If your financial institution is found to not be in compliance with the Gramm-Leach-Bliley Act (GLBA), it will cost you: The institution will be fined $100,000 for every violation of GLBA, while directors and officers can be fined $10,000 per violation and face as many as five years in prison. Individuals may be barred from working in the banking industry and financial institutions may have their FDIC insurance terminated. Given the serious nature of these consequences, it is vital to ensure your institution is in compliance with GLBA, so your compliance audit is successful.
We’ve mentioned some of the common mistakes with GLBA compliance before to raise awareness of where institutions tend to be non-compliant with GLBA. Let’s shift focus to explore key components of a successful GLBA audit, so your financial institution can avoid the negative consequences of GLBA non-compliance.
Understanding GLBA Audits
Before exploring the keys to success, you must understand the process of GLBA audits. In the audit, a third party reviews the policies your organization has developed to ensure you are in compliance with GLBA requirements, which include:
- a written plan for safeguarding consumer information
- a clear incident response plan
- employee education around GLBA compliance
- demonstrated support from leadership
By preparing ahead of time for the audit, your financial institution can streamline the process.
Auditors will review all aspects of your organization’s plan with the goal of understanding, through dialogue, how your plan works and whether it is robust enough. Remember that under GLBA, your plan must be specific and appropriate to your firm’s size, customer base, activities, and complexities. By making sure you are familiar with all aspects of your firm’s plan and can explain from a risk management perspective why certain decisions were made, you can help auditors appreciate your plan’s strong points even as they look for weak areas that need shoring up.
Start the preparation by gathering all relevant documentation pertaining to your financial institution’s policies for safeguarding information. This may be eye-opening for your financial institution, as it isn’t uncommon to realize, while gathering documentation, that your organization has documented policies that are being overlooked in day-to-day operations.
Organize the materials to tell the whole story of your financial institution’s GLBA compliance, for instance by creating a binder devoted to staff training or collating all completed incident response reports by date. When everything is clearly organized, the auditors will be able to dive deep into the audit process to determine your organization’s strengths, weaknesses, and opportunities.
When asked about something, be direct and honest in your response. An auditor will be able to see through a half-truth, and your organization will be penalized. If you do not have the information, find the right person in your financial institution to address the question and pass it off to them.
With these basic principles in mind, your GLBA compliance audit will be successful if you have planned properly for the major variables that affect compliance: staff training, incident response, consumer information safeguards, and robust risk assessment and mitigation.
Staff training
Staff training is key to being in compliance with GLBA, since employees are the “weak link” in the cyber security chain. New employees should receive comprehensive training on your organization’s policies around consumer data protection, while all employees should receive periodic training on privacy protection, data threats, and best practices. All it takes is one employee providing the wrong piece of information via phone or email to unwittingly violate the Safeguards Rule.
Your organization can share memos, written policies, training manuals, online courses, and other documentation with auditors to demonstrate your commitment to educating employees around compliance issues.
Incident response
A robust incident response plan should outline what employees should do if a security incident arises, including what type of information to capture in the immediate aftermath and how to best manage the organization during the response period.
A strong plan will be clear, with decisions and action steps listed. Plans that do not include actionable steps are merely policies; these are not strong enough to pass a GLBA compliance audit.
Good plans are simple enough to be understandable and usable, yet cover all types of data loss incidents, from reporting a misplaced laptop to mitigating a data breach. Oftentimes, organizations focus on the sensationalized threats (e.g., getting hacked) and lose sight of more common issues, like how to handle a lost laptop. This leads to delays in reporting, which can cost valuable time.
The focus of the incident response plan should be on how to help customers. A plan should address how the organization will deal with a request from law enforcement not to notify the public, which is common. It’s best practice to get written notification from law enforcement of their request to keep the incident private, and to find out when you can notify your customers. This helps to offset pushback that can stem from an incident if a regulator or a customer believes they should have been notified sooner.
Since threats change, incident response plans must keep up with shifts. The strongest plans are tested quarterly at a minimum, and integrate solicited feedback for a culture of continuous improvement.
Consumer information safeguards
One part of GLBA compliance is safeguarding sensitive consumer information. Your organization needs a comprehensive written security plan that details the physical, technical, and administrative safeguards for sensitive data, in a manner appropriate to your institution’s size and complexity.
Strong safeguards are coordinated at the organizational level and reviewed by a committee or a dedicated individual, updated once a year or more to reflect changing needs, and tested for viability.
Since technology is constantly innovating, the way you safeguard information may naturally change over time. What is important is that consumers understand how their data is stored, employees understand the requirements regarding sensitive data management, and your organization demonstrates a thorough understanding of risk and mitigation and follows the proper channels for reporting an incident, if one does arise.
Risk assessment and mitigation
To have a thorough GLBA compliance plan, you must understand where risks are and how to mitigate them. Thus, your plan can only be as thorough as your initial assessment of risk.
Mitigating risk isn’t a one-time action; instead, best practice is to demonstrate overall coverage and monitor progress in all aspects (e.g., incident handling) with the goal of continuous improvement.
Risk assessments can shine a light on areas where your organization needs to make improvements. When undertaken periodically and with the goal of bolstering the institution’s performance, these assessments can catch actual problems before the GLBA audit process, allowing you to fix something that would otherwise have been a compliance issue.
Organizations that have top-down support for regulatory compliance do best with GLBA audits. If the Board of Directors does not take compliance seriously, then it will never be a priority for the organization and you may not have a successful audit. There is simply no substitute for engaged leadership doing what is in the best interest of the company.
Get Help With GLBA Compliance
We hope learning about the keys to a successful GLBA compliance audit and the common mistakes to avoid with GLBA has been helpful. If you have any questions about the audit process or the regulations, we at I.S. Partners are more than happy to talk further about your circumstances. Call us at 215-675-1400, request a quote, or launch a live chat to get a quote for a GLBA compliance audit.