The Standards for Safeguarding Customer Information, codified at 16 CFR Part 314 and commonly called the Safeguards Rule, is a regulation issued by the U.S. Federal Trade Commission (FTC) that implements the information security provisions of the Gramm-Leach-Bliley Act (GLBA). The regulation sets out the standards financial institutions must follow to protect the security, confidentiality, and integrity of customer nonpublic personal information (NPI).
Because the Rule requires financial institutions to ensure, by contract and through ongoing assessment, that their service providers and affiliates (including third parties) maintain safeguards that protect customer data, third-party risk management teams should be aware of the provisions in the Safeguards Rule and be prepared to report on the controls that address them.
This post examines the key provisions in the GLBA Safeguards Rule and recommends best practices for ensuring that third-party service providers maintain the security, confidentiality, and integrity of your organization’s customer data.
The GLBA Safeguards Rule applies to all financial institutions under the jurisdiction of the FTC. It aims to ensure these institutions have robust programs in place to safeguard customer information. Under the Rule, financial institutions are required to develop, implement, and maintain a comprehensive written information security program. The program must be appropriate to the institution's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. Financial institutions must also designate a qualified individual to oversee and implement the program, including oversight of third-party service providers. Non-compliance with the standards can lead to penalties and corrective actions.
In general, the Safeguards Rule requires information security programs to include the following elements:
- Risk assessment: Financial institutions must identify and assess risks to customer information in each relevant area of their operations, and evaluate the effectiveness of the current safeguards in place to control these risks.
- Safeguards: Based on the risk assessment, financial institutions must design and implement safeguards to control the identified risks. These safeguards should be regularly tested and monitored to ensure their effectiveness.
- Service provider oversight: Financial institutions must take reasonable steps to ensure that their service providers (such as third parties) maintain appropriate safeguards for customer information. This includes requiring service providers by contract to implement and maintain such safeguards.
- Program adjustment: The information security program should be adjusted based on the results of ongoing risk assessments, monitoring, and changes in the institution's business operations or structure.
According to section 314.3, financial institutions are required to “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.”
The objectives of the program are to:
The table below examines the key service provider provisions in the Safeguards Rule and suggests best practices for addressing each requirement.
NOTE: This table includes select provisions in section 314.4. For a complete examination of requirements, please review the full Safeguards Rule with your internal audit team or external auditor.
16 CFR Part 314 Standards for Safeguarding Customer Information

| Safeguards Rule | Best Practices |
|---|---|
| (f) Oversee service providers, by: | |
| (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; | Centralize and automate the distribution, comparison, and management of requests for proposals (RFPs) and requests for information (RFIs). Examine a potential third-party service provider's risks, including business, operational, reputational, and financial risks and prior data breaches, to inform and add context to third-party selection decisions and to ensure that the selected service provider meets not only technical requirements but also acceptable risk thresholds. A comprehensive third-party risk management (TPRM) platform will then automatically move a selected third party into the contracting phase and kick off further due diligence. |
| (2) Requiring your service providers by contract to implement and maintain such safeguards; | Centralize the distribution, discussion, retention, and review of third-party service provider contracts to ensure key contractual provisions are included and enforced throughout the third-party lifecycle. Key capabilities in a contract lifecycle management solution should include: |
| | As with (1) above, Prevalent includes automated workflows that move contracted vendors into further due diligence steps as appropriate. |
| (3) Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards. | Look for a solution that features a large library of pre-built templates for third-party risk assessments. Assessments should be conducted at the time of supplier onboarding, at contract renewal, or at any required frequency (e.g., quarterly or annually) depending on material changes in the relationship. |
| | Assessments should be managed centrally and backed by workflow, task management, and automated evidence review capabilities to ensure that your team has visibility into third-party risks throughout the relationship lifecycle. Importantly, a TPRM solution should include built-in remediation recommendations based on risk assessment results to ensure that your third parties address risks in a timely and satisfactory manner and can provide the appropriate evidence to auditors. As part of this process, continuously track and analyze external threats to third parties: monitor the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions, and financial information. All monitoring data should be correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, and response. |
The Prevalent Third-Party Risk Management (TPRM) Platform automates the critical tasks required to assess, monitor, and manage third-party service providers against security, privacy, and other critical risks. The Prevalent Platform enables third-party risk teams to centrally:
This regulation is essential for maintaining trust between financial institutions and their customers by ensuring that personal and financial information is adequately protected from unauthorized access and breaches. With 61% of companies reporting a third-party data breach or security incident in the last year, financial institutions must take adequate precautions to ensure that their third-party service providers are protecting customer data.
For more on how Prevalent can help you understand your GLBA Safeguards Rule third-party service provider requirements, request a demonstration today.