Last updated Friday, December 1, 2023, 19:51:54 GMT

Heads up, financial institutions: the Federal Trade Commission (FTC) has announced the first cybersecurity updates to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule since 2003. The new rule strengthens the required security safeguards for customer information, including formal risk assessments, access controls, regular penetration testing and vulnerability scanning, and incident response capabilities, among other things.

Some of these changes take effect in November 2022, giving organizations time to prepare for compliance. Below, we walk through the changes in detail compared with the previous rule.

Background on the Safeguards Rule

GLBA requires, among other things, a wide range of “financial institutions” to protect customer information. Enforcement of GLBA is split among several federal agencies, with FTC jurisdiction covering non-banking financial institutions under the Safeguards Rule. Previously, the Safeguards Rule left the implementation details of several aspects of the information security program up to the financial institution, based on its risk assessment.

The Safeguards Rule broadly defines “financial institution” to include non-bank businesses that offer financial products or services, such as retailers, automobile dealers, mortgage brokers, non-bank lenders, real estate appraisers, tax preparers, and others. “Customer information” is also defined broadly, to include any record containing non-public personally identifiable information about a customer that is handled or maintained by or on behalf of a financial institution.

Updates to the Safeguards Rule

Many of the other updates concern strengthened requirements on how financial institutions must implement aspects of their security programs. Below is a short summary of these changes. Where applicable, we include citations to both the updated rule (starting at page 123) and the previous rule (16 C.F.R. § 314) for comparison.

Overall security program

  • Current rule: Financial institutions must maintain a comprehensive written information security program with administrative, technical, and physical safeguards to ensure the security, confidentiality, and integrity of customer information. 16 C.F.R. § 314.3(a)-(b).
  • Updated rule: The updated rule now requires the information security program to include the processes and safeguards listed below (i.e., risk assessment, security safeguards, etc.). 16 C.F.R. § 314.3(a).
  • Approx. effective date: November 2022

Risk assessment

  • Current rule: Financial institutions are required to identify internal and external risks to the security, confidentiality, and integrity of customer information. The risk assessment must cover employee training, risks to information systems, and detection of and response to security incidents and events. 16 C.F.R. § 314.4(b).
  • Updated rule: The update includes more specific criteria for what the risk assessment must contain. This includes criteria for evaluating and categorizing security risks and threats, as well as criteria for assessing whether security safeguards are adequate. The risk assessment must describe how identified risks will be mitigated or accepted. The risk assessment must be in writing. 16 C.F.R. § 314.4(b).
  • Approx. effective date: November 2022

Security safeguards

  • Current rule: Financial institutions must implement safeguards to control the risks identified through the risk assessment. 16 C.F.R. § 314.4(c). Financial institutions must require service providers to maintain safeguards to protect customer information. 16 C.F.R. § 314.4(d).
  • Updated rule: The updated rule requires that safeguards include:
    - Access controls, including providing least privilege;
    - Inventory and classification of data, devices, and systems;
    - Encryption of customer information at rest and in transit over internal networks;
    - Secure development practices for in-house software and applications;
    - Multi-factor authentication;
    - Secure data disposal;
    - Change management procedures; and
    - Monitoring activity of unauthorized users and detecting unauthorized access or use of customer information. 16 C.F.R. § 314.4(c)(1)-(8).
  • Approx. effective date: November 2022

Testing and evaluation

  • Current rule: Financial institutions must regularly test or monitor the effectiveness of the security safeguards, and adjust them based on the test results. 16 C.F.R. § 314.4(c), (e).
  • Updated rule: Regular testing of safeguards must now include either continuous monitoring or periodic penetration testing (annually) and vulnerability assessments (semi-annually). 16 C.F.R. § 314.4(d).
  • Approx. effective date: November 2022

Incident response

  • Current rule: Financial institutions must include cybersecurity incident detection and response in their risk assessments, and must have safeguards in place to address those risks. 16 C.F.R. § 314.4(b)(3)-(c).
  • Updated rule: Financial institutions are required to establish a written plan for responding to any security event materially affecting the confidentiality, integrity, or availability of customer information. 16 C.F.R. § 314.4(h).
  • Approx. effective date: November 2022

Workforce and personnel

  • Current rule: Financial institutions must designate an employee to coordinate the information security program. 16 C.F.R. § 314.4(a). Financial institutions must select service providers that can maintain security and require service providers to implement the safeguards. 16 C.F.R. § 314.4(d).
  • Updated rule: The rule now requires designation of a single “qualified individual” to be responsible for the security program. This may be a third-party contractor. 16 C.F.R. § 314.4(a). Financial institutions must now provide security awareness training and updates to personnel. 16 C.F.R. § 314.4(e). The rule now also requires periodic reports to a Board of Directors or governing body regarding all material matters related to the information security program. 16 C.F.R. § 314.4(i).
  • Approx. effective date: November 2022

Coverage

  • Updated rule: The FTC update expands the definition of “financial institution” to require “finders” — companies that bring together buyers and sellers — to follow the Safeguards Rule. 16 C.F.R. § 314.2(h)(1). However, financial institutions that maintain customer information on fewer than 5,000 consumers are exempt from the requirements for a written risk assessment, continuous monitoring or periodic pentesting and/or vulnerability scans, an incident response plan, and annual reports to the Board. 16 C.F.R. § 314.6.
  • Approx. effective date: November 2021 (unlike many of the other updates, this item is not delayed for a year)

Incident reporting next?

In addition to the above, the FTC is also considering requirements that financial institutions report cybersecurity incidents and events to the FTC. Similar requirements already apply under the New York Department of Financial Services cybersecurity regulation. If the FTC moves forward with these incident reporting requirements, financial institutions could expect them to be implemented later in 2022 or early 2023.

Financial institutions with robust security programs will already be performing many of these practices. For them, the updated Safeguards Rule will not represent a sea change in internal security operations. However, by making these security practices formal regulatory requirements, the updated Safeguards Rule will make accountability and compliance even more important.
