• Service Hours

    Monday - Friday
    9 AM to 5 PM Eastern

    Emergency On-Call Support
    24 Hours

What the New GLBA Safeguards Means for CPA Firms

The Federal Trade Commission (FTC) recently published a new safeguards regulation incorporating most of the recommended revisions to the 2002 GLBA guidelines for safeguarding client information, on 10th January 2022. Although most of the new safeguards rule’s provisions do not take effect until a year after the guidelines’ publication in the Federal Register, some do so within 30 days.

Concurrently, the Federal Trade Commission released an addendum of prospective regulations requiring financial firms to disclose particular data security occurrences. Financial firms will be obliged to inform the FTC in less than 30 days of uncovering an actual or foreseeable event that has or may result in a breach of client’s data stored in a firm’s information database and affects or may affect at least 1000 clients.

New GLBA Safeguards For CPA Firms

The New GLBA Safeguards Guidelines

The updated safeguards regulation broadens the scope of the previous GLBA Safeguards guidelines and adds new standards, including access restrictions, encryption approaches, and multifactor authentication.

New GLBA Safeguards Guidelines Scope

The expanded safeguards regulation broadens the description of “financial firms” to include entities substantially involved in activities deemed ancillary to financial operations. As a result, the expanded safeguards rule covers a wide range of non-banking institutions, from tax preparers to those who provide career guidance to those who are now employed or have just been ousted from financial institutions. The FTC states in its additional information to the New Safeguards regulation that this change is designed to include “finders”—entities that connect purchasers and vendors of any goods or service for transactions—under the scope of the latest safeguards rule.

Finders, such as marketers that help clients discover financial institutions for a loan, frequently save highly sensitive financial data about their clients. Concerns that the broad definition of “financial institution” would cover an excessive number of finders were addressed by the FTC. FTC stated that the data protected is restricted to client information but does not extend to finders who have only detached interactions with clients and do not collect data about those organizations’ clients from other financial firms.

According to the new rule, financial institutions with less than 5,000 customers are excluded from some obligations, such as documented risk assessments, continuous evaluation or yearly vulnerability scanning, biennial vulnerability evaluation, and written emergency preparedness plans, according to the current rules. This exception addresses the worry that some risk assessment standards may be too costly and challenging to execute for micro-financial institutions.

Risk Assessment

The newly modified safeguards guideline outlines particular risk assessment requirements for CPA firms, including that financial institutions write and document how potential risks will be addressed or embraced. Financial institutions are required to do extra risk assessments regularly. Risk assessment is meant to evaluate possible vulnerabilities to client data that might result in an illegal breach. Concerns that putting risk evaluation in writing may give a blueprint for malevolent cyber attackers if accessed were addressed by the FTC, which noted that financial firms should secure risk assessment documents like they would any sensitive data.

The New Safeguards Rule further expands financial institutions’ service provider monitoring responsibilities, requiring them to evaluate their service providers regularly depending on the threat they pose and the continuous sufficiency of their countermeasures. In addition, the revised guidelines require financial institutions to establish, enforce, and maintain processes for safely discarding client data no later than two years since the last time the data was used. However, financial institutions can keep such data if obligated under the EU’s data minimization precepts.

Data Security Management

The new guidelines require financial institutions to nominate a “Qualified Individual” to be in charge of the institution’s information security management system. Requirements for functioning as an eligible professional will differ for every organization. An eligible professional for a financial institution with a modest and essential infrastructure will not need as much training and expertise as a qualified professional for a massive and complex institution.

The designated professional must submit a written statement on the organization’s information security management system and adhere to the new guidelines regularly and annually. The frequency with which an institution delivers such a statement is determined by the demands of a particular institution. The individual in charge of managing an institution’s security management system should provide the written security report to the company’s directors or comparable ruling body of the institution. If there is no governing body in the institution, they should submit the report to a senior official in charge of the security program. The statement must detail the overall state of the information security program and its adherence to the new rules.

Privacy Guidelines

The revised Privacy Rule, which is only applicable to vehicle dealers, has two significant changes. For starters, it broadens the definition of “financial institution” to encompass businesses that are heavily involved in non-financial operations. This will result in “finders” being included in the scope of the revised privacy guidelines. However, given the FTC’s assessment that most vehicle dealers covered by the previous privacy guidelines are actively involved in securing funding for their clients, this adjustment is only expected to have a minor impact.

The current privacy regulations have altered the yearly privacy notice specifications to align with the GLBA’s statutory modifications. The present privacy regulation states that a financial institution is not required to submit an annual privacy notice if they only provide nonpublic information to non-affiliated external parties in a way that doesn’t involve an opt-out notice to be given to their clients. Financial institutions are also obligated to submit an annual privacy notice if they have not altered their privacy policies since they last provided one to their clients.

Bottom Line

Regardless of one’s position on the revised safeguards regulations, its implementation reflects a more dynamic cybercrime landscape and its implications for financial firms in particular. As the volume and complexity of cyber-attacks on financial institutions grows, they must become ever more proactive and efficient in their data protection strategies.

The new consumer protection guidelines are part of an attempt to hold financial firms liable for the consumer data they are responsible for protecting. Even though many companies have already adopted some of the data security procedures specified in the new guidelines, they should re-evaluate their current practices.

If your financial institution is subject to GLBA but does not conform with the new safeguards guidelines, reach out to us at LAN Infotech and talk to our data privacy experts. Our IT experts will assess your current compliance status and help you check off the compliance obligations you must fulfill in the revised safeguards guidelines.

Thanks to the team at Velocity IT in Dallas for their help with this article.