The Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA) requires covered entities to protect the security of customer information. It was revised at the end of 2021 to broaden the definition of financial institutions and to introduce new requirements for information security programs, including more specific data security obligations such as encryption, penetration testing and multi-factor authentication.
Financial institutions will need to comply with GLBA’s Safeguards Rule by December 9, 2022.
Auto Dealerships Among Financial Institutions Facing Compliance
Among the revised changes going into effect, the term “financial institution” now has a broader application under the Safeguards Rule and includes:
- Automobile dealers
- Mortgage lenders and brokers
- Payday lenders
- Collection agencies
- Credit counselors
- Tax preparation firms
- Non-federally insured credit unions
- and others
New & Enhanced Information Security Program Requirements
While not every provision of the Safeguards Rule is new, the FTC did take care to strengthen its compliance requirements, and even those institutions previously subject should review the full Rule to ensure effective compliance.
Under the new requirements, financial institutions and dealers must:
- Designate a qualified individual to oversee the company’s information security program
- Conduct a periodic risk assessment
- Implement safeguards to control risks
- Train employees on cybersecurity awareness
- Maintain oversight of third-party service providers
- Complete regular penetration testing and vulnerability scanning
- Keep information security programs current
- Develop an incident response plan
- Provide an annual security program report to its Board of Directors
Specifically, when it comes to controlling risks that threaten customer information, companies will need to implement strict security practices and tools to ensure compliance. This includes: reviewing and updating access controls; locating sensitive data and keeping track of where it is stored and who has access to it; encrypting customer information at rest and in transit; implementing multi-factor authentication (MFA) on any systems or applications that hold customer data; securely disposing of customer data every two years; enforcing change management and keeping logs of user activity; and monitoring and testing the effectiveness of your security controls.
Institutions, including dealers, with fewer than 5,000 consumer records are exempt from certain requirements, including the written risk assessment, the incident response plan and Board of Directors reporting.
Enable FTC Compliance with Smart Comply
Financial institutions that fall under the purview of GLBA’s Safeguards Rule should act now to ensure full compliance with the new information security program requirements. Omega’s managed IT compliance service, Smart Comply, acts as a comprehensive compliance-as-a-service offering and can deliver the discovery, assessments and advisory you need to streamline the FTC compliance process.
With data discovery and classification technology, vulnerability scanning, data auditing and a complete cyber risk assessment, you can effectively and efficiently meet the new FTC compliance demands under the guidance of certified vCISOs with deep experience advising auto dealers and other financial institutions.