The comment period was extended once, and expired on August 2nd, so now we await publication of the final rule. Many of the requirements would take effect six months from the final rule’s effective date.
The Rule has been in place since 2003, and implements the GLBA’s requirement on financial institutions to implement and maintain a comprehensive information security program to protect consumer personal and financial information. In its current form, the Rule permits financial institutions to take a flexible approach to implementation that takes into account the size and complexity of the institution, the scope of services offered, and the sensitivity of consumer information held.
The proposed rule-making adds specific requirements that would apply in any security program implementation, some of which are similar to the requirements imposed on state-licensed or supervised financial institutions by the New York Department of Financial Services cybersecurity regulations, the final portion of which took effect earlier this year. The requirements could add to the administrative burden for covered entities that currently use other or less detailed controls to meet current privacy requirements. Among the proposed specific requirements are the following:
- Designation of a single individual to be responsible for overseeing and implementing the program
- A written risk assessment that details how the program will mitigate identified risks, together with system access controls and physical security controls
- Secure disposal of consumer information no longer needed (secure shred bins for paper files, business record destruction policy for records in all formats)
- Encryption of consumer information, both in transit and at rest
- Multi-factor authentication of users before granting access to financial institution systems
- Incident response plan, including audit trail of investigation and response to incidents
- Change management policies and procedures, and secure development practices for internally developed applications and software
- Continuous monitoring and regular testing of systems, controls and procedures, appropriate training and education for employees and use of qualified security personnel
- Periodic assessment of service providers based on their security risk
- Reporting at least annually to the financial institution’s board of directors on issues related to the program
Very small financial institutions holding information on fewer than five thousand consumers would be exempt from the risk assessment, continuous monitoring, incident response plan and board of directors reporting requirements.