The Gramm-Leach-Bliley Act of 1999, or GLBA, is a deregulation bill meant to enhance competition in the financial services industry. But it is best known by IT and security professionals for requiring the protection of personal information and the disclosure of privacy policies. The Federal Financial Institutions Examination Council (FFIEC) has established guidelines for meeting and maintaining GLBA compliance.
Infographic statistics (the percentage figures did not survive extraction):
of financial firms say they've experienced some kind of economic crime in the past year (PwC study)
of financial services employees didn't undergo any security awareness training
of financial firms believe the threat of cybercrime is rising year over year
GLBA applies to companies that provide financial products or services to consumers. This includes banks, mortgage brokers, insurance firms, real estate appraisers, tax preparation businesses, check-cashing businesses, accountants, ATM operators and others.
There are two main security- and privacy-related provisions under GLBA:
Introduced under Section 501(b) of GLBA and issued by the Federal Trade Commission (FTC), the rule aims to:
Required by Section 504(a) of GLBA and also issued by the FTC, this rule:
In particular, financial companies must have a written information security plan in place. As part of this plan, entities must, among other things: identify and assess the risks to customer information; implement a "safeguards program" and regularly monitor and test it; and manage the selection of appropriate service providers.
Through its Information Security Examination Handbook, the FFIEC, in conjunction with its member agencies, has defined a process-based approach for complying with GLBA.
Among the guidance: financial institutions should test for vulnerabilities, monitor their networks for anomalies, implement an incident response program, train staff on security awareness and ensure that third parties have adequate security controls in place.
In addition, the FFIEC has released “Authentication in an Internet Banking Environment” (PDF, with a PDF supplement), which prescribes a risk management framework for financial institutions offering online banking. The guidance states that these entities should use adequate methods to authenticate the identity of customers as a way to protect against threats like phishing and account takeover.
While financial services companies are traditionally leaders among industries in the effectiveness of their information security controls, they also remain a significant target of attackers because of the wealth of personal information under their control. Attackers are constantly developing new schemes to perpetrate fraud against these institutions. As Willie Sutton once said when asked why he robbed banks: “Because that’s where the money is.” The mindset is no different for cybercriminals.
A number of federal and state agencies are responsible for enforcing GLBA, depending on who the potential violator is. They are: the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corp. (FDIC), the Office of Thrift Supervision, the National Credit Union Administration, the Securities and Exchange Commission, state insurance authorities, the Commodity Futures Trading Commission and the FTC.
Trustwave provides a comprehensive portfolio that can help organizations of any size respond to GLBA regulations.
Conducting a risk assessment is the first step toward identifying and implementing the safeguards necessary to meet compliance. The customizable assessments, scaled individually for your financial institution, include identification of key assets and IT systems, assessment of controls and frameworks, and a review of third-party providers and incident response programs.
GLBA requires companies to protect customer records and information, whether it’s being collected, stored or transmitted. Here are some of the ways we can help:
Allows you to discover and classify sensitive data and prevent it from leaving the network.
Ensures managed and unmanaged devices connecting to the network comply with policies and do not introduce malware.
Offers a token-less, cloud-based mechanism to prevent password interception and verify the identities of customers.
Protects sensitive data against external attackers who may exploit vulnerabilities, such as SQL injection, to steal customer information.
Helps you gain broad visibility of threats to your network and improve your compliance process through logging, monitoring, and analysis of events.
Prepares your staff to proactively identify the indications of a breach and contain it quickly and effectively.
Teaches your employees and contractors to understand the threat of social engineering and to follow security best practices, including the safe use of web and social media tools and password management.
Identifies and manages potential vulnerabilities in your networks, applications or databases.