Gramm-Leach-Bliley Act – Safeguards Rule Policy

OVERVIEW

The Gramm-Leach-Bliley Act (GLBA) was enacted in 1999 to provide a framework for regulating the privacy and data security practices of a broad range of financial institutions. Subtitle A of Title V of the GLBA required the Federal Trade Commission (FTC) and other federal agencies to establish standards for financial institutions relating to administrative, technical, and physical safeguards for certain information. Pursuant to the GLBA's directive, the FTC promulgated the Safeguards Rule, 16 CFR 314, which became effective on May 23, 2003. The Safeguards Rule (Rule) requires financial institutions to develop, implement, and maintain comprehensive information security programs that consist of the administrative, technical, and physical safeguards the financial institution uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.

On October 27, 2021, the FTC announced a Final Rule amending the Safeguards Rule as it applies to covered financial institutions. The Final Rule provides guidance on developing and implementing information security programs, such as access controls, authentication, and encryption. Notably, the Final Rule expands the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities, bringing those entities under the FTC’s enforcement authority under the Safeguards Rule.

In October 2023, the FTC approved an amendment to the Safeguards Rule that would require non-banking institutions to notify the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 consumers. Such an event requires notification if unencrypted customer information has been acquired without the authorization of the individual to whom the information pertains.

Terms defined in section 314.2 of the GLBA:

  • Authorized user means any employee, contractor, agent, customer, or other person that is authorized to access any of your information systems or data.

  • Consumer means an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, or that individual's legal representative.

  • Customer means a consumer who has a customer relationship with you.

  • Customer information means any record containing nonpublic personal information as defined in 16 CFR 313.3(n), about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of a financial institution or their affiliates.

  • Customer relationship means a continuing relationship between a consumer and you under which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.

  • Financial institution means any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.

  • Information system means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information containing customer information or connected to a system containing customer information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental controls systems that contains customer information or that is connected to a system that contains customer information.

  • Information security program means the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.

  • Nonpublic personal information (NPPI) means personally identifiable financial information and any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.

  • Personally identifiable financial information means any information:

    • (i) A consumer provides to you to obtain a financial product or service from you;

    • (ii) About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or

    • (iii) You otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.

  • Service provider means any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to this part. Separately, section 1002(26) of the Dodd-Frank Act defines a service provider as “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.” A service provider may or may not be affiliated with the person to which it provides services.

§ 314.3 establishes standards for safeguarding customer information, which states: (a) You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue. The information security program shall include the elements set forth in § 314.4 and shall be reasonably designed to achieve the objectives of this part, as set forth in paragraph (b) of this section.

(b) Objectives. The objectives of section 501(b) of the Act, and of this part, are to:

  1. Insure the security and confidentiality of customer information;

  2. Protect against any anticipated threats or hazards to the security or integrity of such information; and

  3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

§ 314.4 establishes the elements required to achieve a reasonably designed information security program, which states: In order to develop, implement, and maintain your information security program, you shall:

(a) Designate a qualified individual responsible for overseeing and implementing your information security program and enforcing your information security program (for purposes of this part, “Qualified Individual”). The Qualified Individual may be employed by you, an affiliate, or a service provider. To the extent the requirement in this paragraph (a) is met using a service provider or an affiliate, you shall:

  1. Retain responsibility for compliance with this part;

  2. Designate a senior member of your personnel responsible for direction and oversight of the Qualified Individual; and

  3. Require the service provider or affiliate to maintain an information security program that protects you in accordance with the requirements of this part.

(b) Base your information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks.

  1. The risk assessment shall be written and shall include:

    • (i) Criteria for the evaluation and categorization of identified security risks or threats you face;

    • (ii) Criteria for the assessment of the confidentiality, integrity, and availability of your information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats you face; and

    • (iii) Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks.

  2. You shall periodically perform additional risk assessments that reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and reassess the sufficiency of any safeguards in place to control these risks.

