The GLBA amendment was issued as a Final Rule by the Federal Trade Commission (FTC) on December 9th, 2021. It has an “effective date” of January 10, 2022. However, the new provisions in part 314.5 will not be applicable until December 9th, 2022, 12 months after the final rule was issued.
In essence, the rule puts a lot of “meat on the bones” of the original Safeguards Rule. It lays out much more specific security practices that covered organizations must follow. These include specific technical security controls such as access control requirements, mandatory multi-factor authentication (MFA), encryption of data at rest and in transit, etc. The rule also mandates formal risk assessments, annual penetration tests, and semi-annual vulnerability assessments. It requires specific policies and practices for incident response, data retention, secure software development, change management, vendor risk management, and security awareness training. Overall, the new rule brings the GLBA in line with much more stringent security frameworks such as PCI DSS and even NIST standards such as SP 800-171.
Read the full whitepaper here: 2022 GLBA Amendments