How GLBA Compliance Enhances Cybersecurity Programs


March 12, 2025


As the cybersecurity landscape continues to evolve, organizations must remain vigilant against growing threats that can compromise sensitive information.

One important regulation requiring financial services organizations to safeguard their data is the Gramm-Leach-Bliley Act or GLBA. While the GLBA is often mentioned for its emphasis on protecting the privacy of consumer financial data, its information-protection requirements align closely with modern cybersecurity best practices.

We’ll explore how compliance with the GLBA not only helps organizations protect sensitive consumer information but can also complement a traditional information security program, strengthening their overall cybersecurity posture. Understanding how the GLBA and a cybersecurity program work together can help ensure your business does more than check a compliance box: it also defends effectively against existing and emerging cyber threats.

A Brief GLBA Overview

Organizations providing financial services, including most colleges and universities, are subject to the Financial Services Modernization Act of 1999, better known as the Gramm-Leach-Bliley Act, or GLBA, which requires them to protect their customers’ “nonpublic personal information” (NPI) from unauthorized disclosure. Under the GLBA, organizations must also maintain a comprehensive, written information security program appropriate to the size and complexity of the institution.

Colleges, universities, and other higher education organizations that offer financial products or services, such as student loans, are also considered “financial institutions” under the GLBA.

The GLBA and similar regulations and standards increasingly focus on whether an organization’s privacy and information security policies and programs are adequate to manage risk and protect customers’ personal information. The need to comply with a growing number of regulations and standards, such as PCI DSS, GDPR, HIPAA, GLBA, and FERPA, has pushed organizations to reevaluate how they structure their security and privacy programs. While nearly everyone affected by these regulations intends to comply, many practical challenges complicate reaching that goal.

The GLBA focuses on three key areas:

  • The Privacy Rule: Requires organizations to establish privacy policies and practices for ensuring the privacy of customer information and to inform customers of these policies and practices.
  • The Safeguards Rule: Requires financial institutions to implement physical, administrative, and technical safeguards to protect customer and consumer data (NPI).
  • Pretexting Protection: Prohibits the practice of obtaining consumer information through fraudulent means, such as pretending to be someone else, and requires organizations to implement processes and procedures to ensure outside parties cannot use pretexting to gain access to customer information.

Given the rapid pace of technological advancements and the increasing sophistication of cyber threats, GLBA compliance is more critical than ever to ensure consumer data privacy and security.

How the GLBA Supports Cybersecurity Efforts

While the Privacy Rule is an important measure, the Safeguards Rule meshes most closely with organizations’ information security programs. The objectives of the GLBA Safeguards Rule are to:

  • Ensure the security and confidentiality of customer information, including nonpublic personal information (NPI).
  • Protect against any anticipated threats or hazards to the security of such information.
  • Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to customers.

To comply, the organization must develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards appropriate to the organization’s size, complexity, scope of activities, and sensitivity of the NPI at issue.

The Safeguards Rule Update

In 2022, the Federal Trade Commission (FTC) updated the GLBA Safeguards Rule. The revisions strengthen the required data security safeguards to better protect customer financial information from data breaches and cyberattacks. The revised rule contains far more specific requirements than the previous rule, including:

  • Access permission reviews
  • Data inventory and classification
  • Vulnerability assessment
  • Penetration testing or continuous monitoring
  • Multi-factor authentication
  • Encryption of NPI at rest and in transit over external networks
  • Secure disposal of data
  • Written incident response procedures
  • Written risk assessments

While the revised rule is more prescriptive, the Commission emphasized that institutions retain the flexibility to implement an information security program appropriate to their size and complexity, the nature and scope of their activities, and the sensitivity of their customers’ information.

Note: Some requirements, such as the written risk assessment, continuous monitoring or penetration testing, and the written incident response plan, do not apply to institutions that maintain customer information on fewer than 5,000 consumers.

The FTC summarized the modifications in the new rule as providing:

  • More guidance on how to develop and implement specific aspects of an overall information security program.
  • New provisions to improve the accountability of information security programs.
  • Exemptions for financial institutions that collect less customer information.
  • Inclusion of entities engaged in activities that are incidental to financial activities.
  • New terms and examples.

The updated Safeguards Rule applies to financial institutions, including colleges and universities, and its provisions became fully effective on June 9, 2023.

Framework and Controls

The original Safeguards Rule was brief and provided scant guidance on specific controls and other required measures, so many organizations adopted an information security framework, e.g., the NIST Cybersecurity Framework (CSF) or the ISO/IEC 27000 series, or a more comprehensive set of controls, e.g., NIST SP 800-53 or NIST SP 800-171, to augment their security program.

The revised (2022) Safeguards Rule contains many more controls and specific requirements (e.g., encryption and multi-factor authentication) and can stand alone. However, most institutions continue to use a cybersecurity framework or body of controls to complement the rule’s requirements and round out their information security program.

The Data Breach Reporting Rule

In 2023, the FTC amended the Safeguards Rule again to add a data breach reporting requirement, which took effect on May 13, 2024.

Under the amended rule, a covered institution that discovers a notification event, meaning the unauthorized acquisition of unencrypted customer information involving at least 500 consumers, must notify the Federal Trade Commission as soon as possible and no later than 30 days after discovery. Two details matter in practice: encrypted information is treated as unencrypted if the encryption key was also acquired, and the 30-day clock starts at discovery, so the incident response process needs a defined point at which an event is considered discovered and its scope sized.

Synergies Between the GLBA and a Cybersecurity Program

Many of the Safeguards Rule’s requirements align nicely with cybersecurity best practices. Here are several ways the GLBA directly contributes to improving an organization’s cybersecurity posture:

  1. Safeguards Rule and Cybersecurity Controls
    The Safeguards Rule requires businesses to implement a range of protective measures to safeguard consumer data, including multi-factor authentication, audit logging, physical security, access control, and data encryption. These requirements are essential parts of any effective cybersecurity strategy.
     
