FTC Expands Requirements for GLBA to Brokers and Mandates Penetration Testing

On December 9, 2021, the Federal Trade Commission published a new final rule amending information security requirements under the Gramm-Leach-Bliley Act (GLBA). Among the updates in this rule, there are two that may be especially significant for your institution.

Expanding the Definition of “Financial Institution”

First, the rule expands the definition of a financial institution covered under GLBA to include companies engaged in “activities incidental to financial activity.” Primarily, this means mortgage brokers and agents who connect consumers with lenders. Payday lenders, auto dealers, collections agencies, and many others who previously escaped the requirements of GLBA may also now be covered by the law.

For many years, financial institutions have dealt with the information security regulations of GLBA and built mature controls programs to satisfy them. But mortgage brokers and others now subject to GLBA may not have the same experience. We expect there will be significant gaps in the information security practices of many of these organizations. A thorough evaluation followed by corrective action plans will strengthen both the compliance and the security of these organizations.

Requiring Penetration Testing

The final rule also updated some of the specific information security control requirements mandated within the statute. Most notably, this includes explicit requirements to perform annual penetration testing of the institution’s systems, in addition to at least semi-annual vulnerability assessments. The final rule also clarified the definition of a penetration test as follows:

“Penetration testing means a test methodology in which assessors attempt to circumvent or defeat the security features of an information system by attempting penetration of databases or controls from outside or inside your information systems.”

Given this definition, it’s clear that simple vulnerability assessments, gap analyses, or automated checks of your systems are not adequate. Regulators expect active, hands-on-keyboard attempts to breach systems and data on your network and related systems. This is a point that we often try to clarify, as providers sometimes muddy the definition of a penetration test.

Finally, the FTC considered whether social engineering testing should be included in the definition or requirements. Ultimately, they decided to remain silent on the subject, as social engineering may or may not be included in the techniques executed to achieve the definition above.

How Wolf Can Help

Wolf combines advanced penetration testing and related cybersecurity capabilities with a century of experience in financial institutions. Whether you’re interested in stepping up your cybersecurity program with more in-depth penetration testing and threat emulation, or if your organization is brand new to GLBA and its requirements, our experts can help you strengthen your security, defend against modern threats, and meet all regulatory requirements.