GLBA penetration testing mandate requirements in 2024


Since June 9, 2023, the FTC's amended Safeguards Rule has set explicit expectations for GLBA penetration testing and vulnerability assessments. This article explains what pentesting for GLBA compliance involves. It will be updated if new requirements come into force in 2024.

In an era where data breaches are becoming increasingly commonplace, organizations across various sectors are forced to adapt to stringent cybersecurity rules stemming from regulatory compliance.

While cybersecurity is crucial for all verticals, it’s particularly important for the financial services industry due to its regulated nature and the volume of sensitive data such organizations handle. Financial institutions in the United States are mandated to comply with a myriad of federal regulations to protect this data and adhere to standards.

One such piece of legislation is the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999. With its stringent requirements for protecting customers’ private information, this law has fundamentally reshaped the way financial institutions approach data security.

This article will explore the GLBA from a cybersecurity standpoint, the amendments to its Safeguards Rule finalized in 2021 and enforced since June 2023, and, more importantly, the role of penetration testing and vulnerability scanning in meeting the latest requirements of that rule.

What is GLBA?

The Gramm-Leach-Bliley Act (GLBA) is a federal law enacted in November 1999 in the United States to protect consumers’ personal financial information held by financial institutions.

In the context of data security, the primary purpose of GLBA is to require financial institutions to ensure the security and confidentiality of their customers’ nonpublic personal information (NPI). This could include any personally identifiable data collected from a consumer in the process of offering a financial product or service or such data provided to the institution by another organization.

The GLBA is enforced by several agencies. For most non-bank financial institutions the enforcing agency is the Federal Trade Commission (FTC), whose Safeguards Rule is the subject of this article. Banks and thrifts answer to their federal banking regulators, such as the Federal Reserve Board (FRB), the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC). The Office of Thrift Supervision (OTS), still listed in many older references, was dissolved in 2011 and its functions transferred to the OCC and other agencies.

While the GLBA is complex, with several aspects related to the business operations of financial institutions, the focus of this article will be on its implications for security assurance and pen testing, specifically the requirements under its Safeguards Rule. To meet GLBA compliance, financial institutions must employ robust measures, including risk assessments, security programs, and employee training. Since June 9, 2023 (the original compliance date of December 9, 2022 was extended by the FTC), the Safeguards Rule has required penetration testing and vulnerability assessments, unless the institution operates effective continuous monitoring instead.

The Gramm-Leach-Bliley Act can be broken down into several key components, each playing a vital role in safeguarding customer information and private financial data: the Financial Privacy Rule, which governs how institutions collect, share and disclose customers' nonpublic personal information; the Safeguards Rule, which requires institutions to maintain a written information security program; and the pretexting provisions, which prohibit obtaining customer information under false pretenses.

The rule most relevant to pentesting is the Safeguards Rule, which we will briefly discuss in the upcoming section.

GLBA compliance – Safeguards Rule

A crucial component of the GLBA is the Safeguards Rule (16 CFR Part 314), which specifically addresses the need for financial institutions to implement information security programs to protect their customers’ nonpublic personal information (NPI). Under this rule, organizations are required to have a comprehensive written information security program that describes how the institution plans to protect NPI.

The Safeguards Rule doesn’t provide one-size-fits-all directives. Instead, it requires financial institutions to consider their size, complexity, nature and scope of activities and the sensitivity of the customer information they handle when developing their security programs. It emphasizes the necessity for a risk management approach that identifies reasonably foreseeable risks, ensures the adequacy of current safeguards, and regularly monitors and tests these safeguards.

The role of penetration testing in GLBA compliance

Penetration testing, also known as ethical hacking, has emerged as a crucial tool for maintaining robust cybersecurity practices, especially in the context of financial institutions. As a key means of safeguarding customer data, penetration testing is treated as a critical technical safeguard under the GLBA’s Safeguards Rule.

Penetration testing, in the context of GLBA, involves a series of simulated cyber attacks on an organization’s network, system, application, or entire IT infrastructure to identify potential vulnerabilities. The purpose of these tests is to exploit vulnerabilities in the same way a malicious actor might, with the ultimate goal of identifying and patching these vulnerabilities before they can be exploited in a real-world attack.

GLBA penetration testing allows financial institutions to:

  • Identify weaknesses in their network infrastructure, systems, and applications that could be exploited to gain unauthorized access to nonpublic personal information.
  • Assess their security controls’ effectiveness and determine whether they can withstand an actual cyber attack.
  • Meet regulatory expectations around regularly testing and monitoring the effectiveness of key controls, systems, and procedures related to information security.
  • Validate the effectiveness of their information security training by testing whether employees follow security practices.
  • Demonstrate due diligence in safeguarding sensitive customer information.

By including penetration testing in their cybersecurity strategy, financial institutions can ensure that they’re not just compliant with GLBA but are also taking a proactive approach to managing cyber risks.


