GLBA and the Penetration Testing Mandate: Everything You Need to Know

Over the past decade, we have largely become citizens of a digital world. Our personal and professional data is now accumulated in digital form, which has created the need for more stringent cybersecurity practices. Financial data in particular is among the information most prone to misappropriation and misuse. Attackers are always on the lookout for private financial information they can use to steal hard-earned money, so there is a pressing need to safeguard banking and financial details thoroughly. Regulations like GLBA are pivotal in this effort to shield the public's financial data.

What Is GLBA?

Enacted in 1999, GLBA, the Gramm-Leach-Bliley Act, is a cornerstone law regulating financial institutions and their partners that have access to confidential financial details. Also known as the Financial Modernization Act, it sets out standards that these organizations must follow to secure sensitive data.

GLBA's applicability, however, is not limited to conventional financial institutions. It covers any business entity that offers financial products or services to customers. GLBA governs how these organizations collect, share, and reuse customer information, including bank account details, customer names, social security numbers, addresses, employment information, tax details, and credit history. The act refers to such details as personally identifiable information (PII), and it makes non-compliant parties liable for penalties.

Key Components of the Gramm-Leach-Bliley Act, 1999

GLBA sets out three principal rules to ensure the protection of personally identifiable information.

The Financial Privacy Rule

This rule requires that, before starting any business relationship with a customer, an organization issue a clear and unambiguous notice describing its privacy policy. The rule specifies the elements that must form part of that privacy notice.

The Safeguards Rule

The Safeguards Rule requires all financial organizations with access to non-public financial information to draft and maintain a written cybersecurity plan. This plan must describe the procedures the entity implements to protect PII. The rule also sets standards that covered entities must follow to safeguard private financial information against phishing schemes, cyber attacks, and other data security risks, and it requires organizations to appoint a designated employee to oversee the execution of the security program.

The Pretexting Rule

Under this rule, businesses may not gather non-public financial information under false pretenses. This helps prevent many forms of unwanted access to personal information.

5 Recent Updates Under the GLBA

To keep pace with the evolving needs of the cybersecurity realm, the Federal Trade Commission (FTC) periodically updates security regulations such as GLBA. Several critical updates came into effect in December 2021, when the FTC announced a revised final rule that modifies the Safeguards Rule of GLBA. This updated version of the rule consists of five principal amendments.

1. More Elaborate Guidelines

First, the revised Safeguards Rule now provides more detailed guidance to help financial institutions frame specific aspects of an appropriate information security program. The safeguards must incorporate the following elements:

  • Inventory management and classification of systems, devices, and data
  • Access controls
  • Adequate secure development practices for software and apps
  • Change management process
  • Robust encryption of information
  • Authentication 
  • Monitoring and detecting unwanted access or utilization of consumer data

Notably, the rule also requires financial institutions either to undertake yearly penetration testing and semi-annual vulnerability assessments or to conduct continuous monitoring.

2. Exemption Provision

The rule also exempts certain financial institutions that hold less customer data from some of its requirements. Entities that collect financial data on fewer than 5,000 customers are not required to prepare an incident response plan, a written risk assessment, or an annual report to the board of directors.

3. Timely Reports Required

The amended rule aims to strengthen accountability for the security programs that financial organizations draft. It now requires the submission of timely reports to management or the board of directors.

4. Financial Institution Definition Expanded

The definition of a financial institution has been expanded. It now encompasses organizations engaged in activities that the Federal Reserve has determined to be incidental to financial activities. Brokers and agents, also termed finders, that operate on behalf of lenders fall within its scope, and it may also extend to collection agencies, payday lenders, and auto dealers. Because these entities can have access to highly sensitive customer details, they may have to comply with the Safeguards Rule.

5. Additional Definitions

Lastly, the new version of the rule has its own set of definitions for relevant terms, with appropriate examples. It no longer has to rely entirely on the definitions contained in the Privacy Rule of the act.

The scope of the revised Safeguards Rule stands similar to that stated in the cybersecurity regulation brought forth by the New York Department of Financial Services (NYDFS). 

Understanding the Penetration Testing Mandate of GLBA

Notably, the revised Safeguards Rule under GLBA introduces more stringent testing requirements for covered financial institutions.

Under the definition adopted in the revised rule, penetration testing is a testing methodology in which assessors attempt to evade or defeat an information system's security features. The assessors do this by attempting to penetrate the security controls of the information system from inside or outside the network, as needed.

Previously, the rule required financial institutions to periodically monitor or test the effectiveness of their cybersecurity safeguards and then make any changes the test results called for. The revised rule explicitly states that testing must consist of either continuous monitoring of the implemented safeguards or annual penetration testing plus semi-annual vulnerability scanning of the safeguarding measures.

Implications of FTC’s Penetration Testing Mandate on Various Industries

The explicit testing requirements in the Safeguards Rule mean that covered financial institutions must be prepared to refine their testing procedures. Unlike in the past, you can no longer rely solely on automated system checks, simple gap analysis, or basic vulnerability assessments. More robust testing tactics and methodologies are now needed.

The FTC allows no leeway in the safeguards protecting financial institutions' information systems. Under the act, every business entity that qualifies as a financial institution must prepare its team to meet the amended compliance requirements.

A more proactive approach is needed to manage security breaches and strengthen the cybersecurity posture of covered financial entities. Regular testing and assessment in line with the revised rule makes this possible, and conducting that testing with the assistance of industry-recognized professionals can help organizations get there.

Possible Future Transformations Under the GLBA Regulation

The FTC is also considering a provision requiring the reporting of security breaches. Under this proposal, covered financial institutions would have to report security failures or violations to the FTC. This amendment may become part of GLBA in the latter half of 2022 or early 2023.

Find Proficient Penetration Testing for GLBA with NaviSec

Maintaining an enduring and up-to-date information security program is not a piece of cake. The nuances of drafting multiple policies and plans while staying compliant with ever-changing regulations can be perplexing. However, the cybersecurity specialists at NaviSec can help you navigate in the right direction. Our extensive expertise in cybersecurity can help you attain the data security posture you need. Addressing security concerns through penetration testing and assessments, coupled with managing regulatory compliance, becomes effortless with NaviSec. We have deep proficiency in meeting penetration testing requirements and conducting risk assessments, and our data protection expertise and tailored services span diverse industries. Spare a few seconds and discover the magic of NaviSec. We'd be happy to answer any questions you have on redefining your organization's cybersecurity framework in a free 30-minute call.