---
name: glba-expert
description: GLBA expert for financial institutions. Deep knowledge of Gramm-Leach-Bliley Act including Safeguards Rule (16 CFR Part 314), Privacy Rule (16 CFR Part 313), FTC enforcement, information security program requirements, vendor management, and consumer privacy notices.
allowed-tools: Read, Glob, Grep, Write
---

# GLBA Expert

Deep expertise in the Gramm-Leach-Bliley Act (GLBA) for financial institutions and their service providers.

## Expertise Areas

### GLBA Overview

**Full Name**: Gramm-Leach-Bliley Financial Services Modernization Act of 1999
**Authority**: 15 U.S.C. 6801-6809
**Also Known As**: Financial Modernization Act, GLBA
**Purpose**: Protect consumers' personal financial information held by financial institutions

**Regulatory Framework**:

- **Federal Trade Commission (FTC)**: 16 CFR Part 313 (Privacy), 16 CFR Part 314 (Safeguards)
- **Banking Regulators**: OCC, FDIC, Federal Reserve, NCUA (banks, credit unions)
- **Securities and Exchange Commission (SEC)**: Broker-dealers, investment advisors
- **State Insurance Commissioners**: Insurance companies
- **CFTC**: Commodity futures, derivatives

**Effective Dates**:

- **Original Act**: November 12, 1999
- **Privacy Rule**: July 1, 2001
- **Safeguards Rule**: May 23, 2003
- **Amended Safeguards Rule**: December 9, 2021 (compliance June 9, 2023)

### Who Must Comply

**"Financial Institution" Definition**: Any institution engaged in "financial activities"

**Covered Entities**:

1. **Depository Institutions**:
   - Commercial banks
   - Savings banks
   - Credit unions
   - Thrifts

2. **Securities Firms**:
   - Broker-dealers
   - Investment advisors
   - Investment companies (mutual funds)
   - Transfer agents

3. **Insurance Companies**:
   - Life insurance
   - Property and casualty insurance
   - Insurance agents and brokers

4. **Other Financial Services**:
   - Mortgage lenders and brokers
   - Payday lenders
   - Finance companies
   - Collection agencies
   - Check cashing services
   - Wire transfer services
   - Tax preparation services (if they offer refund anticipation loans, RALs)
   - Real estate appraisers
   - Courier services (financial documents)
   - Credit counselors
   - Career counseling for finance jobs

**FTC Jurisdiction**: Financial institutions NOT regulated by banking/securities/insurance regulators

**Service Providers**: Must contractually commit to safeguarding customer information

### Three Main Components

**1. Financial Privacy Rule (16 CFR Part 313)**:

- Requires privacy notices
- Gives consumers opt-out rights
- Restricts information sharing

**2. Safeguards Rule (16 CFR Part 314)**:

- Requires written information security program
- Mandates specific security controls
- Enforces vendor management

**3. Pretexting Provisions (15 U.S.C. 6821)**:

- Prohibits obtaining customer information under false pretenses
- Requires institutions to protect against pretexting

## Safeguards Rule (16 CFR Part 314)

### Overview

**Requirement**: Develop, implement, and maintain comprehensive written information security program

**Standard**: "Administrative, technical, and physical safeguards" that are "appropriate" to size, complexity, nature, and scope of activities

**Coverage**: Protects "customer information" (current and former customers)

### December 2021 Amendments

**Major Changes**:

1. **Encryption** of customer information at rest and in transit (new)
2. **Multi-factor authentication** for remote access (new)
3. **Qualified Individual** designation requirement (enhanced)
4. **Annual board reporting** (new)
5. **Written incident response plan** (enhanced)
6. **Risk assessment** requirement (clarified)
7. **Service provider oversight** (enhanced)
8. **Security awareness training** (new)
9. **Monitoring and testing** requirements (enhanced)

**Compliance Deadline**: June 9, 2023

**Reason for Update**: Modernize rule for current cyber threats, align with banking regulator standards

### Nine Required Elements

**1. Designate Qualified Individual**

**Requirement**: Appoint qualified individual to oversee information security program

**Qualifications**:

- Knowledge and expertise appropriate to institution's size, complexity, activities
- May be employee or service provider
- Title doesn't matter (CISO, CIO, IT Director, consultant)

**Responsibilities**:

- Oversee development, implementation, maintenance of security program
- Report to board of directors (or equivalent) at least annually
- Coordinate security functions across organization

**Small Institution Flexibility**: Qualified individual can have other responsibilities

**2. Risk Assessment**

**Requirement**: Written risk assessment identifying reasonably foreseeable internal and external threats

**Assessment Scope**:

- **Internal threats**: Employees, contractors, processes, systems
- **External threats**: Cyberattacks, environmental, third-party failures
- **Information covered**: Customer information in all forms (electronic, paper)
- **Systems**: All systems that collect, process, store, or transmit customer information

**Assessment Process**:

1. Identify information assets
2. Identify threats to those assets
3. Identify vulnerabilities
4. Assess likelihood of threat exploitation
5. Assess potential impact
6. Evaluate existing safeguards
7. Determine residual risk
8. Prioritize risks

**Frequency**: Periodically (at least annually is recommended) and whenever significant changes occur

**3. Design and Implement Safeguards**

**Requirement**: Design and implement safeguards to control risks identified in risk assessment

**Safeguard Types**:

**Administrative**:

- Security policies and procedures
- Security governance structure
- Access control policies
- Acceptable use policies
- Change management procedures
- Vendor management program

**Technical**:

- Encryption (at rest and in transit)
- Multi-factor authentication
- Access controls (RBAC, least privilege)
- Network security (firewalls, IDS/IPS)
- Endpoint protection
- Logging and monitoring
- Secure development practices
- Vulnerability management

**Physical**:

- Facility access controls
- Visitor management
- Secure disposal procedures
- Environmental controls
- Media handling

**Tailored Approach**: Safeguards appropriate to institution's size, complexity, nature, and scope

**4. Monitor and Test Effectiveness**

**Requirement**: Regularly monitor and test effectiveness of safeguards

**Monitoring**:

- Continuous security monitoring
- Log review and analysis
- Anomaly detection
- Security metrics tracking
- Compliance monitoring

**Testing**:

- **Vulnerability scanning**: Quarterly or more frequent
- **Penetration testing**: Annual or risk-based
- **Security control testing**: Ongoing
- **Incident response plan testing**: Annual
- **Business continuity/disaster recovery testing**: Annual

**Frequency**: Continuous monitoring; testing at least annually or upon significant changes

**Testing Depth**: Based on institution's risk assessment
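The "log review and analysis" and "anomaly detection" items above are easiest to see as code. The block below is an added example, not part of the original skill definition: it runs three simple detections over constructed access-log records (the JSON field names, thresholds and business-hours window are assumptions for the example) and returns findings that a monitoring team could route to the incident response process.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data): one JSON record per access to a
# customer record. Field names are assumptions for this example.
SAMPLE_LOG = """
{"ts":"2024-03-04T09:12:01Z","user":"alice","src":"internal","mfa":true,"action":"view","record":"C-1001"}
{"ts":"2024-03-04T09:12:40Z","user":"alice","src":"internal","mfa":true,"action":"view","record":"C-1002"}
{"ts":"2024-03-04T02:15:09Z","user":"bob","src":"remote","mfa":false,"action":"view","record":"C-2001"}
{"ts":"2024-03-04T23:30:00Z","user":"carol","src":"remote","mfa":true,"action":"export","record":"C-3001"}
{"ts":"2024-03-04T11:00:00Z","user":"dave","src":"internal","mfa":true,"action":"view","record":"C-4001"}
{"ts":"2024-03-04T11:00:30Z","user":"dave","src":"internal","mfa":true,"action":"view","record":"C-4002"}
{"ts":"2024-03-04T11:01:00Z","user":"dave","src":"internal","mfa":true,"action":"view","record":"C-4003"}
{"ts":"2024-03-04T11:01:30Z","user":"dave","src":"internal","mfa":true,"action":"view","record":"C-4004"}
{"ts":"2024-03-04T11:02:00Z","user":"dave","src":"internal","mfa":true,"action":"view","record":"C-4005"}
{"ts":"2024-03-04T11:02:30Z","user":"dave","src":"internal","mfa":true,"action":"view","record":"C-4006"}
"""


def _parse(lines: str) -> list[dict]:
    events = [json.loads(line) for line in lines.splitlines() if line.strip()]
    for e in events:
        # "Z" suffix is not accepted by fromisoformat on older Pythons
        e["t"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    events.sort(key=lambda e: e["t"])
    return events


def analyze(lines: str, bulk_threshold: int = 5, bulk_window_s: int = 600,
            business_hours: tuple[int, int] = (7, 19)) -> list[dict]:
    """Return a list of findings, each {"rule", "user", "detail"}.

    Rules (thresholds are example values, to be tuned from the risk assessment):
      remote-access-without-mfa : remote session touched customer data with mfa=false
      after-hours-export        : export action outside the business-hours window (UTC)
      bulk-record-access        : >= bulk_threshold distinct records by one user
                                  inside a sliding window of bulk_window_s seconds
    """
    findings = []
    per_user = defaultdict(list)
    for e in _parse(lines):
        if e["src"] == "remote" and not e["mfa"]:
            findings.append({"rule": "remote-access-without-mfa",
                             "user": e["user"], "detail": e["ts"]})
        if e["action"] == "export" and not (business_hours[0] <= e["t"].hour < business_hours[1]):
            findings.append({"rule": "after-hours-export",
                             "user": e["user"], "detail": e["ts"]})
        per_user[e["user"]].append(e)

    # Sliding window per user: count distinct records in any bulk_window_s span.
    for user, evs in per_user.items():
        start = 0
        for end in range(len(evs)):
            while (evs[end]["t"] - evs[start]["t"]).total_seconds() > bulk_window_s:
                start += 1
            distinct = {x["record"] for x in evs[start:end + 1]}
            if len(distinct) >= bulk_threshold:
                findings.append({"rule": "bulk-record-access", "user": user,
                                 "detail": f"{len(distinct)} records within {bulk_window_s}s"})
                break  # one finding per user is enough to open a ticket
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['rule']:28} {f['user']:8} {f['detail']}")
```

The rules are deliberately simple; the point is that each one maps to a safeguard the rule requires (MFA for remote access, controlled data movement, least privilege) so a triggered finding doubles as evidence that the control is being monitored.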

**5. Train Personnel**

**Requirement**: Provide regular security awareness training to personnel

**Audience**: All personnel (not just IT)

**Training Content**:

- Security risks and responsibilities
- How to identify and report security incidents
- Phishing and social engineering awareness
- Password security
- Physical security procedures
- Clean desk policies
- Acceptable use of systems
- Privacy obligations

**Frequency**:

- Upon hiring
- At least annually
- When policies/threats change

**Documentation**: Maintain training records (attendance, completion, test scores)

**6. Vendor Management (Service Providers)**

**Requirement**: Exercise due diligence in selecting service providers and require them by contract to implement appropriate safeguards

**Service Provider Definition**: Entity that receives, maintains, processes, or has access to customer information on behalf of financial institution

**Examples**:

- Cloud service providers (AWS, Azure, Google Cloud)
- SaaS vendors (Salesforce, Workday)
- Payment processors
- Core banking system vendors
- IT managed service providers
- Document storage providers
- Shredding services

**Due Diligence Requirements**:

1. **Risk-based assessment** of service provider's security posture
2. **Review certifications** (SOC 2, ISO 27001, etc.)
3. **Security questionnaires** or audits
4. **Financial stability** review
5. **References** from other customers

**Contract Requirements**:

- Implement and maintain appropriate safeguards
- Protect confidentiality and integrity of customer information
- Permit institution to monitor/audit service provider's security
- Notify institution of security incidents
- Return or securely destroy customer information upon contract termination

**Ongoing Oversight**:

- Periodic reviews (annual recommended)
- Monitor for security incidents
- Review SOC 2 reports or equivalent
- Audit compliance with contract terms
- Reassess risk periodically

**7. Evaluate and Adjust Program**

**Requirement**: Evaluate and adjust information security program based on results of monitoring, testing, and changes to environment

**Evaluation Triggers**:

- Results of testing and monitoring
- Material changes to operations or business arrangements
- Changes to information systems or technology
- Results of risk assessments
- Security incidents (actual or industry-wide)
- Changes to threats/vulnerabilities

**Adjustment Process**:

1. Review current safeguards effectiveness
2. Identify gaps or weaknesses
3. Update risk assessment
4. Implement new/modified safeguards
5. Update policies and procedures
6. Train personnel on changes

**Documentation**: Maintain records of program updates and rationale

**8. Incident Response Plan**

**Requirement**: Written incident response plan

**Plan Components**:

**1. Incident Response Team**:

- Roles and responsibilities
- Contact information
- Escalation procedures

**2. Incident Detection and Analysis**:

- Monitoring and alerting mechanisms
- Incident classification criteria
- Analysis procedures

**3. Containment, Eradication, Recovery**:

- Containment strategies (short-term, long-term)
- Eradication procedures
- Recovery and restoration procedures

**4. Post-Incident Activities**:

- Lessons learned process
- Root cause analysis
- Evidence preservation
- Reporting and documentation

**Notification Procedures**:

- Internal escalation
- Customer notification (per state breach laws)
- Regulatory notification (if required)
- Law enforcement (if criminal)
- Credit bureaus (if identity theft risk)

**Testing**: Test incident response plan at least annually

**Updating**: Revise plan based on testing results, incidents, and changes

**9. Encryption**

**Requirement**: Encrypt customer information in transit over external networks and at rest

**Encryption in Transit**:

- **TLS 1.2+** for web traffic
- **SFTP/FTPS** for file transfers
- **Encrypted email** (S/MIME, PGP) for sensitive data
- **VPN** for remote access
- **Encrypted APIs**

**Encryption at Rest**:

- **Database encryption** (TDE or column-level)
- **Full disk encryption** for endpoints
- **File-level encryption** for sensitive documents
- **Encrypted backups**
- **Cloud storage encryption**

**Key Management**:

- Secure key generation
- Key storage (HSM or key vault)
- Key rotation
- Access controls on keys
- Key backup/recovery

**Exceptions**: Encryption not required if compensating controls provide equivalent protection AND documented in risk assessment

**Compensating Controls Examples**:

- Isolated network segments
- Strong physical security
- Tokenization
- Data masking

**Exception Documentation**:

- Justification for exception
- Description of compensating controls
- Residual risk acceptance
- Periodic review of exception
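Tokenization and data masking are listed above as compensating controls; the block below, an added example rather than code from the original skill definition, shows what each actually does to an account number. The vault design, token format, `caller_authorized` flag and the keyed blind index are assumptions made for this example.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Vault-style tokenization: the account number is replaced by a random
    token with no mathematical relationship to it. The mapping exists only in
    the vault, which becomes the one component that must be tightly protected;
    every other system holds tokens and falls outside the encryption requirement."""

    def __init__(self) -> None:
        self._by_pan: dict[str, str] = {}
        self._by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Same account number -> same token, so downstream records still join.
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            token = "tok_" + secrets.token_hex(8)  # 64 bits of randomness
            if token not in self._by_token:
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str, caller_authorized: bool) -> str:
        # Stand-in for a real access-control check (example assumption).
        if not caller_authorized:
            raise PermissionError("detokenization is restricted")
        return self._by_token[token]


def mask_account(pan: str, keep_last: int = 4, fill: str = "*") -> str:
    """Display masking: keep only the last `keep_last` digits. Spaces/dashes in
    the input are dropped so the output length reflects digit count only."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) <= keep_last:
        return fill * len(digits)
    return fill * (len(digits) - keep_last) + digits[-keep_last:]


def blind_index(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) for equality lookups without storing the number.
    Keyed rather than a plain hash: a 16-digit space is small enough to be
    enumerated by anyone who does not hold the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    vault = TokenVault()
    sample_pan = "4111 1111 1111 1111"  # constructed test number, not a real account
    tok = vault.tokenize(sample_pan)
    print("token:", tok, "masked:", mask_account(sample_pan))
    print("blind index:", blind_index(sample_pan, b"example-key")[:16], "...")
```

Note what the exception documentation above would need to say for such a design: the vault and its HMAC key are the residual risk, so they, not the tokenized systems, carry the encryption, key-management and access-logging controls.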

### Multi-Factor Authentication (MFA)

**Requirement**: Implement MFA or another method providing equivalent or more secure access control

**Scope**: Any individual accessing customer information on institution's information systems

**Applicability**:

- Remote access (required)
- Local access (risk-based but recommended)
- Privileged accounts (highly recommended)

**MFA Types**:

- **Something you know** + **Something you have**: Password + hardware token, mobile app
- **Something you know** + **Something you are**: Password + biometric
- **Something you have** + **Something you are**: Hardware token + biometric

**Acceptable MFA Methods**:

- Hardware tokens (YubiKey, RSA SecurID)
- Mobile authenticator apps (Google Authenticator, Microsoft Authenticator, Duo)
- Push notifications (Duo Push, Okta Verify)
- Biometrics + password
- Smart cards

**Unacceptable MFA**:

- SMS-based OTP (acceptable for low-risk but not recommended)
- Email-based OTP (not MFA)
- Security questions (not MFA)

**Exceptions**: Risk-based determination if MFA not feasible (document in risk assessment)

**Alternative Access Controls**:

- Risk-based authentication
- Behavioral analytics
- Isolated networks with strong physical controls

### Annual Board Reporting

**Requirement**: Qualified Individual reports to board of directors (or equivalent) at least annually

**Report Content**:

1. **Overall status** of information security program
2. **Compliance** with Safeguards Rule
3. **Material matters** related to security program (incidents, significant changes, risks)
4. **Risk assessment** summary
5. **Testing and monitoring results**
6. **Service provider oversight** status
7. **Incidents** and response effectiveness
8. **Budget and resources** for security program
9. **Recommendations** for program improvements

**Board Definition**: Board of directors, committee of board, or senior officer (if no board)

**Frequency**: At least annually; more often if material incidents/changes

**Documentation**: Maintain records of board presentations and approval

**Small Institution Flexibility**: Report to senior management if no formal board

### Compliance Deadlines

**Effective Date**: June 9, 2023 (for FTC-regulated institutions)

**Banking Regulator Timelines**: Vary by regulator; many already compliant with similar requirements

## Privacy Rule (16 CFR Part 313)

### Overview

**Purpose**: Give consumers transparency and control over financial institution's use of their personal information

**Coverage**: "Nonpublic personal information" (NPI) of consumers and customers

**Key Requirements**:

1. Provide initial privacy notice
2. Provide annual privacy notice (if required)
3. Allow consumers to opt-out of certain information sharing
4. Comply with consumer opt-out directions

### Customer vs. Consumer

**Consumer**: Individual who obtains or has obtained financial product/service for personal, family, or household purposes

**Customer**: Consumer with continuing relationship with financial institution

**Distinction Matters**:

- **Initial notice**: Required for both consumers and customers
- **Annual notice**: Required only for customers (with exceptions)
- **Opt-out**: Required for both consumers and customers

### Nonpublic Personal Information (NPI)

**Definition**: Personally identifiable financial information not publicly available

**Examples**:

- Name, address, SSN, income, credit score
- Account numbers, balances
- Transaction history
- Information from application forms
- Information from consumer reports
- Information from other institutions

**NOT NPI**:

- Information lawfully available to general public (phone directories, government records)
- De-identified/aggregated information

### Privacy Notice Requirements

**Initial Privacy Notice**:

- **When**: Before establishing customer relationship or before disclosing NPI to nonaffiliated third party
- **To Whom**: All consumers (includes customers)
- **Content**: All required elements (information practices, opt-out rights, etc.)

**Annual Privacy Notice**:

- **When**: At least once in 12-month period
- **To Whom**: Customers only (continuing relationship)
- **Exception**: Not required if the institution shares only under the exceptions (service providers, affiliates) and has not changed its practices

**Revised Privacy Notice**:

- **When**: Before implementing material changes to privacy practices
- **To Whom**: Affected consumers/customers
- **Content**: Describe changes

**Required Content** (All Notices):

1. Categories of NPI collected
2. Categories of NPI disclosed
3. Categories of affiliates/third parties to whom disclosed
4. Policies/practices to protect information
5. Categories of information disclosed (even if under exceptions)
6. Opt-out information (if applicable)
7. How to exercise opt-out rights
8. Explanation of exceptions under Sections 313.14/313.15

**Clear and Conspicuous**: Reasonably understandable and designed to call attention

**Model Privacy Form**: FTC provides optional model form (safe harbor if used correctly)

### Information Sharing and Opt-Out

**Opt-Out Required When**:

- Sharing NPI with nonaffiliated third parties
- Sharing beyond exceptions (service providers, joint marketing, legal compliance)

**Opt-Out NOT Required When**:

- Sharing with affiliates (but FCRA notice may be required)
- Sharing with service providers (with confidentiality contract)
- Sharing under joint marketing agreements
- Sharing as permitted by law
- Sharing to process transactions customer requested
- Sharing to service/maintain accounts
- Sharing to prevent fraud
- Sharing with consumer reporting agencies
- Sharing in connection with sale/merger

**Opt-Out Mechanism**:

- Reasonable means (online, phone, mail)
- Free of charge
- Response time: Reasonable period (30 days standard)
- Duration: Until consumer revokes (no expiration required)

**Reuse and Redisclosure**:

- An institution that receives NPI under an exception may use it only for that purpose
- It cannot redisclose the NPI except back to the originating institution or under the same exception

### Account Number Restrictions

**Prohibition**: Cannot disclose account number or access code for credit card, deposit, or transaction account to nonaffiliated third party for marketing purposes

**Exceptions**:

- To consumer reporting agencies
- To service providers performing marketing for institution
- To participant in private label/affinity card program
- To agent/service provider solely to verify account accuracy

**No Opt-Out**: Prohibition is absolute; opt-out not sufficient

### State Law Preemption

**General Rule**: GLBA preempts state laws only to extent inconsistent

**Greater Protection**: States can provide MORE privacy protection (not less)

**Examples**:

- **Vermont**: Opt-in required for sharing with data brokers
- **California**: CCPA/CPRA additional requirements
- **Massachusetts**: 201 CMR 17.00 data security requirements
- **New York**: NYDFS 23 NYCRR 500 cybersecurity regulation

**Compliance Strategy**: Meet GLBA + strictest applicable state law

## Pretexting Provisions

### Overview

**Prohibition**: Obtaining customer information from financial institution under false, fictitious, or fraudulent pretenses

**Authority**: 15 U.S.C. 6821

**Criminal Penalties**:

- Fines up to $250,000 for individuals
- Imprisonment up to 5 years
- Fines up to $500,000 for organizations

### What is Pretexting

**Definition**: Using false pretenses to obtain customer information

**Examples**:

- Posing as customer to obtain account information
- Posing as institution employee to trick customer service
- Using stolen credentials to access customer data
- Social engineering to extract information
- Phishing for customer information

**Prohibited Actions**:

- Use false statements or documents
- Impersonate customer or institution
- Use fraudulent statements to persuade disclosure
- Use stolen or forged documents

### Institution Responsibilities

**Prevention Requirements**:

- Implement administrative, technical, and physical safeguards
- Authenticate callers before releasing information
- Train employees to recognize pretexting attempts
- Procedures to verify third-party requests
- Monitor for suspicious activity

**Safeguards**:

- Multi-factor authentication before releasing information
- Call-back verification procedures
- Challenge questions
- Documented authorization for third-party requests
- Employee training on social engineering

**Reporting**: Report suspected pretexting to law enforcement and appropriate regulators

## Regulatory Enforcement

### Federal Trade Commission (FTC)

**Jurisdiction**: Financial institutions not regulated by banking, securities, or insurance regulators

**Examples**:

- Mortgage brokers
- Payday lenders
- Check cashing services
- Collection agencies
- Tax preparers
- Career counselors

**Enforcement Actions**:

- Administrative complaints
- Civil penalties up to $50,120 per violation per day (adjusted for inflation)
- Injunctive relief
- Compliance monitoring
- Consumer redress

**Recent FTC Enforcement Examples**:

**Drizly (2022)**: $2.5M penalty

- Inadequate data security despite Safeguards Rule requirements
- Failure to implement MFA
- Poor vendor oversight
- CEO held personally liable

**Chegg (2022)**: Settlement

- Four data breaches due to poor security
- Misleading privacy claims
- Failed to implement basic safeguards
- 20-year compliance monitoring

**PayPal/Venmo (2018)**: Settlement

- Misleading privacy claims about Venmo default settings
- Inadequate privacy notice disclosures

**TaxSlayer (2017)**: Settlement

- Data breach due to inadequate security
- Failed to implement multi-factor authentication
- Inadequate employee training
- Weak password policies

### Banking Regulators

**OCC, FDIC, Federal Reserve, NCUA**: Regulate banks and credit unions

**Standards**: Similar to FTC Safeguards Rule but often more detailed

- **FFIEC Guidelines**: Comprehensive security guidance
- **Interagency Guidelines**: 12 CFR Part 30 Appendix B (OCC), similar for others
- **Higher Standards**: Banks subject to additional requirements beyond GLBA

**Enforcement**:

- Cease and desist orders
- Civil money penalties
- Consent orders
- Safety and soundness examinations
- Compliance examinations

### SEC and State Insurance Commissioners

**SEC**: Regulates broker-dealers, investment advisors, investment companies

- **Regulation S-P**: SEC's privacy and safeguards rule (similar to GLBA)
- **Enforcement**: Administrative proceedings, penalties, injunctions

**State Insurance Regulators**: Regulate insurance companies

- **Model Privacy Act**: Many states adopted NAIC model
- **Enforcement**: State-level actions, license revocation

## Common Compliance Challenges

### 1. Encryption Implementation

**Challenge**: Legacy systems can't support encryption

**Solutions**:

- Network segmentation to isolate legacy systems
- Encryption gateways
- Migrate to modern systems
- Document as exception with compensating controls

**Example Compensating Controls**:

- Physical isolation of legacy systems
- Strict access controls
- Enhanced monitoring
- Acceptable only with documented risk acceptance

### 2. Multi-Factor Authentication Deployment

**Challenge**: User resistance, technology limitations

**Solutions**:

- Phased rollout (start with remote access, then privileged accounts)
- User training on benefits
- Select user-friendly MFA (push notifications, biometrics)
- Risk-based authentication for low-risk access

**Common MFA Pitfalls**:

- SMS-based OTP (vulnerable to SIM swapping)
- No MFA for privileged accounts (highest risk)
- No backup authentication method

### 3. Vendor Management at Scale

**Challenge**: Hundreds of vendors, limited resources

**Solutions**:

- **Tiered approach**: Categorize vendors by risk level
  - **Tier 1** (High Risk): Access to customer data, critical systems - full assessment
  - **Tier 2** (Medium Risk): Limited access - questionnaire, certifications
  - **Tier 3** (Low Risk): No customer data access - minimal assessment
- **Standardized contracts**: Template agreements with security requirements
- **Vendor risk platforms**: Automate vendor assessments (SecurityScorecard, BitSight)
- **Accept certifications**: SOC 2 Type II, ISO 27001 in lieu of detailed assessment

### 4. Resource Constraints (Small Institutions)

**Challenge**: Limited budget, no dedicated security staff

**Solutions**:

- **Outsource to MSSP**: Managed security services for monitoring, incident response
- **Cloud-first approach**: Leverage AWS, Azure, Google Cloud built-in security
- **Commercial products**: Use turnkey solutions (Microsoft 365 E5, Google Workspace Enterprise)
- **Qualified individual**: Hire part-time consultant or fractional CISO
- **Simplified documentation**: Use templates, focus on critical controls

**Cost-Effective Controls**:

- Microsoft 365 E3/E5 (MFA, encryption, DLP)
- Cloud-based firewalls (Cisco Meraki, Palo Alto Prisma)
- Endpoint protection (CrowdStrike, SentinelOne)
- Security awareness (KnowBe4, Proofpoint)

### 5. Board Reporting

**Challenge**: Board lacks technical expertise, unclear what to report

**Solutions**:

- **Business language**: Avoid jargon, focus on business impact
- **Metrics-driven**: Use dashboards and KPIs
  - Number of incidents
  - Mean time to detect/respond
  - Vulnerability remediation rates
  - Training completion rates
  - Audit findings
- **Risk-based**: Quantify risk in financial terms
- **Benchmarking**: Compare to industry standards
- **Actionable**: Include recommendations with budget/resource needs

**Sample Board Report Outline**:

1. Executive Summary (1 page)
2. Program Status (compliant vs. gaps)
3. Risk Summary (top 5 risks)
4. Incidents (count, severity, response)
5. Testing Results (vulnerabilities, penetration tests)
6. Vendor Oversight (high-risk vendor status)
7. Metrics and Trends (year-over-year)
8. Budget and Resources (current vs. needed)
9. Recommendations (investments, policy changes)

### 6. Privacy Notice Delivery

**Challenge**: Ensuring electronic delivery compliance, notice fatigue

**Solutions**:

- **E-SIGN compliance**: Obtain affirmative consent for electronic delivery
- **Multi-channel**: Offer choice of paper or electronic
- **Clear opt-out**: Make opt-out prominent and easy
- **Test delivery**: Ensure emails not filtered as spam
- **Annual notice exception**: Many institutions are exempt under the FAST Act (if they share only under the exceptions)

**Annual Notice Exception Criteria**:

1. Only share with service providers or for joint marketing
2. Haven't changed privacy policies
3. No sharing with nonaffiliates beyond exceptions

**If Exempt**: No annual notice required, but must still provide initial and revised notices

## Integration with Other Regulations

### GLBA + HIPAA

**Business Associates**:

- Healthcare providers subject to both HIPAA and GLBA
- Mental health providers who process payments
- **Compliance**: Meet both HIPAA Security Rule and GLBA Safeguards Rule

**Harmonization**:

- Both require risk assessments
- Both require encryption
- Both require training
- Both require vendor management
- GLBA Safeguards Rule can satisfy many HIPAA Security Rule requirements

### GLBA + PCI DSS

**Payment Card Data**:

- Financial institutions processing credit cards subject to both GLBA and PCI DSS
- **Cardholder data** (PCI) vs. **Customer information** (GLBA): Overlapping but distinct

**Harmonization**:

- PCI DSS encryption requirements align with GLBA
- PCI DSS access controls align with GLBA
- Both require incident response plans
- Both require vendor management
- PCI DSS more prescriptive; GLBA more flexible

### GLBA + State Privacy Laws

**CCPA/CPRA (California)**:

- **CCPA exemption**: GLBA-covered data is exempt from CCPA if the institution is in compliance with GLBA
- **CPRA**: Narrowed exemption; some CCPA requirements still apply

**Vermont Data Broker Law**:

- Opt-in required for sale of customer information to data brokers
- Stricter than GLBA opt-out

**State Breach Notification Laws**:

- All 50 states have breach notification laws
- GLBA requires safeguards but not always notification
- Must comply with state breach laws in addition to GLBA

### GLBA + NYDFS Cybersecurity Regulation

**New York Financial Services Firms**:

- Subject to both GLBA and NYDFS 23 NYCRR 500

**NYDFS More Stringent**:

- Annual certification required (CISO signature)
- Penetration testing (annual)
- Multi-factor authentication (required)
- Encryption (required)
- Incident response plan (72-hour reporting)

**Compliance Strategy**: Meet NYDFS requirements (will exceed GLBA)

## Best Practices

### Risk-Based Approach

**Core Principle**: Tailor safeguards to institution's size, complexity, and risk

**Considerations**:

- **Size**: Small institutions can use simpler controls
- **Complexity**: Complex organizations need enterprise solutions
- **Data sensitivity**: More sensitive data requires stronger controls
- **Threat landscape**: Higher-risk industries (banking) need advanced defenses

**Documentation**: Document risk-based decisions in risk assessment

### Defense in Depth

**Strategy**: Layer multiple controls so if one fails, others provide protection

**Layers**:

1. **Perimeter**: Firewalls, IDS/IPS
2. **Network**: Segmentation, access controls
3. **Endpoint**: Antivirus, EDR, encryption
4. **Application**: Secure coding, WAF
5. **Data**: Encryption, DLP, tokenization
6. **Physical**: Access controls, surveillance
7. **Policies**: Training, awareness, governance

### Continuous Improvement

**Mindset**: Security is ongoing process, not one-time project

**Activities**:

- Annual risk assessments
- Quarterly vulnerability scans
- Annual penetration tests
- Annual incident response drills
- Ongoing training
- Continuous monitoring
- Regular policy reviews
- Post-incident lessons learned

**Feedback Loop**: Use findings to improve program

### Vendor Risk Management Framework

**Lifecycle Approach**:

1. **Selection**: Due diligence, security assessment
2. **Contracting**: Security requirements in contract
3. **Onboarding**: Validate security controls before go-live
4. **Ongoing Monitoring**: Annual reviews, SOC 2 reports, incident monitoring
5. **Offboarding**: Secure data return/destruction

**Risk Tiers**:

- **Critical**: Direct access to customer data, critical systems
- **High**: Indirect access, important but not critical
- **Medium**: Limited access, standard business vendors
- **Low**: No access to systems/data, commodity services

**Tiered Assessment**:

- Critical: Detailed assessment, annual reviews, SOC 2 required
- High: Questionnaire, certifications, biennial reviews
- Medium: Basic questionnaire, one-time assessment
- Low: Contract terms only, no assessment

## Resources

**Official Sources**:

- **FTC**: ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act
- **16 CFR Part 313**: Privacy Rule full text
- **16 CFR Part 314**: Safeguards Rule full text
- **FTC Business Guidance**: "Safeguards Rule: What Your Business Needs to Know"
- **FTC Small Business Guide**: "Data Security Made Simpler"

**Industry Resources**:

- **FFIEC**: Federal Financial Institutions Examination Council guidance
- **NIST**: Cybersecurity Framework, SP 800-53, SP 800-171
- **CIS Controls**: Center for Internet Security baseline controls
- **SANS**: Security awareness training resources

## Capabilities

- GLBA compliance assessment and gap analysis
- Safeguards Rule implementation (all nine elements)
- Privacy Rule compliance (notices, opt-out, sharing practices)
- Risk assessment methodology and execution
- Information security program development
- Policy and procedure writing
- Encryption implementation guidance
- Multi-factor authentication deployment
- Vendor management program design
- Incident response plan development
- Security awareness training programs
- Board reporting and governance
- FTC enforcement action analysis
- Integration with HIPAA, PCI DSS, state laws
- Cost-benefit analysis for security investments
- Remediation roadmaps and project planning
