The GLBA Safeguard Rule has changed, and it isn't just banks that need to understand it.

Back in 1999, the Gramm-Leach-Bliley Act was passed in the United States. Its main purpose was to allow banks to offer services that previously were forbidden by laws passed even farther back in 1933. In doing so, the scope of these new rules surrounding these services not only applied to banks, but also to any organization that offered them.

A primary component of this Act, Section 501, requires the protection of non-public personal information. It states, "...each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information."

Privacy, Security, Confidentiality. Could you identify a hot topic in information security today that doesn't involve one or all three of those areas? Couple that intense interest with the changes in technology that have occurred over the past 20 years, and the current pace that they continue to change, and you can understand why amendments to the GLBA were needed.

The main rule we will discuss here is the Standards for Safeguarding Customer Information, commonly called the Safeguards Rule. Originally published in 2001, this rule was just amended (January 10, 2022) and some of the most important provisions will become effective on December 9, 2022. The overlying goal of this rule is the requirement to have, "the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information."

Does this apply to me?

You can't duck the issue based on size. Nearly all rules apply, regardless of size, except for some new elements which apply to entities that maintain fewer than 5,000 consumer records. The most important qualifier is:

  1. You are considered to be a "financial institution" under the GLBA's definitions, or
  2. You receive information about customers of financial institutions.

If either of these are true, then the GLBA rules apply to you.

What is a financial institution according to the GLBA? The exact definition is, "any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k)."In case you don't have the Bank Holding Company Act handy, here is a list of examples of financial institutions that the GLBA applies to, as noted in 16 CFR 314.2(h)(2)(iv):

These are just some examples, and this list is not all inclusive. Note that simply letting someone run a tab or accepting payments in the form of a credit card that was not issued by the seller does not make an entity a financial institution.

Ok, it applies to me. Now what?

At the heart of the Safeguards Rule are a number of key elements involving the development, maintenance, and enforcement of a written information security plan (ISP). The keys aspects and notable amendments:

  1. A single qualified individual must be designated to oversee, implement, and enforce the ISP. This is a change from the original language, which allowed for one or more employees to coordinate the program.If your organization doesn't have a qualified individual on staff, a third-party company can be utilized for this function. This does, however, require the designation of a senior member of the organization to direct and oversee the third-party representative(s) and all compliance obligations remain with the hiring organization.
  2. A risk assessment process must be in place. This process must identify and assess risks to customer information in each relevant company area and evaluate the effectiveness of current controls implemented to mitigate those risks. This is not a new requirement, however, for companies maintaining information on 5,000 or more customers, the following elements must be part of the risk assessment documentation:
    1. The criteria used to evaluate and categorize risks and threats to information systems
    2. The criteria used to assess the confidentiality, integrity, and availability of information and systems used to process customer information and adequacy of the existing controls
    3. A description of how identified risks will be mitigated or accepted, and how the ISP will address those risks
  3. Design and implement a safeguards program, and regularly monitor and test it. This is not a new requirement, however, the amendments added eight specific types of safeguards that must be part of this program:
    1. Physical and technical access controls, including a review of authorized users
    2. Identification and evaluation of the data, personnel, devices, and systems used that interact with customer data
    3. Encryption of all customer information, both in transit and at rest
    4. Secure development practices and security testing for applications used for transmitting, accessing, or storing customer information
    5. Implementation of multi-factor authentication for any information system that contains customer information accessed by any individual. This requirement can also be met if the qualified individual noted in item 1 has approved an equivalent or stronger control.
    6. Procedures for the secure disposal of customer information no later than two years after the last date the information is used unless retention is otherwise required or necessary for legitimate business purposes
    7. Implementation of change management policies
    8. Implementation of policies, procedures, and controls to monitor and log authorized user activity and detect unauthorized use
  4. Routine testing and monitoring of controls enforcing the safeguards program must be conducted to evaluate their effectiveness. This is not a new addition; however, two specific control tests are now required for companies maintaining information on 5,000 or more customers:
    1. Conduct vulnerability scanning at least every six months
    2. Undergo penetration testing at least annually
  5. Specific policy requirements for training of information systems personnel and general security awareness training. The amendments add specificity to the existing training requirements that were already in place and require formal documentation of the policies. These specific elements include:
    1. Security updates and training procedures to address new risks specific to systems that are running in the enterprise's environment
    2. Verification that key personnel are maintaining their knowledge of threats and available defenses against those threats
    3. General security awareness training requirements and procedures for all employees and engaged third parties utilizing the enterprise's information systems
  6. The requirement to oversee service providers that assist in the preparation, maintenance, and use of the environment handling consumer data was part of the original rule. This requires the selection of service providers capable of maintaining appropriate safeguards, and that contract language mandates these safeguards. The amendments add an additional requirement that the service providers must be periodically assessed on the risks associate with their use, and the adequacy of the safeguards they have implemented.
  7. A new requirement for entities handling more than 5,000 consumer records is for the existence of a written incident response plan. There are seven requirements for this plan in the new amendments:
    1. Stated goals of the response plan
    2. A description of internal procedures for responding to a security event
    3. The definition of roles, responsibilities, and levels of decision-making authority for individuals involved in the incident response process
    4. Plans for handling internal and external communications, and details on the use of information sharing resources
    5. Procedures for the remediation of identified weaknesses in information systems and associated controls
    6. Requirements for documenting and reporting of security events, procedures classifying incidents, and the activation of the incident response plan
    7. A defined process for post-incident performance, evaluation, and revision of the incident response plan following an event.
  8. Another new requirement for entities handling more than 5,000 consumer records is for a written report, presented to the enterprise's governing body or senior/executive level individual, done on at least an annual basis. This report is to be created by the qualified individual responsible for oversight of the ISP as noted in item number one. There are two elements required to be in the report:
    1. The overall status of the ISP, including its compliance with the updated Safeguards Rule
    2. Recommendations for changes or improvements, and any other material matters related to the ISP

