The Gramm-Leach-Bliley Act (GLBA) is a federal law that requires financial institutions to safeguard sensitive customer information and to clearly explain their information-sharing practices. For non-bank financial institutions, the Federal Trade Commission (FTC) enforces it through the Safeguards Rule. The FTC’s amendments to the Safeguards Rule, which took effect in 2022, require non-banking financial institutions to strengthen the cybersecurity measures that protect consumer data. The updates follow widespread data breaches and cyberattacks across the financial industry. Organizations that process consumer financial data have a December 9, 2022, deadline to comply with the specific data security practices the amended Safeguards Rule lays out.

The GLBA’s definition of a “financial institution” is extremely broad; as a result, many companies that would not normally consider themselves financial institutions fall within it.

Financial institution means any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.

Financial institutions include, but are not limited to, mortgage lenders, “payday” lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors, and other financial advisors, tax preparation firms, non-federally insured credit unions, investment advisors, auto dealers, retailers, personal property and real estate appraisers, real estate settlement services, and others (see specific examples at the end of this document).

Penalties for non-compliance can include fines of up to $100,000 per violation for the institution, and fines of up to $10,000 per violation for its officers and directors. In addition, the provisions include criminal penalties of up to five years in prison and the revocation of licenses.

Ultimate Risk Services and our MSP partner can provide a turnkey cybersecurity compliance program to meet the new requirements.

Our MSP partner and URS start the process with the Regulation Core Subscription, which includes the cyber risk portal, GLBA compliance training, awareness training, NIST 800-171 policies co-developed with Mullen Coughlin, the Task Completion Monitoring & Reminder System, webinars, professional cyber insurance guidelines, and SME services. Typically, as the next step, our MSP partner will follow up to review any additional requirements specific to your organization and provide the IT/technology services required.