GLBA Interagency Guidelines: the security standard your examiners enforce

• Board approval of written information security program
• Assignment of program responsibility to qualified personnel
• Regular reporting to the board on program status
• Integration of security into business strategy and risk management

• Risk assessment and identification of threats
• Access controls and authentication measures
• Encryption of customer information in transit and at rest
• Monitoring systems and intrusion detection

• Due diligence in service provider selection
• Contractual security requirements
• Ongoing monitoring of service provider compliance

• Written incident response plan and procedures
• 36-hour regulator notification for material incidents
• Service provider notification to affected institutions
• Customer notification when warranted

• Security awareness training for all personnel
• Regular testing of key controls and systems
• Vulnerability assessments and penetration testing

• Business continuity and disaster recovery planning
• Regular testing and updating of continuity plans

What is the difference between the Interagency Guidelines and the FTC Safeguards Rule?

Both stem from GLBA Section 501(b), but they apply to different types of institutions. The Interagency Guidelines are enforced by the OCC, FDIC, Federal Reserve, and NCUA against federally supervised banks and credit unions. The FTC Safeguards Rule is enforced by the FTC against non-bank financial institutions like mortgage brokers, auto dealers, and tax preparers. The Interagency Guidelines require board-level oversight and carry the 36-hour incident notification rule, which the FTC Safeguards Rule does not.

What exactly is the 36-hour notification rule?

The Computer-Security Incident Notification Rule (effective April 2022) requires a banking organization to notify its primary federal regulator within 36 hours after the institution determines that a computer-security incident has materially disrupted or degraded — or is reasonably likely to materially disrupt or degrade — the institution's ability to serve customers, operations, or the financial sector. Bank service providers must separately notify affected institutions as soon as possible.

What are the board's specific responsibilities?

The board must approve the written information security program, oversee its development and implementation, assign specific responsibility to a qualified individual, receive and review regular reports on program status and material matters, and ensure the institution has adequate resources to maintain the program. Examiners specifically verify board engagement during examinations.

What do examiners focus on during an information security examination?

Examiners evaluate the completeness and adequacy of your written information security program, the quality and frequency of risk assessments, whether controls are commensurate with identified risks, service provider oversight practices, incident response readiness, testing and monitoring activities, and evidence of board oversight. Findings can result in matters requiring attention (MRAs) or formal enforcement actions.

How does service provider oversight work under the Guidelines?

Institutions must perform due diligence before engaging service providers, include contractual provisions requiring appropriate security measures, and monitor service providers on an ongoing basis. The 2021 incident notification rule added a requirement for bank service providers to notify affected banking organizations as soon as possible after determining that a computer-security incident has or is likely to materially affect the institution for four or more hours.