To address concerns about the handling of consumer information, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to provide certain privacy protections and safeguards. Financial institutions covered by the GLBA must inform consumers of their information-sharing practices and maintain adequate checks and balances in their systems of internal control. Institutions and third-party servicers are covered by the GLBA, and per the Department of Education, GLBA compliance is also within the scope of proprietary school audits and third-party servicer compliance attestation engagements for fiscal years ending on or after December 31, 2019.
As the world we live in becomes more and more digital, it is no surprise that the Federal Trade Commission (FTC) has updated the Standards for Safeguarding Customer Information (the Safeguards Rule), an important component of the GLBA requirements. If financial institutions do not take proper precautions to protect personal information, consumers are left exposed to hackers and thieves.
Below is an overview of the recent changes to the Safeguards Rule, effective June 9, 2023.
The requirements have not changed drastically from their prior iteration. Starting June 9, institutions and third-party servicers are required to have a written information security program that includes the following nine elements, per 16 C.F.R. 314.4:
These elements expand on the information security requirements already in place and are intended to improve institutions' security posture. The Department of Education is responsible for resolving any GLBA findings when it makes its final determination of an institution's administrative capability.
Further, the Department plans to issue guidance on compliance with NIST SP 800-171, which covers the protection of Controlled Unclassified Information in nonfederal systems and will form the foundation of these cybersecurity programs. Schools should not wait for that guidance before incorporating the controls it describes: NIST SP 800-171 (Revision 2) defines 110 security requirements across 14 control families, and meeting them is no small task.
Much of this implementation hinges on Element 1, designating a qualified individual to oversee the information security program, so that appointment is of the utmost importance. Building the program will require a cybersecurity expert and could take a year or two to implement properly. Unless your institution has a large internal IT staff with the proper training, you will likely need to work with an external IT provider that has the skills and expertise to implement and maintain your cybersecurity program.
We are just over two months away from the required implementation date. If you have not started making these updates, we strongly recommend you begin gathering information now so you can make informed decisions on meeting the requirements. The Department of Education publishes cybersecurity resources for institutions, which are a good place to start your research and to follow as updates are provided.
If you’d like to talk through these changes with a Title IV audit expert, please get in touch with our team:
This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.