There is a lot of interest in the FTC's revised Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA). The revised Rule is far more specific about what dealers must have in place to comply. Its evident intent is to push businesses to implement baseline cybersecurity practices faster. For too long, businesses have been slow to accept that cybercrime is a serious threat that is becoming more widespread and more severe. Cybercrime is getting worse, and we are losing the battle. Things need to change.
There is a great deal to absorb in the revised Rule, but a good place to start is the requirement that dealers have a “qualified individual” overseeing and implementing their cybersecurity. The Rule states that “a qualified individual be responsible for overseeing and implementing your information security program.” But what does it mean to be “qualified”?
The Rule walks a fine line in defining “qualified.” Although it is more prescriptive than the previous Rule, it still leaves organizations some flexibility. It states only that “in order to effectively comply, a coordinator must have some level of information security training and knowledge.” It does not specify what training or certifications the qualified individual must hold to protect the organization effectively. It does, however, require “verification that security personnel are taking steps to maintain current knowledge on security issues.” So the Rule requires the dealership to verify that the people running its security program have relevant training and keep that knowledge current; it does not mandate a particular certification or type of information security training.
Further, the Rule makes the qualified individual responsible for implementing the program's required safeguards, multi-factor authentication among them, and for providing a written report at least annually to your dealership's board of directors or equivalent governing body (or, if it has none, to a senior officer responsible for the program). The report must cover:
- Results of the risk assessment
- Risk management and control decisions
- Results of vulnerability assessments and penetration testing
- Security events or violations and appropriate responses
- Recommendations for changes and improvements in the dealership’s information security program
Doing these things requires cybersecurity expertise.
Many businesses, dealers included, have placed responsibility for information security on whoever is the most technically proficient person in the organization. Often that person has no formal cybersecurity training. In the past this might have been adequate, but today's threats are too sophisticated for it. The landscape has changed, and businesses must evolve with it; the revised Rule aims to force that evolution in organizations subject to GLBA.
So if you do not have a “qualified individual” who meets the expectations of the revised Rule, it is time to do something about it. You can try to recruit a cybersecurity professional, but that will be difficult. The unemployment rate for cybersecurity professionals is close to zero; they are in very high demand and, as you would expect, expensive.
The Rule does, however, point to a cost-effective way to secure a “qualified individual.” First, it allows “the use of service providers to meet this [qualified individual] requirement.” It goes on to note that using a service provider for this role “can significantly reduce costs as services exist to share the expense of qualified personnel and offer information security support at significantly less than the cost of employing a single qualified employee.” The Rule attaches conditions to that option: the dealership retains responsibility for compliance with the Rule, must designate a senior member of its own personnel to direct and oversee the provider, and must require the provider to maintain an information security program that protects the dealership in accordance with the Rule. Voilà, there is a solution. Now we just need to do it.