Third-Party Risk Management and the Gramm-Leach-Bliley Act Safeguards Rule
The Standards for Safeguarding Customer Information, also known as 16 CFR Part 314, is a regulation issued by the U.S. Federal Trade Commission (FTC) that implements key provisions introduced in the Gramm-Leach-Bliley Act (GLBA). The regulation outlines the standards for financial institutions to follow in order to protect the security, confidentiality, and integrity of customer nonpublic personal information (NPI).
Because the law requires service providers or affiliates (such as third parties) to maintain an information security program that protects your customer data, third-party risk management teams should be aware of the provisions in the Safeguards Rule and be prepared to report on its controls.
This post examines the key provisions in the GLBA Safeguards Rule and recommends best practices for ensuring that third-party service providers maintain the security, confidentiality, and integrity of your organization’s customer data.
The GLBA Safeguards Rule and Third-Party Risk Management
The GLBA Safeguards Rule applies to all financial institutions under the jurisdiction of the FTC. It aims to ensure these institutions have robust systems to safeguard customer information. As part of the Rule, financial institutions are required to develop, implement, and maintain a comprehensive written information security program. The program must be appropriate to the institution’s size, complexity, and the level of sensitive customer information it handles. Additionally, financial institutions must designate one or more employees to coordinate their information security program, including with third-party service providers. Non-compliance with the standards can lead to penalties and corrective actions.
In general, the Safeguards Rule requires information security programs to include the following elements:
Risk Assessment
Financial institutions must identify and assess risks to customer information in each relevant area of their operations. They must evaluate the effectiveness of current safeguards in place to control these risks.
Design and Implementation of Safeguards
Based on the risk assessment, financial institutions must design and implement safeguards to control the identified risks. These safeguards should be regularly tested and monitored to ensure their effectiveness.
Overseeing Service Providers
Financial institutions must take reasonable steps to ensure that their service providers (e.g., third parties) maintain appropriate safeguards for customer information. This includes requiring service providers by contract to implement and maintain such safeguards.
Adjusting the Program
The information security program should be adjusted based on the results of ongoing risk assessments, monitoring, and changes in the institution’s business operations or structure.
Key Third-Party Risk Management Provisions in the Safeguards Rule
According to section 314.3, financial institutions are required to “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.”
The objectives of the program are to:
- “Insure” the security and confidentiality of customer information;
- Protect against any anticipated threats or hazards to the security or integrity of such information; and
- Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
The table below examines key third-party service provider-related provisions in the Safeguards Rule and suggests best practices to address the requirements.
NOTE: This table includes select provisions in section 314.4. For a complete examination of requirements, please review the full Safeguards Rule with your internal audit team or external auditor.
How Prevalent Can Help Address GLBA Safeguards Rule Requirements
The Prevalent Third-Party Risk Management (TPRM) Platform automates the critical tasks required to assess, monitor, and manage third-party service providers against security, privacy, and other critical risks. The Prevalent Platform enables third-party risk teams to centrally:
- Automate third-party service provider sourcing, selection, and onboarding with built-in risk insights and scoring.
- Profile, tier, and score inherent and residual risks to accurately categorize third-party service providers based on criticality and prescribe additional due diligence.
- Assess third-party service providers using more than 750 risk assessment templates across multiple risk domains with built-in AI-driven auto questionnaire completion, workflow, task and evidence management, and remediation recommendations.
- Continuously monitor third-party service provider cyber, business, reputational, and financial risks to validate controls against assessment results and fill gaps between regular assessments.
- Address complex regulatory reporting requirements with AI and machine learning analytics that normalize and correlate findings from multiple sources.
This regulation is essential for maintaining trust between financial institutions and their customers by ensuring that personal and financial information is adequately protected from unauthorized access and breaches. With 61% of companies reporting a third-party data breach or security incident in the last year, financial institutions must take adequate precautions to ensure third-party service providers are protecting their customer data.
For more on how Prevalent can help you understand your GLBA Safeguards Rule third-party service provider requirements, request a demonstration today.
Editor’s Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired Prevalent, the AI-enabled third-party risk management company. The content has since been updated to include information aligned with our product offerings, regulatory changes, and compliance.