GLBA penetration testing requirements

The FTC finalized its amended Safeguards Rule in December 2021. Compliance with the new technical provisions was originally due by December 9, 2022 and was then extended to June 9, 2023. Since then, 16 CFR 314.4(d)(2) has required covered institutions either to run effective continuous monitoring of their information systems or, absent that, to conduct annual penetration testing and vulnerability assessments at least every six months.

What should GLBA penetration testing look like?

  • Scope of testing: The scope of the penetration test should include all systems where nonpublic personal information is stored, processed, or transmitted. The rule expects the systems tested each year to be determined by the risks identified in the institution’s risk assessment, so the scope should be traceable to that assessment.
  • Frequency of penetration test: Per Section 314.4(d)(2)(i), annual penetration testing is required for GLBA compliance unless the institution has effective continuous monitoring in place. Cybersecurity industry best practice nevertheless recommends more frequent testing (quarterly, for instance), especially for high-risk systems.
  • Frequency of vulnerability assessments: Section 314.4(d)(2)(ii) requires vulnerability assessments, including systematic scans or reviews reasonably designed to identify publicly known vulnerabilities, at least every six months, and additionally whenever there are material changes to operations or business arrangements, or other circumstances that may materially affect the security program. By comparison, PCI DSS, the standard for card-processing merchants, imposes a stricter cadence of quarterly internal and external scans.
  • Testing methodology: Security testing should be comprehensive, covering both internal and external systems, and should include testing of network security controls and application security controls. Social engineering and user-awareness tests (phishing engagements, for instance) are not part of the mandate, but they are best practices worth adding to your information security program.
  • Remediation and reporting: Identified vulnerabilities should be categorized and prioritized based on risk level. A detailed report should be provided, outlining the findings, along with recommendations for remediation. Once vulnerabilities have been addressed, a retest should be conducted to confirm that the remediation activities were successful.

To quote directly from the revised Safeguards Rule (16 CFR 314.4(d)(2)):

314.4 (d) (2) For information systems, the monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments. Absent effective continuous monitoring or other systems to detect, on an ongoing basis, changes in information systems that may create vulnerabilities, you shall conduct:

  • (i) Annual penetration testing of your information systems determined each given year based on relevant identified risks in accordance with the risk assessment; and
  • (ii) Vulnerability assessments, including any systemic scans or reviews of information systems reasonably designed to identify publicly known security vulnerabilities in your information systems based on the risk assessment, at least every six months; and whenever there are material changes to your operations or business arrangements; and whenever there are circumstances you know or have reason to know may have a material impact on your information security program.

Conclusion

Understanding and maintaining compliance with the Gramm-Leach-Bliley Act (GLBA) is crucial for any financial institution. With its primary focus on protecting customers’ nonpublic personal information, GLBA demands rigorous cybersecurity measures and a comprehensive information security program.

Penetration tests are a necessary element of GLBA compliance, but they are only one component of an organization’s cybersecurity strategy. A solid information security program, as required by the rule, should involve a multi-layered security approach, a robust written risk assessment, and an incident response plan, incorporating administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of nonpublic personal information.

Since the 2021 amendments, with a compliance deadline of June 9, 2023, the Safeguards Rule explicitly requires covered entities to perform penetration testing and vulnerability assessments on a regular schedule, unless they rely on effective continuous monitoring, as part of the institution’s cybersecurity activities.

Both GLBA penetration testing and vulnerability assessments, conducted by qualified professionals, can help organizations uncover potential vulnerabilities and improve their defenses against cyber threats, thereby significantly reducing the risk of a data breach.

The goal of GLBA compliance isn’t just about meeting regulatory requirements – it’s about demonstrating your organization’s commitment to protecting sensitive customer information. By showing that your institution takes this responsibility seriously, you can not only avoid hefty fines but also maintain the trust of your customers and uphold your organization’s reputation in the financial industry.

If you’re looking for a penetration testing company with several years of experience in serving the financial services industry in the US and Europe, contact our experts to understand how we can help you in your next GLBA compliance pentest.

FAQ

Does GLBA require penetration testing?

As of June 9, 2023, the Safeguards Rule requires annual penetration testing of the information systems identified by the risk assessment, unless the institution has effective continuous monitoring in place.

Does GLBA require vulnerability scanning?

Yes. Absent effective continuous monitoring, the Safeguards Rule requires vulnerability assessments, including scans, at least every six months and whenever material changes to operations or business arrangements occur.

About the author

Julio Fort


Julio has been professionally in the field of cybersecurity for over 15 years. With extensive international experience, he worked as a security consultant for London Olympics 2012, and served as a senior application security advisor at a global investment bank. Julio holds a master’s degree from Royal Holloway, University of London, in application security and fuzzing.
