The Interagency Guidelines Establishing Information Security Standards are a set of requirements designed to protect customer information held by financial institutions in the United States. These guidelines are issued under the Gramm-Leach-Bliley Act (GLBA) and are developed collaboratively by regulatory agencies and other federal banking agencies.
The Interagency Guidelines provide a comprehensive framework for safeguarding sensitive customer information against threats, ensuring the security, confidentiality, and integrity of customer data. Here’s a detailed overview…
Application and scope
The guidelines apply to financial institutions as defined under the GLBA, including:
- Banks
- Credit unions
- Savings and loans institutions
- Non-bank financial companies engaged in activities such as lending, investing, or providing financial advisory services.
These institutions must also oversee third-party service providers who handle customer information on their behalf.
Penalties for non-compliance
Non-compliance can result in:
- Regulatory fines and penalties.
- Reputational damage.
- Legal action from customers or affected parties.
Increased scrutiny from regulatory bodies.
Impact on the industry
The Interagency Guidelines have established a benchmark for protecting financial data, influencing global practices and standards. Importantly, they foster trust in financial institutions while enhancing resilience against cyber threats.
Core objectives
Security and confidentiality
- Protect customer information from unauthorised access or use.
- Ensure the integrity and confidentiality of data.
Threat mitigation
- Protect against anticipated threats or hazards to data security.
- Mitigate risks of data breaches or unauthorised access.
Compliance
- Ensure compliance with applicable laws and regulations regarding data security.
Key requirements
| Requirement | Description |
|---|---|
| Information security program (ISP) | Develop and maintain a written ISP tailored to the institution’s size, complexity, and nature of activities. |
| Risk assessment | Identify and assess risks to customer information and evaluate the likelihood and impact of those risks. |
| Risk management | Design and implement safeguards to control identified risks and regularly test their effectiveness. |
| Oversight of service providers | Exercise due diligence in selecting third-party providers and require them to maintain appropriate safeguards. |
| Incident response | Develop procedures for addressing security incidents, including notifying affected customers and regulators. |
| Board oversight and accountability | Ensure the board of directors or a designated committee oversees the ISP and assigns accountability to appropriate individuals. |
Steps for compliance
Step 1: Develop an information security program
- Identify internal and external threats.
- Assess the sufficiency of existing policies and controls.
Step 2: Implement safeguards
- Implement technical, administrative, and physical safeguards.
- Align measures with the identified risks.
Step 3: Test periodically
- Conduct regular tests to evaluate the effectiveness of the security measures.
- Use independent third parties or internal auditors to conduct tests.
Step 4: Training and awareness
- Provide regular training for employees on security policies and practices.
- Ensure employees understand their roles in maintaining information security.
Step 5: Monitoring and updating
- Continuously monitor the environment for new threats.
- Update the ISP to address emerging risks and technological advancements.
Recent updates and trends
In light of evolving cybersecurity threats, agencies have increasingly emphasized:
- Cybersecurity risk management: Integration of cybersecurity frameworks like the NIST Cybersecurity Framework.
- Incident reporting: Timely notification of significant cyber incidents to regulatory authorities.
- Third-party risk management: Enhanced oversight of vendors and service providers.
Relation to other regulations
The Interagency Guidelines complement other regulatory frameworks, such as:
- Federal Financial Institutions Examination Council (FFIEC) IT Handbook.
- NIST Cybersecurity Framework for baseline security standards.
- State Laws like the California Consumer Privacy Act (CCPA) for broader consumer protections.
Best practice for implementation
Practice 1: Adopt a layered security approach
Use firewalls, encryption, multi-factor authentication, and intrusion detection systems.
Practice 2: Engage leadership
Involve senior management and the board in information security governance.
Practice 3: Conduct regular audits
Review ISP components and adjust based on audit findings.
Practice 4: Focus on data minimisation
Limit the collection and retention of sensitive customer information.
Practice 5: Enhance incident response
Use tabletop exercises to simulate breaches and improve readiness.
How ITLawCo can help
At ITLawCo, we specialise in navigating the intersection of legal, technological, and regulatory challenges. We’ve designed our services to help financial institutions comply with the Interagency Guidelines and to elevate their overall information security posture.
Here’s how we can assist
- Developing and enhancing information security programs
- Risk assessments and management
- Third-party risk management
- Incident response planning
- Policy and procedure development
- Training and awareness
- Regulatory compliance audits
- Board-level strategy support
- Global standards alignment
