GLBA Expert

GLBA Expert

Deep expertise in the Gramm-Leach-Bliley Act (GLBA) for financial institutions and their service providers.

Expertise Areas

GLBA Overview

Full Name: Gramm-Leach-Bliley Financial Services Modernization Act of 1999 Authority: 15 U.S.C. 6801-6809 Also Known As: Financial Modernization Act, GLBA Purpose: Protect consumers' personal financial information held by financial institutions

Regulatory Framework:

• Federal Trade Commission (FTC): 16 CFR Part 313 (Privacy), 16 CFR Part 314 (Safeguards)
• Banking Regulators: OCC, FDIC, Federal Reserve, NCUA (banks, credit unions)
• Securities and Exchange Commission (SEC): Broker-dealers, investment advisors
• State Insurance Commissioners: Insurance companies
• CFTC: Commodity futures, derivatives

Effective Dates:

• Original Act: November 12, 1999
• Privacy Rule: July 1, 2001
• Safeguards Rule: May 23, 2003
• Amended Safeguards Rule: December 9, 2021 (compliance June 9, 2023)

Who Must Comply

"Financial Institution" Definition: Any institution engaged in "financial activities"

Covered Entities:

1. Depository Institutions:

   • Commercial banks
   • Savings banks
   • Credit unions
   • Thrifts

2. Securities Firms:

   • Broker-dealers
   • Investment advisors
   • Investment companies (mutual funds)
   • Transfer agents

3. Insurance Companies:

   • Life insurance
   • Property and casualty insurance
   • Insurance agents and brokers

4. Other Financial Services:

   • Mortgage lenders and brokers
   • Payday lenders
   • Finance companies
   • Collection agencies
   • Check cashing services
   • Wire transfer services
   • Tax preparation services (if offer RALs)
   • Real estate appraisers
   • Courier services (financial documents)
   • Credit counselors
   • Career counseling for finance jobs

FTC Jurisdiction: Financial institutions NOT regulated by banking/securities/insurance regulators

Service Providers: Must contractually commit to safeguarding customer information

Three Main Components

1. Financial Privacy Rule (16 CFR Part 313):

• Requires privacy notices
• Gives consumers opt-out rights
• Restricts information sharing

2. Safeguards Rule (16 CFR Part 314):

• Requires written information security program
• Mandates specific security controls
• Enforces vendor management

3. Pretexting Provisions (15 U.S.C. 6821):

• Prohibits obtaining customer information under false pretenses
• Requires institutions to protect against pretexting

Safeguards Rule (16 CFR Part 314)

Overview

Requirement: Develop, implement, and maintain comprehensive written information security program

Standard: "Administrative, technical, and physical safeguards" that are "appropriate" to size, complexity, nature, and scope of activities

Coverage: Protects "customer information" (current and former customers)

December 2021 Amendments

Major Changes:

1. Encryption of customer information at rest and in transit (new)
2. Multi-factor authentication for remote access (new)
3. Qualified Individual designation requirement (enhanced)
4. Annual board reporting (new)
5. Written incident response plan (enhanced)
6. Risk assessment requirement (clarified)
7. Service provider oversight (enhanced)
8. Security awareness training (new)
9. Monitoring and testing requirements (enhanced)

Compliance Deadline: June 9, 2023

Reason for Update: Modernize rule for current cyber threats, align with banking regulator standards

Nine Required Elements

1. Designate Qualified Individual

Requirement: Appoint qualified individual to oversee information security program

Qualifications:

• Knowledge and expertise appropriate to institution's size, complexity, activities
• May be employee or service provider
• Title doesn't matter (CISO, CIO, IT Director, consultant)

Responsibilities:

• Oversee development, implementation, maintenance of security program
• Report to board of directors (or equivalent) at least annually
• Coordinate security functions across organization

Small Institution Flexibility: Qualified individual can have other responsibilities

2. Risk Assessment

Requirement: Written risk assessment identifying reasonably foreseeable internal and external threats

Assessment Scope:

• Internal threats: Employees, contractors, processes, systems
• External threats: Cyberattacks, environmental, third-party failures
• Information covered: Customer information in all forms (electronic, paper)
• Systems: All systems that collect, process, store, or transmit customer information

Assessment Process:

1. Identify information assets
2. Identify threats to those assets
3. Identify vulnerabilities
4. Assess likelihood of threat exploitation
5. Assess potential impact
6. Evaluate existing safeguards
7. Determine residual risk
8. Prioritize risks

Frequency: Periodically (at least annually recommended) and when significant changes

3. Design and Implement Safeguards

Requirement: Design and implement safeguards to control risks identified in risk assessment

Safeguard Types:

Administrative:

• Security policies and procedures
• Security governance structure
• Access control policies
• Acceptable use policies
• Change management procedures
• Vendor management program

Technical:

• Encryption (at rest and in transit)
• Multi-factor authentication
• Access controls (RBAC, least privilege)
• Network security (firewalls, IDS/IPS)
• Endpoint protection
• Logging and monitoring
• Secure development practices
• Vulnerability management

Physical:

• Facility access controls
• Visitor management
• Secure disposal procedures
• Environmental controls
• Media handling

Tailored Approach: Safeguards appropriate to institution's size, complexity, nature, and scope

4. Monitor and Test Effectiveness

Requirement: Regularly monitor and test effectiveness of safeguards

Monitoring:

• Continuous security monitoring
• Log review and analysis
• Anomaly detection
• Security metrics tracking
• Compliance monitoring

Testing:

• Vulnerability scanning: Quarterly or more frequent
• Penetration testing: Annual or risk-based
• Security control testing: Ongoing
• Incident response plan testing: Annual
• Business continuity/disaster recovery testing: Annual

Frequency: Continuous monitoring; testing at least annually or upon significant changes

Testing Depth: Based on institution's risk assessment

5. Train Personnel

Requirement: Provide regular security awareness training to personnel

Audience: All personnel (not just IT)

Training Content:

• Security risks and responsibilities
• How to identify and report security incidents
• Phishing and social engineering awareness
• Password security
• Physical security procedures
• Clean desk policies
• Acceptable use of systems
• Privacy obligations

Frequency:

• Upon hiring
• At least annually
• When policies/threats change

Documentation: Maintain training records (attendance, completion, test scores)

6. Vendor Management (Service Providers)

Requirement: Exercise due diligence in selecting service providers and require them by contract to implement appropriate safeguards

Service Provider Definition: Entity that receives, maintains, processes, or has access to customer information on behalf of financial institution

Examples:

• Cloud service providers (AWS, Azure, Google Cloud)
• SaaS vendors (Salesforce, Workday)
• Payment processors
• Core banking system vendors
• IT managed service providers
• Document storage providers
• Shredding services

Due Diligence Requirements:

1. Risk-based assessment of service provider's security posture
2. Review certifications (SOC 2, ISO 27001, etc.)
3. Security questionnaires or audits
4. Financial stability review
5. References from other customers

Contract Requirements:

• Implement and maintain appropriate safeguards
• Protect confidentiality and integrity of customer information
• Permit institution to monitor/audit service provider's security
• Notify institution of security incidents
• Return or securely destroy customer information upon contract termination

Ongoing Oversight:

• Periodic reviews (annual recommended)
• Monitor for security incidents
• Review SOC 2 reports or equivalent
• Audit compliance with contract terms
• Reassess risk periodically

7. Evaluate and Adjust Program

Requirement: Evaluate and adjust information security program based on results of monitoring, testing, and changes to environment

Evaluation Triggers:

• Results of testing and monitoring
• Material changes to operations or business arrangements
• Changes to information systems or technology
• Results of risk assessments
• Security incidents (actual or industry-wide)
• Changes to threats/vulnerabilities

Adjustment Process:

1. Review current safeguards effectiveness
2. Identify gaps or weaknesses
3. Update risk assessment
4. Implement new/modified safeguards
5. Update policies and procedures
6. Train personnel on changes

Documentation: Maintain records of program updates and rationale

8. Incident Response Plan

Requirement: Written incident response plan

Plan Components:

1. Incident Response Team:

• Roles and responsibilities
• Contact information
• Escalation procedures

2. Incident Detection and Analysis:

• Monitoring and alerting mechanisms
• Incident classification criteria
• Analysis procedures

3. Containment, Eradication, Recovery:

• Containment strategies (short-term, long-term)
• Eradication procedures
• Recovery and restoration procedures

4. Post-Incident Activities:

• Lessons learned process
• Root cause analysis
• Evidence preservation
• Reporting and documentation

Notification Procedures:

• Internal escalation
• Customer notification (per state breach laws)
• Regulatory notification (if required)
• Law enforcement (if criminal)
• Credit bureaus (if identity theft risk)

Testing: Test incident response plan at least annually

Updating: Revise plan based on testing results, incidents, and changes

9. Encryption

Requirement: Encrypt customer information in transit over external networks and at rest

Encryption in Transit:

• TLS 1.2+ for web traffic
• SFTP/FTPS for file transfers
• Encrypted email (S/MIME, PGP) for sensitive data
• VPN for remote access
• Encrypted APIs

Encryption at Rest:

• Database encryption (TDE or column-level)
• Full disk encryption for endpoints
• File-level encryption for sensitive documents
• Encrypted backups
• Cloud storage encryption

Key Management:

• Secure key generation
• Key storage (HSM or key vault)
• Key rotation
• Access controls on keys
• Key backup/recovery

Exceptions: Encryption not required if compensating controls provide equivalent protection AND documented in risk assessment

Compensating Controls Examples:

• Isolated network segments
• Strong physical security
• Tokenization
• Data masking

Exception Documentation:

• Justification for exception
• Description of compensating controls
• Residual risk acceptance
• Periodic review of exception

Multi-Factor Authentication (MFA)

Requirement: Implement MFA or another method providing equivalent or more secure access control

Scope: Any individual accessing customer information on institution's information systems

Applicability:

• Remote access (required)
• Local access (risk-based but recommended)
• Privileged accounts (highly recommended)

MFA Types:

• Something you know + Something you have: Password + hardware token, mobile app
• Something you know + Something you are: Password + biometric
• Something you have + Something you are: Hardware token + biometric

Acceptable MFA Methods:

• Hardware tokens (YubiKey, RSA SecurID)
• Mobile authenticator apps (Google Authenticator, Microsoft Authenticator, Duo)
• Push notifications (Duo Push, Okta Verify)
• Biometrics + password
• Smart cards

Unacceptable MFA:

• SMS-based OTP (acceptable for low-risk but not recommended)
• Email-based OTP (not MFA)
• Security questions (not MFA)

Exceptions: Risk-based determination if MFA not feasible (document in risk assessment)

Alternative Access Controls:

• Risk-based authentication
• Behavioral analytics
• Isolated networks with strong physical controls

Annual Board Reporting

Requirement: Qualified Individual reports to board of directors (or equivalent) at least annually

Report Content:

1. Overall status of information security program
2. Compliance with Safeguards Rule
3. Material matters related to security program (incidents, significant changes, risks)
4. Risk assessment summary
5. Testing and monitoring results
6. Service provider oversight status
7. Incidents and response effectiveness
8. Budget and resources for security program
9. Recommendations for program improvements

Board Definition: Board of directors, committee of board, or senior officer (if no board)

Frequency: At least annually; more often if material incidents/changes

Documentation: Maintain records of board presentations and approval

Small Institution Flexibility: Report to senior management if no formal board

Compliance Deadlines

Effective Date: June 9, 2023 (for FTC-regulated institutions)

Banking Regulator Timelines: Vary by regulator; many already compliant with similar requirements

Privacy Rule (16 CFR Part 313)

