CFTC Issues GLBA Security Guidelines
The CFTC’s recommendations are consistent with the requirements and guidelines issued by the FTC in its “Safeguards Rule” and by the federal banking regulators in the “Interagency Guidelines Establishing Standards for Safeguarding Customer Information” (although the FTC recently announced plans to review and solicit comments on the Safeguards Rule, suggesting that changes to the Rule may be forthcoming). In particular, the CFTC recommends that covered institutions:
- Designate a specific employee with privacy and security management oversight responsibilities;
- Identify, in writing, all reasonably foreseeable internal and external risks to security, confidentiality, and integrity of personal information and systems processing personal information;
- Design and implement safeguards, in writing, to control the identified risks;
- Train staff to implement the program;
- Regularly test and monitor the safeguards;
- Oversee service providers;
- Regularly evaluate and adjust the program; and
- Design and implement policies and procedures to respond to incidents involving unauthorized access, disclosure, or use of personal information.
CFTC-regulated entities should review the Staff Advisory for additional details on implementing the above recommendations. In addition, institutions seeking to enhance their information security programs may find it useful to review the new NIST Cybersecurity Framework (which we discussed at length in a recent post). The Framework provides a voluntary set of standards, guidelines and best practices that financial institutions and other organizations can use to assess and manage cybersecurity risks, and is likely to become an influential benchmark in all industries for assessing the reasonableness of an organization’s information security program.