July 13, 2020 — The Federal Trade Commission is seeking to ramp up mandated cybersecurity efforts for financial institutions by altering the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to develop, implement and maintain a comprehensive information security program.
After collecting public comments throughout 2019, the commission proposed certain alterations to the act, which has been left untouched for nearly two decades since being enacted in 2002.
In a virtual FTC workshop on Monday, David Lincicum, an attorney for the FTC, discussed the changes the proposed rulemaking hopes to bring about with a panel of cybersecurity professionals.
Sam Rubin, vice president at cybersecurity consulting firm The Crypsis Group, said that the two biggest threats to financial institutions currently occur through business email compromise and ransomware attacks.
The amendments the FTC has proposed aim to alleviate these issues, protecting consumers and decreasing overall risk, he said.
Current rules maintain that financial institutions must design safeguards to control risks and must regularly test the effectiveness of those safeguards.
The new proposal seeks to maintain the flexibility of the current rule, while providing more guidance about the contents of an information security program, according to Lincicum.
Under the proposed rule, financial institutions would be required to designate one qualified individual to be responsible for overseeing the program.
This individual would be responsible for ensuring that the program is built on a written risk assessment.
Panelists agreed that this is an important issue currently being overlooked.
“People are not generally doing what we would consider risk assessments,” said Chris Cronin, a partner at HALOCK Security Labs. “Instead, they’ll have an auditor come in and run an audit.”
Financial institutions are not grappling with the real risks, he added.
Cronin argued that what FTC regulators are aiming for is not an audit, but an evaluation of the likelihood and magnitude of possible harm.
The proposed rule calls for regularly testing and monitoring the effectiveness of institutions’ defense programs.
“Risk assessments are not something that can be done once and forgotten,” Lincicum said. “New threats arise and new vulnerabilities are discovered.”
Two further consumer protection elements that would require specific action under the proposed rule are encryption and multifactor authentication.
The proposed encryption requirement demands that all customer information held or transmitted be encrypted at all times, both in transit over external networks and at rest.
The proposed multifactor authentication requirement would require any individuals accessing customer information to go through a two-step authentication process.
Some financial institutions would be exempt from aspects of the proposed rule; institutions that maintain the information of fewer than 5,000 consumers, for example, are exempt from most of the written requirements.
The participating panelists expressed a shared fear that people may call the proposed rule unreasonable, as the only benefit of implementing these programs is something not happening.
“A lot of people are going to have a hard time demonstrating reasonableness,” Cronin said.
Companies that have not experienced a breach may have a hard time understanding the benefits of conducting risk assessments, panelists predicted.
“It’s hard to explain,” Rubin said. “You don’t get a bonus for not getting hacked.”
Pablo Molina, chief information security officer at Drexel University, argued that many community members currently remain ill-informed on the issue and called for educating employees, clients and society at large.