Security Policies for Regulation S-P: GLBA Data Privacy

SEC Privacy S-P

In 2024 the SEC formally adopted updates to “Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information.” The rules apply to financial institutions that collect and manage nonpublic personal information about consumers (PII). First adopted in 2000, the privacy requirements have continually evolved, and major updates were approved in 2024. The updated privacy rules go into effect in August 2024.

Severe Financial Penalties for Non-Compliance

As the rules expand in scope, many smaller financial institutions will come under the program requirements for the first time.

The penalties can be severe. The SEC recently fined a NY investment advisor $1.8 MM for “failing to establish, maintain, and enforce written policies and procedures reasonably designed to prevent the misuse of material nonpublic information.”

In this article we discuss how these updated requirements can be addressed with written information security policies as part of a cyber governance program.

Security Policies and the Safeguards Rule

One foundation of any cyber governance program is a comprehensive set of written information security policies (and related procedures) that cover all essential domains of cyber security. In some cases the specific domains are not named within the regulation, but are referred to in other frameworks such as ISO 27002, NIST CSF or FFIEC.

The safeguards rule requires any broker or dealer, investment company, registered investment adviser, or transfer agent (collectively, “covered institutions”) to develop, implement, and maintain written policies and procedures “reasonably designed” to protect against unauthorized access to or use of customer personal information.

Take special notice of this phrase: “reasonably designed”. This term implies that cyber programs follow a set of established leading practices that are well known to cyber professionals. Adopting security policy templates like those from Information Shield can dramatically reduce development cost and potential liability. Using security policy templates that have been vetted by hundreds of organizations helps create a “defensible” program that addresses all key best practices in each domain (incident response, asset management, access control, etc.).

In the following sections we highlight the primary areas of focus in the SEC updates and map them to policies within a governance framework.

Security Incident Response Policies

Due to an increasing number of reported incidents, one of the key areas of focus is Security Incident Response. Incident Response is the set of organizational controls designed to detect, analyze and respond to potential cyber events.

Incident Response Program. The final safeguards rule requires covered institutions to develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.

This requirement is supported by two key documents: Security Incident Response Policy and Security Incident Response Procedure. Note that these should be two different documents, even though the written text sometimes combines the two.

Breach Response and Notification Policies

Notification Requirement. The response program also requires that covered institutions provide a notification to individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. The default notification time is “as soon as practical” but not later than 30 days, after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.

The 30-day notice requirement and other procedures should be part of a Data Breach Response Procedure. Notice that your organization should have a separate document for “potential data breaches” that is outside of the scope of the standard Incident Response Policy. In short, there are many types of incidents that may not impact PII or trigger a breach notification.

The updated Rule also creates this notice exception:

Notice will not be required if a covered institution determines, after a reasonable investigation of the facts and circumstances of the incident that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.

Again, supporting this control requires an Incident Response Procedure that specifically outlines the analysis step. Records should be kept to document management’s decisions as to whether or not an event requires notice.

Third Party Cyber Security Policies

Another new focus of the updated Rule concerns the cyber risk of third parties, vendors and the information supply chain. Covered entities must now create and maintain a vendor risk management program. According to the update:

Service Providers. The final amendments to the safeguards rule include new provisions that address the use of service providers by covered institutions. Under these provisions, covered institutions will be required to establish, maintain, and enforce written policies and procedures reasonably designed to require oversight, including through due diligence and monitoring of service providers, including to ensure that affected individuals receive any required notices.

The controls for third-party risk and vendor management are part of a Third-Party Security Policy. A good Third-Party Security Policy requires the organization to identify vendors and other third parties and prioritize them based on cyber risk. Then the organization must assess the cyber risk of each vendor and take corrective actions to manage risk.

Compliance Records and Documentation

A growing requirement of effective cyber governance is maintaining records of compliance activities. This trend started with HIPAA and came into focus with the NYS-DFS requirement that senior management formally attest to the effectiveness of cyber controls.

Recordkeeping and Annual Notice Amendments. The final amendments require covered institutions to make and maintain written records documenting compliance with the requirements of the safeguards rule and the disposal rule.

In the next section we discuss how the “recordkeeping” requirement translates into cyber security management.

Recordkeeping for Cyber Security Compliance

What does “written records” mean in the context of cyber governance and security policies? It implies at least three levels of documentation.

Compliance and Risk Identification – This implies that the organization identifies and lists the potential risks to customer data. This is done as part of a formal Risk Assessment. As part of this process, the organization can document specific regulatory or legal requirements that should provide input into the governance program.

Written Security Policies and Controls – Another element is to formally document the “controls” the organization must adopt to reduce the cyber risk and also address regulatory requirements (for example, breach notification timing). A formal “control framework” has all of the essential controls documented and assigned to various roles. Written Information Security Policies are the formal description of these controls. Information security policies are an essential part of cyber documentation.

Evidence of Control Implementation – Another level of “records” is validation that controls are being followed and are effective. These are typically outlined in frameworks like ISO 27002 and NIST CSF as “audits” and “control measurements”. These data items are essential in the event of a possible data breach that involves cyber insurance coverage.

Documented Responses and Recovery – A final key area of documentation is “response and recovery”. In short, cyber governance defines controls to protect information, but also to respond in case protective controls fail. These are usually part of the Incident Response Program that is required in all cyber frameworks such as ISO 27002, NIST CSF, CMMC and others. Another key area is “recovery”, which is formally documented within a Disaster Recovery Plan and related procedures.

Unless your Cyber Governance program provides these various levels of documentation, you are not truly keeping adequate records.

Using ComplianceShield for Cyber Governance

ComplianceShield is a software platform designed to specifically support the four different phases of cyber governance required to address the recordkeeping requirements. These functions are commonly referred to as “Governance Risk and Compliance” (GRC). ComplianceShield provides the following key features and benefits to support Privacy Rule compliance.

Security Policy Template Library – A complete library of written information security policies that include “best practices” based on 20 years of experience. The Templates address the “reasonable” clause by providing key controls in each area.

Control Status and Evidence Tracking – The software enables the organization to easily track the status of each control throughout the lifecycle. Easily match written security policies to controls, assign control responsibility and store and manage evidence.

Risk Assessment – ComplianceShield supports a formal Risk Assessment process, including a “threat library” and Risk Wizard that dramatically reduce the time to identify and document risks.

Compliance Control Baselines – A library of pre-built “Control Baselines” provides key elements for quickly developing a robust cyber program. Easily create cyber programs that address ISO 27002, NIST CSF, HIPAA, FTC and many others.

Third Party Risk Management – ComplianceShield enables a robust vendor risk management program. This includes vendor (third-party) security policies, standardized assessments, and automation to fully support third party risk management procedures.

Streamline SEC Compliance Now

Want to learn more? Simply request a FREE DEMO of ComplianceShield. It takes less than 5 minutes to get started.