The Gramm-Leach-Bliley Act (GLBA) and the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) both matter to financial institutions responsible for the security and privacy of sensitive customer information. The two are different in kind: GLBA is federal legislation with enforceable rules, while the CAT is supervisory guidance issued by the banking regulators.
GLBA, also known as the Financial Services Modernization Act of 1999, requires financial institutions to protect the privacy of customer information and to provide customers with annual privacy notices. It also requires them to maintain administrative, technical and physical safeguards against unauthorized access to or use of customer information; in practice that means controls such as firewalls, access controls and secure data storage. The security side of GLBA is implemented through the Safeguards Rule (16 CFR Part 314), which carries roughly 20 requirements, making it a relatively manageable mandate for most institutions. In our experience, the biggest hurdle many face with these requirements is the rule's lack of specificity about what satisfies it. With consistent use of terms like "periodically" and "reasonable", it can be confusing for those who are not familiar with other industry standards and accepted best practices that give those words concrete meaning.
The FFIEC CAT, on the other hand, is a tool developed by the FFIEC to help financial institutions assess their cybersecurity risk and implement effective risk management. It provides a framework for assessing that risk and for identifying and prioritizing areas for improvement, along with guidance on the types of controls institutions should have in place against cyber threats, such as incident response plans and network segmentation. The CAT is considerably more involved than the Safeguards Rule when it comes to control requirements: there are just shy of 500 declarative statements that can be evaluated against. However, because it is a risk-based model, they are not all expected of every organization. The tool first has the institution build an Inherent Risk Profile from criteria such as size, the technologies and connection types in use, delivery channels and external threats, and then measures its controls against maturity levels (Baseline, Evolving, Intermediate, Advanced and Innovative); the higher the inherent risk, the more of those statements the institution is expected to meet. One caveat for anyone planning around the CAT: the FFIEC has announced that it will sunset the tool on August 31, 2025, so institutions should expect to transition to other frameworks its guidance points to.
Both GLBA and the FFIEC CAT are important for financial institutions in protecting sensitive customer information and reducing the risk of cyber-attacks. Institutions are expected to understand and comply with the GLBA rules and to be familiar with the regulatory guidance the CAT represents. It is also important to regularly reassess and update cybersecurity measures in response to changing threats and technologies rather than treating either as a one-time exercise.
By understanding and complying with GLBA, and by using the FFIEC CAT as a guide to assess and manage cyber risk, financial institutions can better protect themselves and their customers against cyber threats.
Feel free to reach out with any questions about requirements or expectations with these rule sets or general infosec knowledge!