The Federal Trade Commission (FTC) has published a Notice of Proposed Rulemaking seeking industry feedback on a number of proposed changes to the Gramm-Leach-Bliley Act (“GLBA”) Safeguards Rule, many of which are drawn from the New York Department of Financial Services’ robust cybersecurity regulations. If implemented as proposed, the information security requirements applicable to financial institutions that are subject to the FTC’s enforcement authority – including many fintech companies – would significantly expand. Notably, the proposed rule would also add “finders,” which are entities that facilitate certain transactions between third parties, to the definition of “financial institution” on the basis that these entities are “significantly engaged in activities incidental to . . . financial activities.” Comments on the proposed rule must be submitted by June 3, 2019.
Expanded Requirements
In addition to a number of definitional changes, the proposed rule would significantly expand the elements required of a financial institution’s information security program, some of which could be quite onerous, such as:
- designating a CISO;
- encrypting all customer information at rest or transmitted over external networks;
- employing software development lifecycle security controls;
- implementing multi-factor authentication for all access to customer information; and
- adopting change management procedures.
Taking its cue from the NY DFS regulations, the proposed rule would also require financial institutions to, among other things, conduct “continuous monitoring” to detect, on an ongoing basis, changes that may create vulnerabilities or, in the alternative, conduct annual penetration testing and biannual vulnerability assessments. The proposed rule would also require financial institutions under the FTC’s jurisdiction to implement an incident response plan designed to promptly respond to and recover from any security event “materially affecting the confidentiality, integrity, or availability of customer information” in its possession. Similarly, the proposed rule would mandate specific oversight of financial institutions’ information security programs by their boards of directors.
Inclusion of Finders
Beyond expanding the information security obligations applicable to financial institutions, the FTC’s proposal would also expand the scope of the definition of “financial institution” itself by including “finders.” The proposed addition would include, as an example of a financial institution:
A company acting as a finder in bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate[.]
This change would, for the first time, bring significant “incidental” financial activities within the scope of the financial institution definition. The broadly worded addition is potentially a cause for concern, as it is unclear whether the “transactions” in question must be for financial products or services or if the FTC intends to include any platform where third parties separately negotiate and consummate transactions of any kind.