(c) Design and implement safeguards to control the risks identified through risk assessment, including by:

  1. Implementing and periodically reviewing access controls, including technical and, as appropriate, physical controls to:

    • (i) Authenticate and permit access only to authorized users to protect against the unauthorized acquisition of customer information; and

    • (ii) Limit authorized users' access only to customer information that they need to perform their duties and functions, or, in the case of customers, to access their own information;

  2. Identify and manage the data, personnel, devices, systems, and facilities that enable you to achieve business purposes in accordance with their relative importance to business objectives and your risk strategy;

  3. Protect by encryption all customer information held or transmitted by you both in transit over external networks and at rest. To the extent you determine that encryption of customer information, either in transit over external networks or at rest, is infeasible, you may instead secure such customer information using effective alternative compensating controls reviewed and approved by your Qualified Individual;

  4. Adopt secure development practices for in-house developed applications utilized by you for transmitting, accessing, or storing customer information and procedures for evaluating, assessing, or testing the security of externally developed applications you utilize to transmit, access, or store customer information;

  5. Implement multi-factor authentication for any individual accessing any information system, unless your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls;

  6. intentionally left blank

    • (i) Develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates, unless such information is necessary for business operations or for other legitimate business purposes, is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained; and

    • (ii) Periodically review your data retention policy to minimize the unnecessary retention of data;

  7. Adopt procedures for change management; and

  8. Implement policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.

(d) intentionally left blank

  1. Regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems.

  2. For information systems, the monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments. Absent effective continuous monitoring or other systems to detect, on an ongoing basis, changes in information systems that may create vulnerabilities, you shall conduct:

    • (i) Annual penetration testing of your information systems determined each given year based on relevant identified risks in accordance with the risk assessment; and

    • (ii) Vulnerability assessments, including any systemic scans or reviews of information systems reasonably designed to identify publicly known security vulnerabilities in your information systems based on the risk assessment, at least every six months; and whenever there are material changes to your operations or business arrangements; and whenever there are circumstances you know or have reason to know may have a material impact on your information security program.

(e) Implement policies and procedures to ensure that personnel are able to enact your information security program by:

  1. Providing your personnel with security awareness training that is updated as necessary to reflect risks identified by the risk assessment;

  2. Utilizing qualified information security personnel employed by you or an affiliate or service provider sufficient to manage your information security risks and to perform or oversee the information security program;

  3. Providing information security personnel with security updates and training sufficient to address relevant security risks; and

  4. Verifying that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures.

(f) Oversee service providers, by:

  1. Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue;

  2. Requiring your service providers by contract to implement and maintain such safeguards; and

  3. Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards.

(g) Evaluate and adjust your information security program in light of the results of the testing and monitoring required by paragraph (d) of this section; any material changes to your operations or business arrangements; the results of risk assessments performed under paragraph (b)(2) of this section; or any other circumstances that you know or have reason to know may have a material impact on your information security program.

(h) Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in your control. Such incident response plan shall address the following areas:

  1. The goals of the incident response plan;

  2. The internal processes for responding to a security event;

  3. The definition of clear roles, responsibilities, and levels of decision-making authority;

  4. External and internal communications and information sharing;

  5. Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;

  6. Documentation and reporting regarding security events and related incident response activities; and

  7. The evaluation and revision as necessary of the incident response plan following a security event.

(i) Require your Qualified Individual to report in writing, regularly and at least annually, to your board of directors or equivalent governing body. If no such board of directors or equivalent governing body exists, such report shall be timely presented to a senior officer responsible for your information security program. The report shall include the following information:

  1. The overall status of the information security program and your compliance with this part; and

  2. Material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management's responses thereto, and recommendations for changes in the information security program.

§ 314.5 establishes the effective date of the amendments, which states: Section 314.4(a), (b)(1), (c)(1) through (8), (d)(2), (e), (f)(3), (h), and (i) are effective as of December 9, 2022.

§ 314.6 establishes exceptions to the amendments, which states: Section 314.4(b)(1), (d)(2), (h), and (i) do not apply to financial institutions that maintain customer information concerning fewer than five thousand consumers.

PURPOSE

This Policy and Procedure (PnP) has been created to formally establish the standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of consumer information.