That's a lot of stuff! How long do I have to comply?

Covered financial institutions should be in compliance with the non-amended components of the Safeguards Rule already, since the formal effective date of the rule was January 10, 2022. The FTC has allowed for an effective date of December 9, 2022, for the amended provisions due to the length of time required to implement them.

Are there penalties for non-compliance?

Besides the potential costs associated with breaches, successful malware attacks, ransomware, and the like, there are penalties that can be assessed by the FTC for non-compliance. These penalties can apply to the enterprise and/or individuals responsible for compliance as follows:

So, if this does apply to you and your organization, hopefully you are already compliant and none of this was a surprise to you. If this doesn't apply to you, I commend you for reading on. And if it applies and you are completely surprised by the requirements and amendments, the clock is ticking!

How prepared is your organization?

See the original publication found in On Balance Magazine.

At some point in 2015, cybercriminals had an aha moment. Instead of going through all of the trouble of breaking into a network, stealing data and then executing a complicated scheme to monetize that data, they found a shortcut - and it was already paved.

Data encryption was touted as a defense against attempts to steal data, and companies implemented encryption to keep their data safe. It did not take long for the bad guys to figure out a way to turn those defenses around: Encrypt the data and hold the key for ransom. Already armed with methods to trick users into running things they should not, attack methods were created that locked companies out of their own computers, data stores and applications.

Faced with the prospect of being without key systems and data for long periods of time, criminals offered a quick fix: Pay us to fix it. Insurance companies often encouraged payments, calculating that it was more economical to pay upfront than to pay for rebuilding systems, covering lost revenue and buying new equipment.

The result was predictable. Criminals saw big pockets behind the companies they were attacking. They widened their attacks and increased the ransom demands. More criminals got into the game, realizing how profitable this venture was becoming.

How to measure your readiness

The biggest question that companies are asking today is this: "Can we survive a ransomware attack?" To answer that, it is best to break the threat down to four questions:

  1. Can we protect against the attack?
  2. Can we detect the attack?
  3. How do we respond to the attack?
  4. If the attack is successful, how will we recover?

Protect

The components of protection should be familiar, as they are the basic hygiene items needed to stop any cybersecurity threat:

Rights management

• Privileged access or admin access to devices throughout the network should be limited, with specialized accounts set up for local administrator tasks. When many users have admin access to many machines, ransomware spreads like wildfire.
• Access to file shares across the network should be only as-needed. Ransomware will look to encrypt whatever files the user who launched it can see and change. If the infected user has limited rights on file shares, the damage that can be caused will be limited.

