GLBA Gap Assessment - Pre Audit
Essentials
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services
Modernization Act, requires financial institutions to have a security
program in place to safeguard the confidential information of their
customers, and to determine the general risk levels of their third
parties. GLBA broadly defines financial institutions to include credit
unions, banks, savings and loans, investment and insurance firms, and
possibly retail merchants, provided they offer their own credit solution.
To help support GLBA efforts, the Federal Financial Institutions
Examination Council (FFIEC) developed the FFIEC IT Examination Handbook in
concert with multiple agencies, for example the Federal Reserve System (FRB),
the Federal Deposit Insurance Corporation (FDIC), the National Credit Union
Administration (NCUA), the Office of the Comptroller of the Currency (OCC),
and the Consumer Financial Protection Bureau* (CFPB). Each agency may have
additional controls outside the FFIEC. GLBA requires financial institutions
to understand the risks within their organization by implementing a formal
risk management program that identifies and quantifies risks and employs
controls to mitigate them where appropriate.
* Under provisions of the Dodd-Frank Wall Street Reform and Consumer
Protection Act of 2010 (the Dodd-Frank Act), the Director of the newly
created Consumer Financial Protection Bureau joined the membership of the
Council, replacing the Director of the former Office of Thrift Supervision.
Additionally, GLBA requires financial institutions to perform due
diligence (e.g., third-party GLBA assessments) to ensure that third parties
have appropriate controls. This risk-based approach consists of a vendor
management program that includes surveys and on-site assessments.
Benefits
- Compliance with GLBA Safeguards and Privacy Rules
- Identification of non-compliant areas and an understanding of what
actions are needed to comply with GLBA Safeguards and Privacy Rules
- Objective third-party demonstration of GLBA compliance
- Avoidance of fines that could result from failing a GLBA audit
- Reduction of the cost, confusion, and complexity of GLBA compliance
Expertise
SecureState’s Audit & Compliance consultants are experts in understanding
both the technical and the business aspects of your organization.
SecureState’s experience and knowledge, developed while working with some
of the top Fortune 500 financial institutions in the country and with a
governing body, provide your organization with a true picture of your
compliance with GLBA.
Did You Know?
- GLBA comprises three major components: 1) the Financial Privacy
Rule, 2) the Safeguards Rule, and 3) Pretexting Protection
- GLBA privacy notices need to incorporate the Fair Credit Reporting Act’s
information-sharing provisions
- In 2009 the interagency regulators released a Model Privacy Notice, a
table format designed to make comparing privacy notices between financial
institutions easier; its use was voluntary, but adopting it provided a safe
harbor
- In 2005 the interagency regulators adopted guidelines requiring that,
under specific circumstances, consumers whose records were breached be
notified; 28 states have since adopted their own data breach laws
- A GLBA Gap Assessment – Pre-Audit should be performed annually