    For example, businesses must:

      • Implement multi-factor authentication (MFA).
      • Encrypt sensitive data to ensure that, even if intercepted, it remains unreadable to unauthorized parties.
      • Limit access to consumer data by enforcing access control policies to ensure only authorized persons can view or modify sensitive information.
      • Regularly test security systems through penetration testing and vulnerability assessments to identify weaknesses in the organization’s cybersecurity defenses.
      • Adopt secure development practices for in-house applications.

     
    By aligning these safeguards with cybersecurity frameworks such as the NIST Cybersecurity Framework, organizations create a robust security infrastructure that minimizes the risk of data breaches.

  2. Cybersecurity Risk Management
    The GLBA requires financial institutions to assess and manage risks related to the protection of consumer financial information. This is directly in line with cybersecurity risk management, a core element of any comprehensive security program. Under the GLBA, businesses must:

      • Maintain a written information security program.
      • Conduct a risk assessment to identify vulnerabilities in their data security infrastructure.
      • Develop a risk management plan that outlines the necessary actions to mitigate identified risks.
      • Continuously monitor and improve the effectiveness of their security measures.
      • Implement change management.
      • Keep audit logs of activity within systems.

     
    Cybersecurity frameworks often emphasize continuous risk management to stay ahead of emerging threats. By incorporating the GLBA’s assessment and management guidelines into their cybersecurity strategy, businesses can develop a proactive approach to identifying, mitigating, and responding to potential security breaches.

  3. Data Minimization and Protection
    Both the GLBA and cybersecurity principles stress the importance of minimizing the collection and use of sensitive data to reduce the risk of breaches. Under the GLBA, businesses must implement policies to:

      • Limit the collection of consumer information to what is necessary for conducting business.
      • Securely store data and dispose of it once it is no longer needed (and, absent a legitimate business need or legal retention requirement, no later than two years after its last use), so that outdated or irrelevant data does not linger as a liability.
      • Periodically review access permissions.
      • Periodically review your data retention policy.

     
    For cybersecurity, this principle aligns with data protection measures such as data masking and secure data storage (and backups). Ensuring sensitive data is properly secured and only necessary information is collected helps reduce exposure to potential data breaches or cyberattacks.

  4. Training Employees on Cybersecurity and GLBA Compliance
    Employee security awareness training is an essential component of both cybersecurity and GLBA compliance. The GLBA requires financial institutions to train their staff on the importance of consumer privacy and security and to educate them about the organization’s data-handling practices. This includes:

      • Teaching employees how to handle sensitive financial data securely.
      • Providing guidance on recognizing and reporting phishing attempts and other common cyber threats.
      • Confirming employees understand the legal consequences of mishandling customer data.

     
    Cybersecurity training programs educate employees on recognizing cyber threats, using strong passwords, and following secure data-handling practices, which are equally crucial in safeguarding an organization’s data. Regular training on GLBA compliance helps employees understand their role in keeping customer data safe and helps prevent accidental breaches.

  5. Incident Response and GLBA Compliance
    Both the GLBA and cybersecurity regulations require organizations to have a solid incident response plan in place. Testing the incident response plan helps to identify weaknesses in the plan, ensure coordination among team members, and improve the organization’s ability to respond to real incidents. In the event of a data breach or cybersecurity incident, businesses must be able to:

      • Maintain a written incident response plan.
      • Quickly detect and respond to the breach to minimize damage.
      • Notify the FTC within the Safeguards Rule’s 30-day window when the event meets the notification threshold, and notify affected individuals where other applicable laws (such as state breach notification statutes) require it.
      • Investigate and document the breach to identify the root cause and prevent future incidents.

     
    Effective cybersecurity incident response strategies assist businesses in managing breaches quickly under the GLBA. By integrating the GLBA’s specific requirements for breach notification with comprehensive cybersecurity incident response plans, organizations can comply with legal obligations and protect their reputations.

The GLBA and Cybersecurity Are Interdependent

In today’s interconnected world, the relationship between cybersecurity and data privacy is stronger than ever. The GLBA not only requires businesses to protect consumer financial data but also mandates companies take specific, actionable steps that overlap directly with cybersecurity best practices.

From encryption and access controls to risk management and employee training, GLBA compliance enhances cybersecurity efforts and helps build a more resilient organization.

As cyber threats become more sophisticated, businesses must recognize that GLBA compliance is not just about adhering to regulation—it’s about strengthening their overall cybersecurity defenses. By aligning these two areas, businesses can better protect sensitive consumer information, reduce the risk of data breaches, and avoid costly fines and penalties.

Next Steps

If your organization is still navigating GLBA compliance or looking to improve its cybersecurity measures, it’s time to integrate both efforts. Take actionable steps to align your cybersecurity strategies with GLBA requirements and keep your employees informed and vigilant.

A proactive approach to cybersecurity and GLBA compliance is not just a legal obligation; it’s a critical step toward building trust with your customers and securing your organization’s future.

If you need assistance with your GLBA compliance or cybersecurity programs, CampusGuard can help! Contact us for assistance.


About the Author

David Bivens

Security Advisor

David’s IT career started in his hometown of Atlanta, writing application programs for the public school system. He has held a variety of positions, both in the public sector and private industry, and became interested in security around the time of the Y2K adventure. Prior to joining CampusGuard, he served as a Deputy ISO, a Data Security Officer, and a network security engineer/consultant. In his spare time, he enjoys motorcycling, experimenting with computers, and playing video games.