Patch management

Malware normally finds its way onto computers that are missing patches. Ransomware is no different; yet patching continues to be a shortcoming in many organizations' defenses. The keys to having an effective patch management program are to:

• Ensure ALL operating systems and platforms are covered by an automated patching system.
• Ensure ALL applications are covered by an automated patching system.
• Perform scans routinely on all systems in the environment to confirm the automated patching systems are functioning as intended.

Endpoint protection

Organizations need to have current and up-to-date technology defending endpoints. Anti-virus applications installed and forgotten five years ago do not meet this requirement. Make sure the endpoint protection system is actively monitored to ensure components are current and protections are not disabled.

Network segmentation

When commercial buildings, hotels and homes are built, codes have to be followed for a number of reasons, one of which is to ensure that fires have difficulty spreading from room to room and floor to floor. A computer network should be no different. Networked devices in one department should be able to see networked devices in another department only if there is a justified business requirement.

Detect

One of the most important aspects of limiting the damage of a ransomware attack is to know when it is happening. Following are the key steps to sharpening any company’s detection capabilities:

"How an organization responds to a ransomware attack directly affects the amount of system damage caused by the attack."

  1. Have a correctly configured Security Information and Event Management (SIEM) tool.
    SIEM tools collect logs from a variety of sources. But a SIEM is like a musical instrument. It will be a dust collector unless someone knows how to play it. SIEMs prove their worth when they are configured to analyze the logs and produce alerts directed to the right people. Instead of having people who pore through logs looking for problems, a finely tuned SIEM is a force multiplier, sending the right information to the right people to allow them to troubleshoot and prevent problems before they escalate.
  2. Conduct realistic tabletop exercises.
    Many organizations go through the exercise of bringing people into a room to talk about a possible scenario and find out what will be done. Very few organizations integrate actual actions, such as retrieving log information or confirming SIEM notices as part of the exercise. Put realism into these exercises by having simulated attacks during the tabletops to prove your detective measures are working.

Respond

How an organization responds to a ransomware attack directly affects the amount of system damage caused by the attack. That response also affects the damage to its reputation with customers and the morale of its employees. This is where a formal incident response plan (IRP) is essential. The basic components of the IRP should include:

• Defined members of an incident response team (IRT).
• Contact information for external resources (such as the media, law enforcement and third-party consultants).
• Templates for communicating with employees, customers and vendors.

Specific to ransomware, the IRP should have a playbook for procedures related to a ransomware attack. Such a playbook can be designed through a tabletop ransomware exercise. This playbook will be unique to the organization with steps specific to the IRT members. Steps should include:

• User actions when ransomware is suspected.
• Specific steps for isolating network segments or systems.
• Communication steps with members of the IRT.

Recover

Recovering from a ransomware attack normally involves one of three options.

1. Recover via backups.

To be viable, backup systems and images cannot be compromised by the ransomware. Attackers will often look to encrypt backup systems first so that a system restore is not possible. To protect the ability to recover systems and data, organizations should:

• Maintain protected gold images of systems to ensure restoration to a known trusted state.
• Keep copies of data backups that cannot be overwritten and are disconnected from the production network.

2. Pay the ransom.

Some companies are forced into this solution. Some look to it as the path of least resistance. There are risks that come with this choice: Will the decryption key be effective? Criminals realized early on that it is more profitable in the long run to provide the key. That does not mean it will be useful. In the case of the recent Colonial Pipeline attack, a large payment was made only to find the decryption tool was too slow to be of use (Morse, 2021). Unfortunately, if you're attacked once, you may be attacked again. A recent report indicated that 80% of businesses that paid to recover from an attack experienced a subsequent ransomware attack (Yu, 2021).

3. Rebuild from scratch.

This is the most painful scenario, normally chosen when backups cannot be restored and/or the purchased decryption key is not working.

What next?

Hopefully, this guide helps you to understand and prepare for these attacks. The tactics of the criminals continue to escalate with the release of captured data and the use of personal attacks on corporate executives to compel payment. Our efforts to resist need to meet these threats. Here are two resources to help in the fight:

• The website "No More Ransom!" (www.nomoreransom.org) contains resources to help victims retrieve their data without paying the criminals. Tools include working decryption keys for known ransomware variants.
• In June 2021, the National Institute of Standards and Technology (NIST) released a draft of a framework to use in managing risks associated with ransomware. This is a free resource which can be accessed here:
https://csrc.nist.gov/CSRC/media/Publications/nistir//draft/documents/NIST.IR.8374-preliminary-draft.pdf

linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram