Start with the ABCs of the GLBA
The Gramm-Leach-Blilely Act of 1999 (GLBA) serves as a protective measure for financial institutions’ customers and was originally passed to repeal the Glass-Steagall Act of 1933 that had prohibited any single institution from taking on more than one role, such as an investment bank also acting as an insurance company. The GLBA once again allowed these entities to merge with responsibility to their customers. According to the Federal Trade Commission (FTC), “GLBA requires financial institutions—companies that offer consumers financial products or services like loans, financial or investment advice, or insurance—to explain their information-sharing practices to their customers and to safeguard sensitive data.”
Under the GLBA, financial institutions must also comply with the Safeguards Rule, which directs financial institutions to properly protect any customer information that they collect. The GLBA, in combination with the Safeguards Rule, allows financial—and financially-related—institutions greater freedom in mergers and associations while also ensuring that they always answer to their customers’ needs for full service, according to the terms of any agreements, and privacy.
Refer to our Essential Guide to GLBA Compliance.
Financial Institutions and the Need for GLBA Risk Assessments
Between the ever-evolving nature of web-based customer data collection and storage and the basic nature of the financial industry, “GLBA is driving the need for vulnerability and risk assessments to be conducted within any banking or financial institution in the United States,” asserts InformIT. New laws and mandates intend to protect everyone involved, and risk assessments help everyone stay accountable and aware of the health of the professional relationship. A risk assessment can also help financial institutions catch simmering issues before they come to a boiling point and wreak havoc, so it is intended to be a preventive step to avoid lack of compliance and other issues that may interrupt standard business operations.
What Does a GLBA Risk Assessment Generally Cover?
In the effort for organizations to stay in complete and consistent compliance to protect their customers’ privacy, regular risk assessments are essential. A useful risk assessment must comply with the most recent updates to the GLBA and must include a clear identification of any foreseeable threats, a full assessment of the likelihood of such threats and the damage they can do, and the assurance of the sufficiency of the financial institution to mitigate any potential foreseeable risks. Once completed, most of the time IT teams are instructed to deliver the results of regular reporting to corporate leadership.
Many organizations follow a basic risk assessment matrix that focuses on customers’ electronically and physically stored data, guided by the following basic requirements:
- Follows and fulfills basic and updated GLBA requirements.
- Is comprehensive to show the full picture of operations.
- Easy to understand and explain to all parties.
- Determines less tangible residual risk for each system, keeping controls, data classification and vulnerabilities in mind.
- Lets each year’s assessment build upon the next for corporate leadership and third-party stakeholders to see trends, patterns and anomalies.
Key broad perspective considerations in a GLBA risk assessment include a review of:
- Network security controls, such as firewalls and encrypted email.
- External and remote security measures to address system usage by remote workers and consultants.
- Security policies and procedures.
- Physical security of IT assets, which includes all company-owed assets such as the system itself and all hardware.
- Physical security of hard copy documentation and filing quality.
- Incident response procedures to system issues that might include data breaches and losses.
- User education and awareness, which might include regular training sessions and adherence to an official employee user policy agreement.
- Disaster recovery and business continuity plans and strategies.
- Third-party security when working with vendors, suppliers, and outsourcing entities.
Evaluate the GLBA Risk Assessment Matrix and Its Components
Evaluating the GLBA risk assessment matrix can help streamline the review process for your IT team. It may help you to break the risk assessment matrix into specialized sections before digging into an intensive review.
Determine the Involvement of Your Organization’s Board In Your GLBA Risk Assessment
Working on a GLBA risk assessment is a collective effort to ensure full compliance. It is important to make sure your organization’s board, or its designated committee, has approved a written Corporate Information Security Program that meets the requirements of the Information Security Guidelines. This group holds the information and authorizations that can best help you coordinate all the necessary elements to conduct a successful risk assessment.
Evaluate the Risk Assessment Matrix for Your Organization
The foundation of the risk assessment matrix is evaluating how effectively your financial or banking institution assesses the risks to its complete customer information system and non-public customer information. Look at factors that include timelines and milestones for collection of data and, most importantly, the level of sensitivity of all customer data.
Reach Out for Professional Help to Ensure the Efficiency of the GLBA Risk Assessment Matrix
In your efforts to help your financial institution protect confidential customer data to nurture a long-cultivated bond of trust, a GLBA risk assessment can help immensely. Continually instilling and reinforcing customer confidence in your security efforts is critical. Considering the massive data breaches in various industries, including financial and banking institutions, over the past several years, your customers will appreciate seeing your diligent efforts in the official GLBA audit report.
Call us at 215-675-1400 to learn about everything from receiving a free quote to getting to work on your GLBA compliance as soon as possible.