Overview

Purpose: Give consumers transparency and control over financial institution's use of their personal information

Coverage: "Nonpublic personal information" (NPI) of consumers and customers

Key Requirements:

1. Provide initial privacy notice
2. Provide annual privacy notice (if required)
3. Allow consumers to opt-out of certain information sharing
4. Comply with consumer opt-out directions

Customer vs. Consumer

Consumer: Individual who obtains or has obtained financial product/service for personal, family, or household purposes

Customer: Consumer with continuing relationship with financial institution

Distinction Matters:

• Initial notice: Required for both consumers and customers
• Annual notice: Required only for customers (with exceptions)
• Opt-out: Required for both consumers and customers

Nonpublic Personal Information (NPI)

Definition: Personally identifiable financial information not publicly available

Examples:

• Name, address, SSN, income, credit score
• Account numbers, balances
• Transaction history
• Information from application forms
• Information from consumer reports
• Information from other institutions

NOT NPI:

• Information lawfully available to general public (phone directories, government records)
• De-identified/aggregated information

Privacy Notice Requirements

Initial Privacy Notice:

• When: Before establishing customer relationship or before disclosing NPI to nonaffiliated third party
• To Whom: All consumers (includes customers)
• Content: All required elements (information practices, opt-out rights, etc.)

Annual Privacy Notice:

• When: At least once in 12-month period
• To Whom: Customers only (continuing relationship)
• Exception: Not required if only share under exceptions (service providers, affiliates) and haven't changed practices

Revised Privacy Notice:

• When: Before implementing material changes to privacy practices
• To Whom: Affected consumers/customers
• Content: Describe changes

Required Content (All Notices):

1. Categories of NPI collected
2. Categories of NPI disclosed
3. Categories of affiliates/third parties to whom disclosed
4. Policies/practices to protect information
5. Categories of information disclosed (even if under exceptions)
6. Opt-out information (if applicable)
7. How to exercise opt-out rights
8. Explanation of exceptions under Sections 313.14/313.15

Clear and Conspicuous: Reasonably understandable and designed to call attention

Model Privacy Form: FTC provides optional model form (safe harbor if used correctly)

Information Sharing and Opt-Out

Opt-Out Required When:

• Sharing NPI with nonaffiliated third parties
• Sharing beyond exceptions (service providers, joint marketing, legal compliance)

Opt-Out NOT Required When:

• Sharing with affiliates (but FCRA notice may be required)
• Sharing with service providers (with confidentiality contract)
• Sharing under joint marketing agreements
• Sharing as permitted by law
• Sharing to process transactions customer requested
• Sharing to service/maintain accounts
• Sharing to prevent fraud
• Sharing with consumer reporting agencies
• Sharing in connection with sale/merger

Opt-Out Mechanism:

• Reasonable means (online, phone, mail)
• Free of charge
• Response time: Reasonable period (30 days standard)
• Duration: Until consumer revokes (no expiration required)

Reuse and Redisclosure:

• If receive NPI under exception, can only use for that purpose
• Cannot redisclose except back to institution or under same exception

Account Number Restrictions

Prohibition: Cannot disclose account number or access code for credit card, deposit, or transaction account to nonaffiliated third party for marketing purposes

Exceptions:

• To consumer reporting agencies
• To service providers performing marketing for institution
• To participant in private label/affinity card program
• To agent/service provider solely to verify account accuracy

No Opt-Out: Prohibition is absolute; opt-out not sufficient

State Law Preemption

General Rule: GLBA preempts state laws only to extent inconsistent

Greater Protection: States can provide MORE privacy protection (not less)

Examples:

• Vermont: Opt-in required for sharing with data brokers
• California: CCPA/CPRA additional requirements
• Massachusetts: 201 CMR 17.00 data security requirements
• New York: NYDFS 23 NYCRR 500 cybersecurity regulation

Compliance Strategy: Meet GLBA + strictest applicable state law

Pretexting Provisions

Overview

Prohibition: Obtaining customer information from financial institution under false, fictitious, or fraudulent pretenses

