Safeguards for financial records

Sep 1, 2002 12:00 PM, By DANIEL J. LANGIN



Many years ago, a famous bank robber, when asked why he robbed banks, said “that's where the money is.” Bank regulation and reform since then have created a strong and vibrant financial services industry, but unfortunately, hackers and information thieves have continued to follow the bank robber's advice.

Faced with a continued increase in security breaches affecting financial institutions, Congress passed the Gramm-Leach-Bliley Act (GLB) to regulate the privacy and protection of customer records maintained by financial institutions. Although attention has focused on the privacy requirements of the act, a lesser-known (but perhaps more important) set of requirements exists: the information security requirements known as the “financial institution safeguards.”

Essentially, GLB authorizes the agencies that regulate financial institutions (FTC, SEC, etc.) to create information security standards for the institutions in order to:

  • ensure the security and confidentiality of customer records and information;

  • protect against threats or hazards to the security or integrity of such records; and

  • protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

As required by this section of GLB, the agencies have issued the “Interagency Guidelines Establishing Standards for Safeguarding Customer Information,” which create common security standards for financial institutions. According to a May 31, 2001 letter from the Federal Reserve System, financial institution examiners are to “assess compliance with the guidelines during each safety and soundness examination or examination cycle (which may include targeted reviews of information technology) and monitor ongoing compliance as needed.” In other words, whether as part of regular institution examinations or “targeted reviews,” federal examiners must now review the information security status of the institution.

The guidelines specifically name the financial institution's board of directors as the primary body responsible for information security. The board, or a committee of board members, is required to approve the institution's security policy and to “oversee the development, implementation, and maintenance of the bank's information security program, including assigning specific responsibility for its implementation and reviewing reports from management.” Although a number of institutions asked the agencies to tone down this portion of the guidelines and to substitute management for the board as the entity primarily responsible for information security, the agencies refused and reinforced the board's duties.

The board is required to review its information security measures annually. The day-to-day handling of information security matters can be delegated to management, but accountability cannot, and the core message is clear: the financial institution's board of directors has the primary, non-delegable duty to meet the information security requirements under the guidelines.

Financial institutions are required to adopt the following measures to the extent that they are likely to protect customer information:

  • Access controls on customer information systems;

  • Access restrictions at physical locations containing customer information;

  • Encryption of electronic customer information;

  • Procedures to ensure that system modifications do not affect security;

  • Dual control procedures, segregation of duties, and employee background checks;

  • Monitoring systems to detect actual attacks on or intrusions into customer information systems;

  • Response programs that specify actions to be taken when unauthorized access has occurred; and

  • Protection from physical destruction or damage to customer information.

Although the guidelines do not require institutions to use specific products, the agencies' Examination Procedures specifically advise examiners to look for intrusion detection systems when assessing how an institution detects cyber-attacks.

These Examination Procedures were created by the agencies as a checklist for examiners to use when determining whether institutions meet GLB requirements under the guidelines. Although the guidelines have been in effect since July 1, 2001, many institutions may only now be preparing for their regular agency examinations.

The agencies may enforce GLB with the same sanctions they currently use to regulate financial institutions. For example, the FDIC may enforce violations under Section 8 of the Federal Deposit Insurance Act, which gives the FDIC the authority to impose penalties ranging from $5,000 per day up to $1,000,000. There are also enhanced criminal penalties for persons who gain fraudulent access to protected financial information.

Unlike the bank robber of yesteryear, today's criminals do not always need to burst in the front door toting a machine gun. Protections such as intrusion detection systems and the other measures required by GLB can keep both robbers and regulators from causing losses to financial institutions.

For the record

About the Author

This article was written by Dan Langin, a lawyer with eight years' experience in providing legal advice and consulting to information technology and security professionals and insurance companies. It was submitted by Recourse Technologies, a supplier of threat management solutions that detect, analyze, and respond to both known and novel threats, including intrusions, internal attacks and denial of service attacks.

© 2008 Penton Media Inc.