The Gramm-Leach-Bliley Act (GLBA) is one of the most common regulatory compliance acts in the business world. And if you’re involved in providing financial products or services to consumers and utilize the services of third-party vendors, it’s something you need to be aware of.
Also known as the Financial Modernization Act of 1999, the Gramm-Leach-Bliley Act (GLBA) is a federal law that requires all financial institutions in the United States to clearly explain how they protect and share their customers’ private information. The objective of the GLBA is to protect consumer financial privacy by establishing safeguards that require companies to explain how and what information they share with affiliates and other business partners.
Based on the rules of the GLBA, companies have limitations regarding disclosure of a consumer’s nonpublic personal information (NPI) to non-affiliated third parties. They must first notify the customer about their information-sharing practices and then give them the right to opt-out if they don’t want the information shared. Furthermore, any third party that receives this information from a financial institution is restricted in its redisclosure and reuse of that information.
The two most important aspects of the GLBA are as follows:
Adhering to these two rules will not only help you remain compliant, but it will also significantly reduce your chances of being caught in a compromising situation that puts your business and customers at risk.
Not every business has to account for the GLBA. However, it’s usually applicable in any business setting where financial products and services are being provided to a customer and confidential data and private information are shared. This includes (but is not limited to) companies such as:
Again, this is just a sample of organizations that are typically subject to GLBA compliance. However, any company that processes, stores or shares confidential and private information about consumers is required to adhere to the standards.
Failure to comply with GLBA rules can prove costly on multiple fronts. However, the initial financial penalties are generally what cause the most concern.
Non-compliance penalties include:
In addition to the financial ramifications, there may also be reputational consequences. You never want to be the business that people can’t trust. But a GLBA violation that leads to media coverage has the potential to tarnish your image.
Every organization is going to require a unique approach. Having said that, adhering to the following suggestions will increase your chances for success:
The first step is to familiarize yourself with the rules of the GLBA. That’s essentially what you’ve done in reading this article. Now it’s up to you to do further research and understand exactly how it applies to your business.
Depending on the size of your business and other relevant risk factors, you may find it helpful to consult with your legal team and auditing professionals. The more you pull together all relevant parties, the stronger your compliance program will be.
Secondly, perform a risk assessment to get a feel for all of the different factors involved. A good risk assessment will identify both the likelihood of something happening as well as the severity if it does. These two factors may be multiplied to develop a true risk factor.
Depending on your business and the type of data you process, you’ll need to take inventory of all processes, systems and devices that transmit NPI. This may include PCs, smartphones, laptops, mail servers, software, cloud hosts, etc.
As your assessments become more consistent across the board, you’ll start to see the various vulnerabilities and blind spots that are holding you back.
It’s not enough to acknowledge that risks exist. Even if you take proactive steps to neutralize various threats, there’s always the risk that something could happen. This is why you need to have effective controls in place at all times.
If something does go wrong, an auditor will look for evidence that you had controls in place that were adequate for the vulnerabilities and threats as displayed in your risk assessment. Any absence of proper controls could lead to serious financial penalties.
Finally, you’ll need a plan in place to monitor and respond to various threats and issues on an ongoing basis. Because of rapidly evolving cyber threats and ever-changing security best practices, continuous monitoring is a must.
The Panorays platform works with your third parties so that you can be assured that they adhere to regulations and standards such as GLBA, GDPR, CCPA and NYDFS, among others. That way, you’ll always be ready for external audits.
Want an automated, comprehensive and easy-to-use third-party security management platform that works for your business? Contact us today for a free consultation, or sign up for a free demo.