GLBA Compliance Assessments

The Gramm-Leach-Bliley Act (GLBA) is a federal law in the United States that protects consumer financial privacy. It requires financial institutions to safeguard consumer data and explain their information security practices to their customers, while allowing consumers to opt out of having their information shared.

Who Does GLBA Apply To?

GLBA applies to financial organizations that are “significantly engaged” in financial activity. This includes:

  • Banks
  • Lenders (including retailers and auto dealers that offer their own lines of credit)
  • Wire transfer and money order service providers
  • Check cashing organizations
  • Debt collectors
  • Financial, investment, or economic advisory organizations
  • Tax preparation services
  • Personal property and real estate appraisers
  • Institutions of higher education (IHEs) that offer financial aid

Under the law, covered organizations must also confirm that their third-party service providers meet GLBA requirements. As part of the due diligence process, organizations that provide products or services to these financial institutions (such as payment processors and call centers) may need to prove that they have implemented appropriate safeguards for the protection of NPI (nonpublic personal information).

Our GLBA Compliance Services

360 Advanced provides a full range of cybersecurity and compliance services to financial institutions and their vendors. We offer GLBA risk assessments, gap assessments, and compliance assessments.

Risk assessments are a mandatory component of a GLBA-compliant information security program. For most organizations, an annual risk assessment satisfies this requirement. However, a new assessment should also be completed after any major change to a system.

We can help you assess your internal and external threats. Our GLBA risk assessments cover:

  • Your information management systems, including network and software design; information processing; storage; and disposal
  • Your data inventory
  • Your measures for detecting, preventing, and responding to attacks
  • Your employee training programs
  • Your management team’s approach to governance and risk management

The risk assessment process serves as a valuable opportunity for you to identify new vulnerabilities, assess your current safeguards, and evaluate the potential impact and likelihood of a breach.

A gap assessment will help you identify any areas of your service environment that are not applicable to the GLBA standard, and will reveal where you already meet GLBA compliance requirements and where you need new (or stronger) controls. If remediation is necessary, our auditors will provide a prioritized list of recommendations.

A third-party GLBA compliance assessment can provide additional validation for your privacy and security efforts.

360 Advanced will assess your written information security program, including administrative, technical, and physical safeguards that protect the security, confidentiality, and integrity of customer information. Specifically, our procedures will address the Guidelines Establishing Standards for Safeguarding Customer Information, as mandated by Section 501(b) of GLBA.

After your assessment, you will receive a GLBA compliance report that you can share with customers and stakeholders. This provides independent assurance that your information security program meets GLBA standards.

If you are subject to the Gramm-Leach-Bliley Act, you may have additional privacy and security obligations. For instance, you may need to demonstrate compliance with the Payment Card Industry Data Security Standard or the FFIEC Cybersecurity Framework.

At 360 Advanced, we can help you complete multiple cybersecurity and compliance initiatives through a single, streamlined engagement. Leveraging each of your efforts to meet multiple requirements, our team can help you build an integrated strategy that saves you time and money.

GLBA requirements apply to NPI. This includes:

  • Names, addresses, social security numbers, income statements, and other information provided when applying for a financial product or service
  • Account numbers, loan or deposit balances, and other information related to financial accounts or transactions

GLBA calls for ensuring the security, confidentiality, integrity, and proper disposal of this consumer information in both physical and electronic formats.

The Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act requires organizations to tell customers about their information management practices. Under this rule, privacy policies must include:

  • Information about the types of information that are collected and disclosed
  • The categories of third parties that receive the customer’s information
  • Policies and practices related to the processing of NPI

In some cases, a short-form policy may be acceptable, but a long-form policy must be available on request.

The GLBA Privacy Rule also gives customers the right to opt out of having their data shared. Financial organizations must give their customers a reasonable amount of time to opt out before providing their information to a third party.

The GLBA Safeguards Rule requires organizations to take – and document – steps to secure NPI. It specifically covers:

  • Access controls for customer information systems
  • Access restrictions for physical locations that contain customer information
  • Encryption policies
  • Procedures to control changes to an organization’s information system
  • Dual control procedures, segregation of duties, and employee background checks
  • Monitoring systems and procedures
  • Response programs
  • Measures to protect customer data from environmental damage

However, the Safeguards Rule does not specify which controls an organization must use. Instead of outlining specific information security requirements, it encourages each organization to “adopt the measures [it] concludes are appropriate.”

The Pretexting Provisions also support a strong cybersecurity program. They instruct institutions to implement controls (such as employee training programs and monitoring systems) to safeguard against phishing, social engineering, and other common attacks.

GLBA guidelines require financial institutions to deliver an annual report to their board. This report should cover:

  • The status of the organization’s information security plan
  • A summary of the organization’s most recent risk assessment
  • Risk management and control decisions
  • Service provider agreements
  • Any recent security violations and corresponding safeguards that were implemented in response

Connect with a GLBA Compliance Assessor

If you need to demonstrate GLBA compliance, our team is here to help. For more information, contact us today.