POLICY

It is the policy of Kredit Financial Inc. (Kredit) to establish, implement, and maintain an information security program that complies with the requirements set forth in the Safeguards Rule.

SCOPE

This PnP is applicable to all Kredit information systems and individuals with access to those systems.

ROLES AND RESPONSIBILITIES

Kredit’s Chief Compliance Officer (CCO) is responsible for ensuring this PnP reflects the most current requirements under the Safeguards Rule and that the procedures employed by Kredit to comply with the requirements meet both the letter and spirit of the law. The CCO is also responsible for reviewing this Policy on an annual basis.

Kredit’s Chief Technology Officer (CTO) is the named Qualified Individual responsible for overseeing, implementing, and enforcing Kredit’s information security program. These responsibilities include:

  1. Identifying and assessing the risks to customer information in each relevant area of the company’s operation and evaluating the effectiveness of the current safeguards for controlling these risks;

  2. Designing and implementing a safeguards program, and regularly monitoring and testing it;

  3. Taking reasonable steps to select and retain service providers that can maintain appropriate safeguards for the customer information at issue, and requiring service providers by contract to implement and maintain such safeguards; and

  4. Evaluating and adjusting the program based on relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.

Kredit’s Chief Executive Officer (CEO) is responsible for providing the Board of Directors with updates on any material matters of risk related to the information security program that are received from the CTO, on at least an annual basis.

PROCEDURE

Kredit has developed, implemented, and maintains a written information security program (Program) that contains the administrative, technical, and physical safeguards that insure the security and confidentiality of customer information, protect against anticipated threats and hazards to the security of such information, and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer. Kredit’s CTO is the Qualified Individual responsible for overseeing, implementing, and enforcing its Program.

Kredit has implemented technical access controls that permit access only to authorized users within its environment, based on the principles of need-to-know and least privilege (see Access Control Policy for more details).

Kredit stores all data at rest using AES 256-bit encryption. Data in transit is protected with TLS 1.2 or higher.

All users accessing Kredit’s environment are required to use multi-factor authentication.

Kredit has developed, implemented, and maintains a Record Retention and Destruction Policy that outlines the retention periods required to comply with legal, regulatory, and contractual requirements for the various records retained by the organization. Kredit utilizes methods of record destruction that are recommended by the National Institute of Standards and Technology’s (NIST) Special Publication 800-88 for the secure disposal of said records.

Kredit performs regular testing and monitoring of its environment via penetration testing and vulnerability scans. Kredit’s Program is adjusted based on the results of the ongoing testing and monitoring activities (see Vulnerability and Threat Management Policy for more details).

Kredit employees are required to take security awareness training at hire and annually thereafter (see Training Policy for more details).

Kredit has developed a service provider oversight program that fully evaluates the risk of using an outside service provider prior to entering into a contractual agreement. This process ensures new and existing service providers are capable of maintaining appropriate safeguards for keeping consumer information secure (see Service Provider Oversight Policy for more details).

Kredit has developed an Incident Response Plan that ensures any security event materially affecting the confidentiality, integrity, or availability of customer information is promptly responded to, and recovered from (see Incident Response Plan for more details).

Kredit’s Board of Directors (Board) meets on a quarterly basis to discuss matters of risk within the organization. Kredit’s CTO reports matters of risk related to information security directly to the CEO, who in turn provides the information to the Board during the quarterly meetings.

COMMUNICATION

This Policy shall be communicated to all affected employees via email and maintained in the Policies folder, sub-folder Regulatory Policies on Google Drive for reference purposes.

EFFECTIVE DATE

The revised Safeguards Rule became effective on June 9, 2023. The Amendment becomes effective 180 days after publication of the rule in the Federal Register.

CONTROL

On an annual basis, beginning one year from the effective date of the revised Safeguards Rule, Kredit’s CCO shall perform an audit of the above stated procedures.

VIOLATIONS

Failure to comply with the above stated procedures will result in a violation of the GLBA.

CHANGE SUMMARY

Purpose: Internal Policy

Category: Regulatory

Policy Name: Gramm-Leach-Bliley Act - Safeguards Rule Policy

Last updated