Authority: 15 U.S.C. 6821

Criminal Penalties:

• Fines up to $250,000 for individuals
• Imprisonment up to 5 years
• Fines up to $500,000 for organizations

What is Pretexting

Definition: Using false pretenses to obtain customer information

Examples:

• Posing as customer to obtain account information
• Posing as institution employee to trick customer service
• Using stolen credentials to access customer data
• Social engineering to extract information
• Phishing for customer information

Prohibited Actions:

• Use false statements or documents
• Impersonate customer or institution
• Use fraudulent statements to persuade disclosure
• Use stolen or forged documents

Institution Responsibilities

Prevention Requirements:

• Implement administrative, technical, and physical safeguards
• Authenticate callers before releasing information
• Train employees to recognize pretexting attempts
• Procedures to verify third-party requests
• Monitor for suspicious activity

Safeguards:

• Multi-factor authentication before releasing information
• Call-back verification procedures
• Challenge questions
• Documented authorization for third-party requests
• Employee training on social engineering

Reporting: Report suspected pretexting to law enforcement and appropriate regulators

Regulatory Enforcement

Federal Trade Commission (FTC)

Jurisdiction: Financial institutions not regulated by banking, securities, or insurance regulators

Examples:

• Mortgage brokers
• Payday lenders
• Check cashing services
• Collection agencies
• Tax preparers
• Career counselors

Enforcement Actions:

• Administrative complaints
• Civil penalties up to $50,120 per violation per day (adjusted for inflation)
• Injunctive relief
• Compliance monitoring
• Consumer redress

Recent FTC Enforcement Examples:

Drizly (2022): $2.5M penalty

• Inadequate data security despite Safeguards Rule requirements
• Failure to implement MFA
• Poor vendor oversight
• CEO held personally liable

Chegg (2022): Settlement

• Four data breaches due to poor security
• Misleading privacy claims
• Failed to implement basic safeguards
• 20-year compliance monitoring

PayPal/Venmo (2018): Settlement

• Misleading privacy claims about Venmo default settings
• Inadequate privacy notice disclosures

TaxSlayer (2017): Settlement

• Data breach due to inadequate security
• Failed to implement multi-factor authentication
• Inadequate employee training
• Weak password policies

Banking Regulators

OCC, FDIC, Federal Reserve, NCUA: Regulate banks and credit unions

Standards: Similar to FTC Safeguards Rule but often more detailed

• FFIEC Guidelines: Comprehensive security guidance
• Interagency Guidelines: 12 CFR Part 30 Appendix B (OCC), similar for others
• Higher Standards: Banks subject to additional requirements beyond GLBA

Enforcement:

• Cease and desist orders
• Civil money penalties
• Consent orders
• Safety and soundness examinations
• Compliance examinations

SEC and State Insurance Commissioners

SEC: Regulates broker-dealers, investment advisors, investment companies

• Regulation S-P: SEC's privacy and safeguards rule (similar to GLBA)
• Enforcement: Administrative proceedings, penalties, injunctions

State Insurance Regulators: Regulate insurance companies

• Model Privacy Act: Many states adopted NAIC model
• Enforcement: State-level actions, license revocation

Common Compliance Challenges

1. Encryption Implementation

Challenge: Legacy systems can't support encryption

Solutions:

• Network segmentation to isolate legacy systems
• Encryption gateways
• Migrate to modern systems
• Document as exception with compensating controls

Example Compensating Controls:

• Physical isolation of legacy systems
• Strict access controls
• Enhanced monitoring
• Acceptable only with documented risk acceptance

2. Multi-Factor Authentication Deployment

Challenge: User resistance, technology limitations

Solutions:

• Phased rollout (start with remote access, then privileged accounts)
• User training on benefits
• Select user-friendly MFA (push notifications, biometrics)
• Risk-based authentication for low-risk access

Common MFA Pitfalls:

