for financial institutions
The Federal Trade Commission (FTC) has proposed changes to the cybersecurity and privacy rules under the Gramm-Leach-Bliley Act (GLBA) that will bring additional compliance mandates for financial institutions. The changes, if enacted, will force a broad range of businesses to implement extensive new safeguards across the people, process, and technology disciplines.
The commission issued detailed proposals that broaden the GLBA’s Safeguards Rule and Financial Privacy Rule (Privacy Rule) and has set aside 60 days for comments. The Safeguards Rule requires that covered financial entities develop, implement, and maintain a comprehensive risk-based information security program, while the Privacy Rule safeguards customers’ personal data. FTC proposals stipulate that financial companies:
- Encrypt all customer data
- Implement effective access controls
- Adopt multifactor authentication (MFA) for access to consumer data
The commission also proposes that financial entities hire a chief information security officer (CISO) to oversee the security program and submit periodic reports to the firm’s board of directors. Businesses that hold data on 5,000 or fewer customers would be exempt from certain rules.
Given the GLBA’s expansive definition of what constitutes a financial institution, the rules will likely affect businesses across a swath of sectors. Under GLBA, a financial institution can include:
- Certain mortgage brokers
- Money-transfer service providers
- Retailers
- Automobile dealerships
- Property and real estate appraisers
- Professional income tax preparers
- Some travel agencies
The proposed changes signal a rising tide of regulations requiring financial firms to implement a top-down, risk-based security program. The proposals are modeled on the cybersecurity regulation issued by the New York Department of Financial Services (23 NYCRR 500).
Taken together, these proposals reflect an escalating concern that data-rich businesses are expanding their attack surface by retaining too much customer information. Most financial firms will need to implement or update records management processes, update the workflows and processes they use to destroy that data, and automate data destruction.
Below, we’ve summarized additional amendments and top challenges that will face the financial industry.