April 14, 2022
GLBA was designed and written to protect financial customers’ privacy but abjectly failed to recognize that there's no privacy without an adequate security foundation. The GLBA Safeguards Rule was so vague and subject to interpretation that many companies could convince themselves, their customers and federal auditors they were complying with the rule when their security programs barely existed. When GLBA was written in 1999, cybersecurity risk was much lower because we lived in a world where companies’ data resided behind closed network perimeters. This was before companies interacted almost seamlessly across the wild internet and before hackers ruled.
It’s 2022 now and the GLBA Safeguards Rule has finally grown teeth – long, sharp teeth. While most large financial institutions have invested heavily in building out their cybersecurity programs over time due to industry regulations and business risk alignment, many mid-size or smaller non-bank financial institutions may find themselves woefully short of complying with the new, and much more prescriptive, Safeguards Rule. Companies should begin now to review the state of their cybersecurity program in order to be compliant by the end of 2022.
The FTC released their final rule in late October 2021, detailing changes that will enforce and better define customer protections in the GLBA. The changes have a large impact on non-bank financial institutions, such as mortgage and finance companies, brokerages, lenders and motor vehicle dealers. The final rule is effective 30 days after it’s published in the Federal Register and is expected to be enforced by the end of 2022. Some financial entities that were previously considered outside the banking industry were able to escape the requirements, but these new changes place them in scope.
The most significant requirement is the risk assessment parameters. The existing rule requires that information security programs be based on a financial institution’s identification and assessment of reasonably foreseeable internal and external risks to customer information. The new rule continues to require risk assessments, but now specifically requires that they be in writing. They must include: criteria to evaluate and categorize identified security risks; criteria to assess the “confidentiality, integrity, and availability” of customer information and information systems (including whether existing controls are adequate in the context of the identified risks); and requirements that describe how identified risks will be accepted or mitigated based on the assessment and how the information security program will address them. While risk assessments must include these topics, each financial institution can tailor them to its own structures and needs.
Specific Measures. To control the risks identified through risk assessments, financial institutions must implement a number of specific safeguards, save where an exception or qualification applies, such as:
Meeting the requirements of the updated Safeguards Rule doesn’t have to be overwhelming, but the deadline for compliance is just a few short months away, so you’re encouraged to begin assessing your organization’s footing as soon as possible.
If you have questions about this new Safeguards Rule and how it might affect your organization, please drop us a line.