GLBA Compliance: Cybersecurity Requirements of Gramm-Leach-Bliley Explained

The Gramm-Leach-Bliley Act (GBLA) sets privacy and cybersecurity standards for financial institutions in the US. Learn about the IT requirements of GLBA compliance and how organizations can implement the necessary safeguards.

What Is GLBA Compliance?

The Gramm-Leach-Bliley Act (GLBA) a.k.a. the Financial Services Modernization Act is a 1999 piece of US legislation that reformed the finance industry by allowing banks to operate in the commercial, investment and insurance sector at the same time. By removing prior restrictions from the Glass-Steagall Act, GLBA cleared the way for huge mergers in the banking industry.

In addition to market reform, the Gramm-Leach-Bliley Act also includes security and privacy requirements for financial institutions:

  • 1

    Notifying customers about the bank’s privacy policy and what information it collects, giving customers the ability to opt out of their information being shared with third parties, except for a few specified purposes (Privacy Rule).

  • 2

    Protecting nonpublic personal information of their customers against unauthorized access and anticipated threats or hazards through suitable administrative, technical and physical safeguards (Safeguards Rule).

However, GLBA does not detail what a privacy policy should look like or what appropriate safeguards for financial information are. Instead, the bill tasked relevant agencies such as the Federal Trade Commission (FTC) with creating specific rules based on the legislation, which were implemented in the Code of Federal Regulations.

Who Does the GLBA Apply to?

The Gramm-Leach-Bliley Act applies to all financial institutions over which the FTC has jurisdiction, defined as “all businesses, regardless of size, that are significantly engaged in providing financial products or services” (and which are not subject to the enforcement authority of another regulatory agency). The FTC has a detailed list of activities it considers financial in nature, but in general the GLBA applies to:

  • Banks

  • Stockbrokers

  • Investment firms

  • Insurance companies

  • Mortgage companies

  • Credit unions

  • Credit card issuers

  • Tax preparers

  • Real estate lenders

  • Financial advisers

Which Data Is Covered by the GLBA?

The GLBA governs nonpublic personal information (NPI), which is all personally identifiable information financial institutions collect about their customers that is not publicly available through other sources, such as public government records.

NPI includes:

  • Names

  • Birth dates

  • Addresses

  • Social security numbers

  • Employment data

  • Account numbers

  • Account balance

  • Payment history

  • Credit history

  • Tax information

What Is the GLBA Privacy Rule?

The Privacy of Consumer Financial Information Rule (Privacy Rule) is the federal regulation put in place by the FTC to implement financial privacy provisions of the Gramm-Leach-Bliley Act. Its full text can be found under 16 C.F.R. Part 313.

To comply with GLBA, financial institutions need to disclose their privacy policies and practices to consumers and give them the ability to opt out of their information being shared, except for a few specified purposes such as joint marketing or delivering a financial service. In the Privacy Rule, the FTC provides a model privacy form and lays out the notification and opt out requirements.

What Is the GLBA Safeguards Rule?

Standards for Safeguarding Customer Information or the Safeguards Rule is the federal regulation that implements sections 501 and 505 of the Gramm-Leach-Bliley Act. The full text of the Safeguards Rule is available at 16 C.F.R. Part 314.

The GLBA requires financial institutions to implement administrative, technical and physical safeguards to:

  • 1

    Insure the security and confidentiality of customer records and information.

  • 2

    Protect against any anticipated threats or hazards to the security or integrity of such records.

  • 3

    Protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

In the Safeguards Rule, the FTC details what a GLBA-compliant security program looks like and which safety measures banks need to implement, including risk assessments, stringent access controls and regular reviews and reports to the board. Learn more about the exact requirements of GBLA below.

Due to the highly sensitive information being processed, the finance sector is a frequent target of fraud and cybercrime. Financial institutions need to follow the best practices of identity governance & administration to stop attacks and safeguard customer data. Learn more about IAM in the finance industry.

What Is the GLBA Pretexting Rule?

Under the section Fraudulent Access to Financial Information, the GLBA prohibits obtaining customer information from financial institutions under false pretenses, such as making false statements or presenting false documents to bank employees or customers.

While the Safeguards Rule already requires banks to protect against various forms of fraud – including phishing, social engineering and insider threats – the Pretexting Provisions add a criminal penalty for the perpetrators behind these schemes: up to 5 years in prison or a fine of $250,000. In aggravated cases, the sentence can double to 10 years in prison or $500,000.

GBLA Compliance: The Requirements in Detail

1

Information Security Program

In order to comply with the Gramm-Leach-Bliley Act, financial institutions need to develop, implement and maintain a written information security program. This document explains the nature and sensitivity of customer data your organization collects and the specific safeguards (administrative, technical and physical) used to protect it from threats and unauthorized access.

Here are the requirements your information security program needs to conform to:

  • You need to designate a qualified individual to oversee and implement the program.

  • The program has to be based on reasonably foreseeable internal and external risks, as established through regular risk assessments.

  • You need to test and monitor the effectiveness of your security program and adapt based on your findings.

  • You need to establish a written incident response plan that addresses how you plan to respond to and recover from security events.

  • Your qualified individual needs to submit annual reports to your board of directors on the overall status of the security program.

2

Access Controls

Aside from the structure of your security program, the FTC safeguards rule also details a number of specific safeguards banks need to cover in order to comply with the GLBA, beginning with the need for access controls.

In order to protect the privacy and security of customer data, financial institutes need to:

  • Implement and periodically review access controls.

  • Permit access only to authorized users.

