After years of development and public input, the Federal Trade Commission (FTC) in December finalized some changes to the Standards for Safeguarding Customer Information (Safeguards) Rule – a key part of the Gramm-Leach-Bliley Act (GLBA).
Of the four major rule changes, one simply adds a new category of business under the definition of “financial institution,” another exempts institutions that serve fewer than 5,000 people, and a third standardizes some terminology across agencies.
Though all of these are important for various reasons, the most significant changes from Raxis’ perspective are the ones that more clearly define the elements of the information security programs required by GLBA and which ensure better accountability for implementing and testing such programs.
The Problems
In the past, the federal government was reluctant to be overly prescriptive with its cybersecurity requirements. The prevailing mindset was that doing so would mean compliance would happen by “magic” – in this case, meaning mindless activities guaranteed to inspire complacency. Flexibility was necessary to ensure that institutions were free to adopt the practices that ensured the best protection for their company or niche.
The reality we’ve witnessed during more than a decade of Raxis penetration testing is that the level of cybersecurity awareness and sophistication can vary wildly among financial institutions, regardless of size or business model. Ambiguity in the regulations allowed a patchwork of cybersecurity measures to emerge under the general umbrella of compliance. It was clear to our team that the Safeguards Rule needed to be more specific to make sure all the institutions were implementing the most basic best practices.
Lack of specificity in the prior iterations of the rules also made it harder for regulators and the institutions themselves to know whether their infosec programs were effective. Along with more specifics, the institutions needed stronger accountability measures.
The Improvements
Toward the goal of greater accountability, the Safeguards Rule added two important provisions: Designation of a single “qualified individual” to act as a de facto chief information security officer (CISO) to manage the infosec program and a requirement that he or she report to the company’s board. Most institutions have those functions covered in some form or fashion, but we’ve seen instances where responsibilities were split among employees and even departments.
Having a qualified infosec leader in place is a good first step toward consolidating authority, but more important is how well and how quickly the institutions adopt the following changes to the Safeguards Rule:
- Review of access controls. This change requires institutions to regularly test digital and physical access to customer data to make sure only authorized personnel can see it – and see only the parts of it that are necessary to do their jobs. If a Raxis team member successfully breaches your network during a test, you can bet we will check to see if you’ve followed the principle of least privileged access.
- Inventory of key data and systems. The inventory process ensures that institutions know what they are protecting with their infosec program. As we discussed in a prior post, it’s not always obvious what data and what systems are at risk.
- Intrusion detection. This change makes annual pentesting and semi-annual vulnerability assessments a requirement for companies that don’t have continuous monitoring of their networks. Raxis offers all the services described above, but we don’t believe they should be presented as either/or choices. Continuous monitoring or vulnerability assessments should trigger a pentest if serious vulnerabilities are discovered.
- Secure application development. With this rule change, the FTC outlines some best security practices for in-house and third-party app development. As we explained in some recent posts, public-facing web applications face some unique security challenges, and it’s good that the FTC understands the seriousness of that issue.
- Incident response planning. This update simply requires that institutions develop written plans for responding to security incidents and includes information about what those plans should cover.
- Encryption requirement. This may seem like a no-brainer, but the Safeguards Rule now requires encryption of data in transit and at rest. But it also provides for the ability of the “qualified individual” to authorize an acceptable alternative if encryption isn’t feasible.
- Multifactor authentication (MFA) requirement. Again, this would appear to be table stakes for a financial institution, but based on Raxis’ experience, it has not been adopted nearly as widely as it should have been already. The rule change, we hope, will make MFA a standard practice industrywide.
- Change management procedures outline the steps financial institutions should take when they alter their infosec programs. As a security measure, this ensures such changes are documented and approved beforehand.
This is just a snapshot of what Raxis considers the FTC’s most impactful changes to the GLBA Safeguards Rule. Like all such regulations, they should all be viewed by the institutions as minimum guidelines, not as a safe harbor or assurance of security. Similarly, regulators should judge compliance not by whether the boxes have been checked, but by how thoroughly the institutions have prepared themselves for the attacks that are coming.
There is no finish line in cybersecurity, but these changes will give all US financial institutions a head start on better protection for their customers.
To read the full Safeguards Rule as finalized, be sure to visit the Federal Register.