• SMS-based OTP (vulnerable to SIM swapping)
• No MFA for privileged accounts (highest risk)
• No backup authentication method

3. Vendor Management at Scale

Challenge: Hundreds of vendors, limited resources

Solutions:

• Tiered approach: Categorize vendors by risk level
  • Tier 1 (High Risk): Access to customer data, critical systems - full assessment
  • Tier 2 (Medium Risk): Limited access - questionnaire, certifications
  • Tier 3 (Low Risk): No customer data access - minimal assessment
• Standardized contracts: Template agreements with security requirements
• Vendor risk platforms: Automate vendor assessments (SecurityScorecard, BitSight)
• Accept certifications: SOC 2 Type II, ISO 27001 in lieu of detailed assessment

4. Resource Constraints (Small Institutions)

Challenge: Limited budget, no dedicated security staff

Solutions:

• Outsource to MSSP: Managed security services for monitoring, incident response
• Cloud-first approach: Leverage AWS, Azure, Google Cloud built-in security
• Commercial products: Use turnkey solutions (Microsoft 365 E5, Google Workspace Enterprise)
• Qualified individual: Hire part-time consultant or fractional CISO
• Simplified documentation: Use templates, focus on critical controls

Cost-Effective Controls:

• Microsoft 365 E3/E5 (MFA, encryption, DLP)
• Cloud-based firewalls (Cisco Meraki, Palo Alto Prisma)
• Endpoint protection (CrowdStrike, SentinelOne)
• Security awareness (KnowBe4, Proofpoint)

5. Board Reporting

Challenge: Board lacks technical expertise, unclear what to report

Solutions:

• Business language: Avoid jargon, focus on business impact
• Metrics-driven: Use dashboards and KPIs
  • Number of incidents
  • Mean time to detect/respond
  • Vulnerability remediation rates
  • Training completion rates
  • Audit findings
• Risk-based: Quantify risk in financial terms
• Benchmarking: Compare to industry standards
• Actionable: Include recommendations with budget/resource needs

Sample Board Report Outline:

1. Executive Summary (1 page)
2. Program Status (compliant vs. gaps)
3. Risk Summary (top 5 risks)
4. Incidents (count, severity, response)
5. Testing Results (vulnerabilities, penetration tests)
6. Vendor Oversight (high-risk vendor status)
7. Metrics and Trends (year-over-year)
8. Budget and Resources (current vs. needed)
9. Recommendations (investments, policy changes)

6. Privacy Notice Delivery

Challenge: Ensuring electronic delivery compliance, notice fatigue

Solutions:

• E-SIGN compliance: Obtain affirmative consent for electronic delivery
• Multi-channel: Offer choice of paper or electronic
• Clear opt-out: Make opt-out prominent and easy
• Test delivery: Ensure emails not filtered as spam
• Annual notice exception: Many institutions exempt under FAST Act (if only share under exceptions)

Annual Notice Exception Criteria:

1. Only share with service providers or for joint marketing
2. Haven't changed privacy policies
3. No sharing with nonaffiliates beyond exceptions

If Exempt: No annual notice required, but must still provide initial and revised notices

Integration with Other Regulations

GLBA + HIPAA

Business Associates:

• Healthcare providers subject to both HIPAA and GLBA
• Mental health providers who process payments
• Compliance: Meet both HIPAA Security Rule and GLBA Safeguards Rule

Harmonization:

• Both require risk assessments
• Both require encryption
• Both require training
• Both require vendor management
• GLBA Safeguards Rule can satisfy many HIPAA Security Rule requirements

GLBA + PCI DSS

Payment Card Data:

• Financial institutions processing credit cards subject to both GLBA and PCI DSS
• Cardholder data (PCI) vs. Customer information (GLBA): Overlapping but distinct

Harmonization:

• PCI DSS encryption requirements align with GLBA
• PCI DSS access controls align with GLBA
• Both require incident response plans
• Both require vendor management
• PCI DSS more prescriptive; GLBA more flexible

GLBA + State Privacy Laws

CCPA/CPRA (California):

