The Gramm-Leach-Bliley Act of 1999, also known as the Gramm-Leach-Bliley Financial Services Modernization Act, modernized the regulations governing financial institutions. One part of this act concerns how these organizations disclose their information-sharing practices and how they protect sensitive data. The financial industry is a prime target for cybercriminals seeking a profitable return on their activities, so it is essential for businesses to comply with these regulations.
The Penalties of Non-compliance
A failure to comply with GLBA carries several fines to consider. The organization receives a $100,000 fine for each violation, as well as an additional amount of up to one percent of the company’s assets. The FDIC has the option to cancel … Senior executives are directly penalized $10,000. Employees may also face fines on an individual basis: if they don’t follow the safety policies and procedures in place, they may receive a $1,000,000 fine and between 5 and 12 years of prison time.
Who is Subject to the GLBA
You may assume that only financial institutions such as banks have to worry about this act. However, a business of any size that offers financial services and products is covered. Some examples of non-bank organizations that have to follow GLBA include credit reporting agencies, mortgage brokers and tax preparers.
How to Comply With the GLBA
Your organization needs to have safeguards that protect consumer data, as well as ensuring that affiliated partners and providers take the same approach with this information. Here are the major requirements set by the GLBA.
- Written IT security plan: You need to put together a plan that goes over the structure of your IT security and the ways that it keeps customer data safe. Your proposed security measures should account for the type of consumer information you work with, the complexity of your infrastructure and your business activities.
- Coordinator(s) for the program: You need at least one employee who oversees this program to ensure that everything is implemented and maintained properly.
- Risk audit and assessment: By auditing and continually assessing the IT security plan, you identify potential vulnerabilities, discover whether the measures are effective and understand the risks that data faces on your systems. The Safeguards Rule highlights three operational areas: information systems, managing system failures, and employee management and training.
- Implement safeguards program: After you develop the plan, you need to deploy the hardware, software and policies that it consists of. A change management plan can help you prepare your organization for anything that alters typical operations.
- Proactively monitor the program: Keep an eye on the IT security program to ensure compliance and address any issues before they escalate into major problems or a full data breach.
- Change the program as the IT security landscape changes: The cybersecurity landscape changes on a daily basis. You may need to adapt your plan to confront drastically different risks than were present at its implementation.
- Accommodate unique risks: Every financial institution has a different structure, so a one-size-fits-all approach would leave many gaps for a hacker to get through.
- Only collect what you need: Establish whether you have a business need to collect this information. If you gather consumer data without a clear purpose in place, you could end up with more data than you can properly protect.
IT Security Best Practices for Financial Institutions
Here are several security best practices that cover many common threats and address vulnerability points.
- Vetting your employees: Do your due diligence through background checks and other references so you’re not putting consumer data in the wrong internal hands.
- Limiting employee access to data: Prevent employees from accessing information that they don’t need for their job duties, and remove access from people leaving the organization.
- Creating a strong password policy: Frequently updated, complex passwords reduce the risks of account breaches.
- Governing the use of personal devices: If personal devices, such as smartphones, are allowed in the business environment, you need security policies covering their protection. Otherwise, a compromised device is an easy access point for an opportunistic hacker.
- Encrypting consumer data: Lower the chances of a hacker getting any usable data by encrypting the information that you work with.
- Putting a robust security training program in place: Security knowledge is important for all levels of your organization, as social engineering is one way that hackers get into your systems.
- Staying on top of new security threats: Pay close attention to the latest types of attacks and how to protect your data. If you know the vectors that they’re using, you can increase protection in those areas before a potential attack.
How IT Companies Help You Meet Compliance Requirements
Properly protecting consumer data is an extensive undertaking that requires many resources from your IT team. If you keep them tied up with complying with the Safeguards Rule, they are unable to address other IT duties.
A managed IT company that specializes in IT services for financial service organizations can give you the additional support you need to come into compliance and maintain it. The fines for noncompliance with GLBA are extensive, and the loss of consumer trust after a data breach can be even more costly. Get the assistance you need to follow these regulations.