As the new year settles in, financial institutions should revisit their information security obligations under the Gramm-Leach-Bliley Act Safeguards Rule (Safeguards Rule). The Federal Trade Commission (FTC) has released final amendments to the Safeguards Rule that affect all financial institutions under the FTC’s jurisdiction.
Under the Safeguards Rule, covered financial institutions are required to develop, implement, and maintain compliant, comprehensive information security programs. The amended rule (Final Rule) provides in-depth guidance on targeted program aspects under the Safeguards Rule, such as access controls, authentication, and encryption. The Final Rule also includes several new and expanded procedural, technical, and personnel requirements related to the information security obligations of covered financial institutions.
“Financial institutions and other entities that collect sensitive consumer data have a responsibility to protect it,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The updates adopted by the Commission to the Safeguards Rule detail common-sense steps that these institutions must implement to protect consumer data from cyberattacks and other threats.”
The FTC expects all covered financial institutions to remain in compliance with the Safeguards Rule’s existing requirements and to adopt all expanded program guidance. The new rule is effective as of January 10, 2022, and the FTC expects all covered financial institutions to be in compliance with the new requirements in the Final Rule by December 9, 2022.
The new definition of “financial institution.”
The Final Rule expanded the definition of “financial institutions” to include non-banking financial institutions, such as non-federally insured credit unions, auto dealerships, collection agencies, finance companies, mortgage brokers, “payday” lenders, and other entities that bring together the buyers and sellers of products or services.
If a financial institution collects information about fewer than 5,000 consumers, the institution is exempt from the incident response plan, written risk assessments, and annual reporting requirements under the Final Rule.
New requirements for covered financial institutions under the Final Rule.
Under the Final Rule, covered financial institutions are now required to:
- prepare written risk assessments and explain the administrative, technical, and physical safeguards they have in place related to their financial information sharing practices
  - if any risks are identified in such assessments, implement safeguards to control those risks
- designate a qualified individual to oversee their information security program
  - this individual reports periodically to the board of directors or a senior officer in charge of information security
- provide employees with training sufficient to address security updates and risks
- perform annual penetration testing and twice-yearly vulnerability assessments
- perform periodic assessments of service providers
- establish a written incident response plan
Cybersecurity tools and resources.
To adopt the amendments and comply with the Final Rule, your institution may have to make additional software, technology, or personnel investments. Industry-specific technology vendors have the same compliance deadline of October 27, 2022; however, we encourage you to reach out to your vendors early on to ensure timely compliance.
The FTC has issued an FAQ to help guide auto dealers. You may also consider reaching out to your membership groups. For example, the National Automobile Dealers Association (NADA) plans to release comprehensive compliance guidance to its members.
The Federal Financial Institutions Examination Council (FFIEC) offers a Cybersecurity Assessment Tool to help institutions perform cybersecurity risk assessments. The National Credit Union Administration (NCUA) also offers an Automated Cybersecurity Evaluation Toolbox (ACET) and other assessment tools specific to credit unions on its website.
ARB’s Credit Union and Auto Dealership Services Groups are also here to help. Our professionals are actively involved in both industries, so we understand how these issues affect each sector specifically. If you’d like to discuss your compliance plan, contact me today.
Laura Everett is a principal at ARB. She provides accounting, attest, and business advisory services primarily to credit unions, auto dealerships, and buy here/pay here finance companies. As an actively involved member of the credit union industry, Laura specializes in helping credit unions with financial reporting, compliance, and mergers. Her industry expertise includes comprehensive services from financial statement audits, supervisory committee audits, and internal audits to Bank Secrecy Act independent testing, fraud investigations, and other agreed-upon procedures.