Last week, we discussed the rules and regulations of the Federal Deposit Insurance Corporation (FDIC) and the National Credit Union Administration (NCUA) that financial institutions must follow for their internet security program to be compliant. In this second part of the two-part series, we review the federal laws and rules that govern bank and credit union cybersecurity programs.
- Bank Secrecy Act (BSA)
- Gramm-Leach-Bliley Act (GLBA)
- The Federal Trade Commission’s Safeguards Rule
- Final Words
Under the Bank Secrecy Act (BSA), banks and credit unions work with the federal government by monitoring suspicious activity that might be tied to money laundering, terrorist financing, or other criminal activity. When filing a Suspicious Activity Report (SAR) that involves a cybersecurity breach, the bank or credit union should follow Financial Crimes Enforcement Network (FinCEN) guidelines, which call for recording, among other details, IP addresses, URLs, and email addresses; file names and email content; system modifications; and affected account information.
Data privacy is the cornerstone of the Gramm-Leach-Bliley Act (GLBA). Financial institutions must safeguard customer records and information so they do not fall into the hands of cyberthieves. Banks and credit unions must proactively secure their websites and networks against unauthorized access. Firewalls, daily malware scanning, third-party assessments, and hosting your website on a secure server help mitigate cyberattacks and maintain internet security.
Don’t confuse the Federal Trade Commission’s Safeguards Rule with the Privacy of Consumer Financial Information Rule (Privacy Rule). The Privacy Rule requires financial institutions to notify customers how they collect, disclose, and protect their nonpublic personal information. Although the Privacy Rule is an important component of an internet security program, the Safeguards Rule obliges banks and credit unions to develop a written information security plan.
The plan might include limiting access to the website and network, encrypting sensitive information, monitoring your network for abnormal activity, and installing a TLS (SSL) certificate so your website is served over HTTPS. Your bank security plan should also outline procedures for responding to a cyberattack.
Having a solid internet security plan is vital for banks and credit unions. Not only is safeguarding data privacy the law for financial institutions, but it’s also good business practice. When you host your bank website with BankSITE® Services, you can be confident that it will be compliant and meet federal regulations.