This is the second blog in a series focused on cybersecurity consulting for financial institutions. The first blog of our series provided a quick overview of the series; this article will start to dive into the Gramm-Leach-Bliley Act (GLBA) and how it impacts financial institutions. The GLBA, also known as the Financial Modernization Act of 1999, is a significant piece of legislation that had a profound impact on the financial industry in the United States. The GLBA aimed to modernize and deregulate the financial sector by removing barriers between different types of financial institutions. While the act had several implications for the industry as a whole, it also introduced essential provisions to address the growing concern of cybersecurity in the financial sector.
GLBA Security Awareness Training
One of the primary impacts of the GLBA on financial institutions was the requirement for them to develop and implement comprehensive information security programs. Under the act, financial institutions are obligated to protect the security, integrity, and confidentiality of customer information. This requirement includes the development and maintenance of safeguards to protect against unauthorized access, use, or disclosure of nonpublic personal information. One of the top components in a robust information security program is the implementation of security awareness training. This type of training is designed to educate and train financial institution staff members on the cybersecurity threats that exist and how to combat those threats.
Companies looking to implement a GLBA compliant security awareness training program should focus on three key components:
- Provide ongoing training, instead of once per year. There are typically two methodologies when approaching staff training. The first is having a robust annual training that covers everything the staff needs to know in one sitting. Although this does technically check the boxes to remain compliant with what the GLBA is looking to accomplish, it is not necessarily the most effective approach. Providing an ongoing training program, where you take the same information, break it down into small segments for the staff to digest on a monthly basis, can be extremely beneficial. It is easier for the staff to stay engaged with the training module, and they will retain more information in the long run.
- The training needs to be fun. Whether you provide in-person training, or an online training module, the staff needs to be entertained. If the training does not keep their interest, then it most likely will not be effective. There are several companies out there that provide very informative and entertaining training content. Invest a little in those platforms, or learn how to create some of your own engaging training. With either direction you go, your approach should be focused on, “Will this keep their attention for 5-10 minutes?”
- Keep a focus on phishing. Year after year, phishing attacks continue to be one of the most commonly used approaches for cybercriminals. There are a variety of phishing attacks – emails, text messages, phone calls, etc. Keep a regular focus on these social engineering attacks because they are the top threat to your staff. Keep them informed on what is out there, so they can be the best line of defense at your financial institution.
Additional GLBA Requirements for Financial Institutions
Financial institutions are also required to assess and manage risks to the security and confidentiality of customer information. This involves things like identifying internal and external threats and evaluating the effectiveness of existing security measures. It also includes adjusting the information security program as necessary to address new and emerging threats. The GLBA emphasizes the importance of ongoing monitoring, testing, and updating of security measures to ensure their effectiveness in the face of evolving cybersecurity threats.
Furthermore, the GLBA encourages financial institutions to establish relationships with third-party service providers, such as cloud service providers or data processors, to enhance operational efficiency. However, it imposes obligations on financial institutions regarding these partnerships. It aims to ensure that these service providers have adequate safeguards in place to protect customer information. It is the financial institution's responsibility to select service providers that can maintain appropriate security measures. When they enter into contracts with these third-party vendors, the financial institution must require the service providers to implement and maintain such safeguards.
The GLBA’s cybersecurity provisions have played a crucial role in improving the overall cybersecurity posture of financial institutions. By mandating the development of comprehensive information security programs, regular risk assessments, and close oversight of third-party service providers, the act has helped mitigate the risk of data breaches. To ensure compliance with GLBA, financial institutions have had to invest in robust cybersecurity measures. These measures include firewalls, encryption, intrusion detection systems, and employee training programs. Thanks to these mitigation efforts, financial institutions aligned with GLBA standards have decreased the risk of unauthorized access to customer information.
It is important to note that cybersecurity threats continue to evolve rapidly, and the GLBA represents a minimum baseline for cybersecurity requirements. Financial institutions must go beyond mere compliance and stay vigilant in adopting advanced cybersecurity practices to effectively combat sophisticated cyber threats. Regular staff training, threat intelligence sharing, and ongoing evaluation of security measures are essential components of a robust cybersecurity strategy for financial institutions in the current digital landscape. If you are in the process of implementing these programs, and you have any questions or need assistance, contact LMSolutions today.