  • Limit users’ access only to information they need, i.e. follow the principle of least privilege.

The FTC does not specify how organizations should go about limiting user access, but the only realistic way to restrict access and ensure that users can only view information relevant to their job is through an identity & access management solution.

IAM software automatically provides new users with the right permissions for their role, offers detailed reporting on who has access to what and allows you to conduct periodic access reviews – all through a central, automated platform.

Whitepaper

Best Practices for Access Management In Microsoft® Environments

Our in-depth guide explains how to manage access securely and efficiently from a technical and organizational standpoint, including tips for implementation, reporting and auditing.

3

Inventory Assets

In order to manage their IT risks successfully, the GLBA requires organizations to identify the data, staff, devices and systems that enable their day-to-day operations and manage these assets according to their risk strategy and their relative importance to business objectives.

In simple terms, this means that banks and other financial institutions need to first identify all IT assets and then apply stricter security measures depending on an asset’s sensitivity level.

4

Encrypt Customer Data

All customer information transmitted to your organization needs to be protected by encryption both at rest and in transit. When encryption is not feasible, alternative methods to secure information can be used as a compensating control, but only if your qualified individual reviews and approves them.

5

Secure Software Practices

As part of their GLBA compliance, organizations need to evaluate the security of external software applications they utilize to store, transmit or access customer information. Likewise, you need to adopt secure development practices for any in-house applications used to process customer data.

6

Multi-Factor Authentication

Any information system that stores customer information must be secured through multi-factor authentication (MFA) for all accounts.

7

Data Retention & Secure Disposal

GLBA compliance requires businesses to securely dispose of customer information after 2 years from when it was last used to provide a service, unless a longer retention period is necessary for legal reasons or legitimate business purposes.

Either way, companies need to implement procedures for the secure disposal of customer information and periodically review their data retention policy to minimize the unnecessary retention of data.

8

Change Management

Financial institutions need to adopt change management procedures to comply with the GLBA, which means that any change to the IT infrastructure, such as installing a new piece of software, needs to be reviewed and approved before it is implemented. This evaluation is intended to help organizations understand the security impact of proposed changes ahead of time.

9

Monitor User Activity

To detect unauthorized access or tampering with customer data, GLBA requires organizations to implement procedures to monitor and log user activity.

10

Penetration Tests

To assess the effectiveness of your information security program, the FTC requires annual penetration testing based on relevant risks identified through your risk assessment.

11

Vulnerability Assessments

Vulnerability assessments are likewise required to ensure the effectiveness of your IT safeguards and need to be conducted every six months as well as following material changes to your operations or business arrangements.

The need for penetration tests and vulnerability assessments can alternatively be covered through systems for continuous monitoring.

12

Training & Education

As part of their organizational controls, businesses covered by the GLBA need to ensure that their staff is able to follow the information security program by:

  • Providing staff with security awareness training that is repeated and updated as necessary.

  • Employing qualified specialists or service providers to manage the security program.

  • Providing security staff with updates and training sufficient to address relevant risks.

  • Ensuring that security staff keep informed about current threats.

13

Manage Third-Party Risks

Aside from protecting their own network, the GLBA also requires financial companies to manage third-party risks and oversee their service providers by:

  • Selecting and retaining service providers that maintain appropriate safeguards.

  • Making it a contractual obligation to implement and maintain appropriate safeguards.

  • Regularly assessing service providers based on the risk they present and the continued adequacy of their security measures.

GLBA-Compliant Access Control with tenfold

One of the cornerstones of GLBA compliance is protecting customer data from unauthorized access – both inside the organization and from external threats like data breaches and cyberattacks. But with hundreds of employees and dozens of information systems, how can financial institutions really ensure that no one on their staff has access they do not need?

There’s only one way to guarantee accurate user provisioning, timely on- and offboarding and least privilege access for all IT users: an automated IAM solution. Platforms for identity & access management allow businesses to track and manage all IT permissions through one central hub – from lifecycle automation to detailed reporting, regular permission audits and a self-service platform for end users.

Like most cybersecurity regulations, the GLBA sets security requirements but leaves it up to organizations how to achieve them. In practice, however, IAM solutions are the only option that allows you to safely manage users and permissions at scale.

The Problem with IAM Solutions

While identity and access management is crucial to GLBA compliance – as well as standards like SOX, HIPAA and NIST 800-53 – there is one major problem: Most IAM solutions are far too complex to be used effectively outside huge, global corporations.

Conventional IAM products are delivered to you as a framework of building blocks that requires significant effort to assemble into a working platform: from custom code for interfaces to crafting your own workflows.

This build-your-own-IAM approach not only makes the software difficult to set up, but also challenging to maintain: Any change in your IT infrastructure and you need to go through the same process all over again.

tenfold No-Code IAM: Automate Without Delay

Luckily, there is a faster and easier option that delivers the same results as complex enterprise platforms: Our no-code IAM solution tenfold!

Unlike conventional identity & access management products, tenfold comes with a suite of prebuilt plugins that allow you to connect your IT systems with just a few clicks! All plugins and features can be fully configured through our no-code UI – eliminating the need for scripting and custom code.

tenfold is easy to set up and operate while delivering the same powerful features you’d expect from an enterprise platform: automated provisioning, central access audits and detailed permission reporting, from accounts in IT systems down to unstructured data in file servers and cloud storage.

Make your life easy with our no-code platform for GLBA-compliant access control! Watch our video demo to learn more or sign up for a free trial to test our solution in-depth!

Free Trial

Our No-Code Solution Makes IAM Easy. Sign Up Now and Test It Yourself!

About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.