What the Gramm-Leach-Bliley Act Means for Financial Services Cybersecurity

For obvious reasons, the financial services industry has had the unfortunate distinction of being one of the largest high value targets for threat actors. Research shows that financial services businesses experience 300 more cyber attacks than organizations in other industries. Many of those attacks come through third-party suppliers whose networks may not be as secure as the organizations they work with.

Yet financial services companies are responsible not only for protecting the sensitive customer information held in their networks, but also for notifying customers of how their information is shared—and when it may have been exposed. That’s what the Gramm-Leach-Bliley Act is about.

What is the Gramm-Leach-Bliley Act?

Introduced in 1999, the Gramm-Leach-Bliley Act requires all financial services firms that offer loans, financial advice, and similar services, to provide their customers with detailed explanations of their information sharing practices and to take special precautions to safeguard customer information.

The Act includes provisions for three distinct rules. A Financial Privacy Rule restricts the sharing of personally identifiable information and requires a detailed privacy statement; a Safeguards Rule calls for the development of a comprehensive security response plan; and a Pretexting Protection requires financial services firms to take precautions against unauthorized access to customers’ data.

Importantly, the Act requires financial institutions to establish information security policies around the protection of customer data and establishes a high standard for transparency pertaining to the collection and use of customer data. Customers must be informed about data sharing policies with third parties and be allowed to easily opt out if they’re uncomfortable with the practice.

What does the Gramm-Leach-Bliley Act mean for third-party risk management?

The security policies the Gramm-Leach-Bliley Act calls for must protect against potential data breaches and misuse of customer information up and down the financial firm’s supply chain. That means companies must ensure their third-party suppliers are just as secure as they are. That can be difficult, especially the further one moves down the supply chain.

But financial services firms need that visibility to ensure compliance with Gramm-Leach-Bliley and feel assured that their partners are doing everything they can to protect customers’ data. They must have insight into their third parties’ risk postures and reduce vulnerabilities wherever they can. Security ratings should be a key component of this effort, as they provide an easy to understand metric through which companies can understand each partners’ security and risk levels.

What are the benefits of compliance?

There are tangible benefits that can result from compliance with the Gramm-Leach-Bliley Act

• A reduction in unnecessary costs. With the average cost of a data breach hovering near $4 million—and customer PII with the highest cost per record—there’s a lot of money to be saved in taking the precautions laid out in the Gramm-Leach-Bliley Act.
• An intact reputation. Loss of reputation can be more detrimental than the short-term financial hit from a data breach. The long-term impact can be deep and lasting, and it can take years from the date of an incident for a company to regain the trust of its customers. Implementing the proper preventative measures today can help a firm maintain a reputation for excellence.
• Better customer relationships. With greater transparency comes better and more trusted customer relationships. But that transparency must always be backed up by policies and technologies that fully protect customers’ data.

Want to learn more about financial services cybersecurity?

Be sure to read our special report on third-party cyber risk in the financial services sector and read about how Fanny Mae is managing risk up and down its supply chain.