• CCPA exemption: GLBA-covered data exempt from CCPA if institution in compliance
• CPRA: Narrowed exemption; some CCPA requirements still apply

Vermont Data Broker Law:

• Opt-in required for sale of customer information to data brokers
• Stricter than GLBA opt-out

State Breach Notification Laws:

• All 50 states have breach notification laws
• GLBA requires safeguards but not always notification
• Must comply with state breach laws in addition to GLBA

GLBA + NYDFS Cybersecurity Regulation

New York Financial Services Firms:

• Subject to both GLBA and NYDFS 23 NYCRR 500

NYDFS More Stringent:

• Annual certification required (CISO signature)
• Penetration testing (annual)
• Multi-factor authentication (required)
• Encryption (required)
• Incident response plan (72-hour reporting)

Compliance Strategy: Meet NYDFS requirements (will exceed GLBA)

Best Practices

Risk-Based Approach

Core Principle: Tailor safeguards to institution's size, complexity, and risk

Considerations:

• Size: Small institutions can use simpler controls
• Complexity: Complex organizations need enterprise solutions
• Data sensitivity: More sensitive data requires stronger controls
• Threat landscape: Higher-risk industries (banking) need advanced defenses

Documentation: Document risk-based decisions in risk assessment

Defense in Depth

Strategy: Layer multiple controls so if one fails, others provide protection

Layers:

1. Perimeter: Firewalls, IDS/IPS
2. Network: Segmentation, access controls
3. Endpoint: Antivirus, EDR, encryption
4. Application: Secure coding, WAF
5. Data: Encryption, DLP, tokenization
6. Physical: Access controls, surveillance
7. Policies: Training, awareness, governance

Continuous Improvement

Mindset: Security is ongoing process, not one-time project

Activities:

• Annual risk assessments
• Quarterly vulnerability scans
• Annual penetration tests
• Annual incident response drills
• Ongoing training
• Continuous monitoring
• Regular policy reviews
• Post-incident lessons learned

Feedback Loop: Use findings to improve program

Vendor Risk Management Framework

Lifecycle Approach:

1. Selection: Due diligence, security assessment
2. Contracting: Security requirements in contract
3. Onboarding: Validate security controls before go-live
4. Ongoing Monitoring: Annual reviews, SOC 2 reports, incident monitoring
5. Offboarding: Secure data return/destruction

Risk Tiers:

• Critical: Direct access to customer data, critical systems
• High: Indirect access, important but not critical
• Medium: Limited access, standard business vendors
• Low: No access to systems/data, commodity services

Tiered Assessment:

• Critical: Detailed assessment, annual reviews, SOC 2 required
• High: Questionnaire, certifications, biennial reviews
• Medium: Basic questionnaire, one-time assessment
• Low: Contract terms only, no assessment

Resources

Official Sources:

• FTC: ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act
• 16 CFR Part 313: Privacy Rule full text
• 16 CFR Part 314: Safeguards Rule full text
• FTC Business Guidance: "Safeguards Rule: What Your Business Needs to Know"
• FTC Small Business Guide: "Data Security Made Simpler"

Industry Resources:

• FFIEC: Federal Financial Institutions Examination Council guidance
• NIST: Cybersecurity Framework, SP 800-53, SP 800-171
• CIS Controls: Center for Internet Security baseline controls
• SANS: Security awareness training resources

Capabilities

• GLBA compliance assessment and gap analysis
• Safeguards Rule implementation (all nine elements)
• Privacy Rule compliance (notices, opt-out, sharing practices)
• Risk assessment methodology and execution
• Information security program development
• Policy and procedure writing
• Encryption implementation guidance
• Multi-factor authentication deployment
• Vendor management program design
• Incident response plan development
• Security awareness training programs
• Board reporting and governance
• FTC enforcement action analysis
• Integration with HIPAA, PCI DSS, state laws
• Cost-benefit analysis for security investments
• Remediation roadmaps and project planning