Seclored: The Data Security News Blog

GLBA and Data-Centric Security for Financial Services

Category: Compliance

Data Security, Secure Collaboration, and GLBA Compliance

In an era marked by data breaches, regulatory scrutiny, and the evolving cyber threat landscape, CISOs are at the forefront of a relentless battle. Today’s CISOs face daunting challenges. They are constantly fending off increasingly sophisticated attacks, balancing scarce resources, and working with a board that often doesn’t understand the inevitability of a breach and the criticality of the CISO’s role.

In some industries, the CISO is also responsible for adhering to additional regulations. This is particularly true of CISOs of enterprises in financial services, who have to protect sensitive financial data while ensuring compliance with stringent regulations like the Gramm-Leach-Bliley Act (GLBA).

The Gramm-Leach-Bliley Act (GLBA) is one of the cornerstone regulations for financial organizations. Its primary objective is to protect consumers’ nonpublic personal information (NPI) held and processed by financial institutions. This includes regulating how financial institutions and their service providers collect, use, and share personal financial information. The act requires these institutions to give consumers privacy notices that explain their information-sharing practices and to protect the security and confidentiality of their customers’ nonpublic personal information. For readers looking for a deeper look into the requirements of GLBA, I encourage you to check out the American Bankers Association’s overview.

Compliance with GLBA is not optional; it’s a legal obligation. Failing to comply with GLBA regulations puts businesses at risk for serious legal repercussions and may damage their reputation and credibility among potential customers.

Data, Data Everywhere.

Enterprises have spent a lot of time, energy, and money protecting enterprise infrastructure – networks, applications, and devices – to control and protect the enterprise from risk. This was all fine until we woke up and realized that what we were trying to protect – the data itself – was in constant motion. And not just inside the enterprise. Every day we share our data, including our most sensitive data, outside the control of the traditional perimeter to carry out standard business functions.

Think about it this way. We’ve essentially invested boatloads of money, time, and resources in a fence, and we never intended to keep the gate closed.

Today, we all recognize that data has no perimeter. Data moves across all boundaries, enterprises, and countries. To add to the complexity, how organizations store and access data has been shifting and evolving significantly over the last decade. With more enterprises making data-driven decisions, data is being generated at a pace never seen before. This proliferation of enterprise data has increased risks of data theft, misuse, and human error.

Imagine being a CISO for a large financial firm and being asked to assess risk.

Humbling thought.

CISOs must remain vigilant in the face of evolving cyber threats and regulatory changes. By adopting data-centric security solutions like those offered by Seclore and implementing best practices, financial organizations can fortify their defenses and stay ahead in the ever-evolving landscape of data security and compliance.

So, how are CISOs responding?

In short, CISOs are placing bubble wrap around the data itself. Data security has become the center of companies’ overall cybersecurity strategy as a defense against increasingly high-profile and complex cyberattacks, data breaches, and abuse of privileged access. Their efforts are shifting toward securing the data itself rather than only the systems around it. Seclore calls this “data-centric security.” Many CISOs believe that data must be protected wherever it is, whether at rest, in motion, or in use. Anything else is a career-limiting move.

Organizations extend that posture further when data-centric security is combined with best-of-breed tooling for data discovery and classification (DLP/CASB), data encryption, and SIEM/XDR.

Satisfying GLBA Requirements with Seclore

Seclore’s solutions align with essential GLBA requirements:

  • Information Security Program: Seclore’s encryption and access controls can serve as core technical controls within an institution’s information security program.
  • Protecting Nonpublic Personal Information (NPI): Seclore applies strong encryption and access policies to NPI in transit and at rest. If protected files are stolen in a breach, they remain unreadable without the encryption keys, which is why the keys must be held and released separately from the data.
  • Data Breach Response: Seclore’s tracking and auditing capabilities aid in identifying the scope of a breach, enabling organizations to respond effectively.
  • Employee Training and Awareness: Seclore supports employee training by promoting secure data handling practices.
  • Third-Party Oversight: Seclore extends the same data protection measures to interactions with third-party service providers, so the institution retains control over who can use its data, what they can do with it, and where and when they can do so.
  • Holistic Data Protection: Seclore’s solutions protect data end-to-end, from creation through sharing and storage, so it stays secure at every stage and for any user, device, or cloud.
  • Compliance Simplified: Seclore’s tracking, auditing, and reporting features make it easier to demonstrate that GLBA requirements are being met.
  • Enhanced Access Control: CISOs can define and enforce access policies to ensure that only authorized personnel can access specific data. This reduces the risk of insider threats, privileged access abuses, and unauthorized access.
  • Secure Collaboration: Financial institutions can collaborate with external partners, customers, and remote employees without compromising sensitive information, because the protection stays with the document rather than with the channel it was sent over.
  • Data-Centric Visibility: CISOs gain comprehensive visibility into how data is used, allowing their teams to detect and respond to suspicious activities quickly.

What does Data-Centric Security look like?

Effective data security goes beyond perimeter defenses and traditional security measures. It requires a data-centric approach that focuses on securing the data itself, regardless of its location or how it’s shared. Let’s take a deeper dive into some of the concerns CISOs have that are specific to their industry.

As financial institutions operate in increasingly complex technology ecosystems, defining access at the system, device, user, or even their own perimeter becomes less and less effective. Instead, they’re attaching security policies to the data itself. Data is regularly stored in multiple repositories within the organization and across different external audiences. By deploying encryption at the file level, with access policies that follow documents wherever they travel, information is protected as it is stored and forwarded across any system.

As a highly regulated industry, financial services organizations have long needed to protect their data at rest and in transit with encryption to prevent malicious or unauthorized access. Encrypting the channel and the store does not, however, control what a recipient does with a document once it has been opened. When data is shared across email, cloud tools, cloud storage, and other systems, Seclore can apply dynamic data-in-use protections that limit what recipients can do with nonpublic data, or revoke and recall access when necessary. CISOs can then rest easier knowing that their protected digital assets remain encrypted and dynamically watermarked when shared internally and externally.

The frequency and disruptive nature of audits can be a challenge in their own right for financial institutions, especially when a specific inquiry comes in. An audit trail that explicitly shows user access, chain of custody, and data usage, ready to hand when a regulator asks, has saved CISOs countless hours. The FTC’s Safeguards Rule under GLBA expects institutions to monitor and log the activity of authorized users and to detect unauthorized access, which calls for an automated way to record where data has traveled, who has accessed it, and what actions they have performed with it. Crucially, that record needs to extend outside the organization to the third parties and customers who access sensitive digital assets.

When things go wrong, CISOs need a safety net. Within financial services, that means retaining control of data through its entire lifecycle: dynamic access controls that respond to personnel changes, geographic boundaries that data must not cross, access that expires after a set period, and the ability to grant or revoke an individual user’s access at any time. Because these decisions are enforced when a document is opened rather than only when it is shared, the approach fits the modern reality of remote work, cloud storage, and collaboration across organizational boundaries. CISOs sleep better at night knowing that even when a supply-chain partner or vendor is compromised, their data is still protected.
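The three paragraphs above describe one mechanism from three angles: a policy bound to the file itself, an audit trail of every access, and revocation or expiry that still works after the file has left the organization. The following is an added, constructed Python sketch of that mechanism; it is not Seclore’s code or file format. It assumes a policy server that keeps the per-document keys and never writes them into the file, uses an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC as a standard-library stand-in for AES-GCM (production code would use AES-GCM from a vetted library), and uses made-up users, regions, and a sample document.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone


def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as a keystream (stdlib stand-in for AES-CTR).
    blocks = b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, blocks))


class PolicyServer:
    """Holds per-document keys and logs every decision; the envelope never carries the key."""
    def __init__(self):
        self._doc_keys, self.revoked_users, self.audit = {}, set(), []

    def _log(self, doc_id, user, action, outcome):
        self.audit.append({"doc_id": doc_id, "user": user, "action": action, "outcome": outcome})

    def protect(self, doc_id, plaintext, policy, owner):
        # Distinct encryption and MAC keys per document, kept server-side only.
        enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
        self._doc_keys[doc_id] = (enc_key, mac_key)
        nonce = secrets.token_bytes(16)
        header = json.dumps({"doc_id": doc_id, "nonce": nonce.hex(), "policy": policy},
                            sort_keys=True).encode()
        body = _xor_stream(enc_key, nonce, plaintext)
        # Encrypt-then-MAC over header AND ciphertext: the policy travels in the clear
        # but is authenticated, so editing the allow-list in the file breaks the tag.
        tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
        self._log(doc_id, owner, "protect", "ok")
        return len(header).to_bytes(4, "big") + header + body + tag

    def open(self, envelope, user, region, now):
        hlen = int.from_bytes(envelope[:4], "big")
        header, body, tag = envelope[4:4 + hlen], envelope[4 + hlen:-32], envelope[-32:]
        meta = json.loads(header)
        doc_id = meta["doc_id"]
        if doc_id not in self._doc_keys:
            self._log(doc_id, user, "open", "denied: unknown document")
            raise PermissionError("unknown document")
        enc_key, mac_key = self._doc_keys[doc_id]
        # Verify integrity before trusting anything in the header, including the policy.
        if not hmac.compare_digest(hmac.new(mac_key, header + body, hashlib.sha256).digest(), tag):
            self._log(doc_id, user, "open", "denied: integrity failure")
            raise ValueError("envelope or policy tampered with")
        reason = self._deny_reason(meta["policy"], user, region, now)
        if reason:
            self._log(doc_id, user, "open", "denied: " + reason)
            raise PermissionError(reason)
        self._log(doc_id, user, "open", "ok")
        return _xor_stream(enc_key, bytes.fromhex(meta["nonce"]), body)

    def _deny_reason(self, policy, user, region, now):
        # Evaluated at every open against current state, not the state at share time.
        if user in self.revoked_users:
            return "user access revoked"
        if user not in policy["allowed_users"]:
            return "user not in policy"
        if region not in policy["allowed_regions"]:
            return "region not permitted"
        if now >= datetime.fromisoformat(policy["expires"]):
            return "access expired"
        return None


def tamper_policy(envelope, extra_user):
    """What someone holding only the file can try: add themselves to the clear-text policy."""
    hlen = int.from_bytes(envelope[:4], "big")
    meta = json.loads(envelope[4:4 + hlen])
    meta["policy"]["allowed_users"].append(extra_user)
    header = json.dumps(meta, sort_keys=True).encode()
    return len(header).to_bytes(4, "big") + header + envelope[4 + hlen:]


SAMPLE_NPI = b"Loan application 1042: account 0000-0000 (constructed sample, not real NPI)"


def demo():
    """Walk one document through sharing, misuse attempts, revocation and expiry."""
    server, t0 = PolicyServer(), datetime(2024, 1, 1, tzinfo=timezone.utc)
    policy = {"allowed_users": ["alice@bank.example", "bob@vendor.example"],
              "allowed_regions": ["US"], "expires": (t0 + timedelta(days=30)).isoformat()}
    env = server.protect("loan-app-1042", SAMPLE_NPI, policy, "alice@bank.example")
    day1, outcomes = t0 + timedelta(days=1), []

    def attempt(envelope, user, region, when):
        try:
            outcomes.append("ok" if server.open(envelope, user, region, when) == SAMPLE_NPI else "mismatch")
        except (PermissionError, ValueError) as exc:
            outcomes.append(str(exc))

    attempt(env, "bob@vendor.example", "US", day1)                 # vendor named in policy
    attempt(env, "bob@vendor.example", "DE", day1)                 # same vendor, wrong region
    attempt(env, "mallory@evil.example", "US", day1)               # file forwarded to an outsider
    attempt(tamper_policy(env, "mallory@evil.example"), "mallory@evil.example", "US", day1)
    server.revoked_users.add("bob@vendor.example")                 # vendor relationship ends
    attempt(env, "bob@vendor.example", "US", day1)                 # same file, now refused
    attempt(env, "alice@bank.example", "US", t0 + timedelta(days=31))  # past expiry
    return {"outcomes": outcomes, "audit": server.audit}
```

Two things in the walk-through are the point of the design. Revoking Bob refuses the very same bytes he already holds, because the key was never in the file and every open goes back to the server; and Mallory’s edit of the allow-list is detected rather than honoured, because the policy sits under the MAC alongside the ciphertext. Every attempt, successful or not, lands in `server.audit` with the user, the action, and the reason, which is the chain-of-custody record an auditor asks for. The caveat a practitioner should keep in mind: this gates the release of the key. Once an authorized user has the plaintext on screen, limiting printing, copying, or screenshots is a job for the viewing client, which is where dynamic watermarking and data-in-use controls come in.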

Every organization is only hours away from its own SolarWinds or MOVEit moment, an abused-privileged-access breach, or the daily medley of mishandled documents and emails, each a stark reminder of the threats facing CISOs and the organizations they serve. Effective data security therefore goes beyond perimeter defenses and traditional security measures: it secures the data itself, regardless of where it lives or how it is shared, so that the controls travel with the document through remote work, cloud storage, and collaboration across organizational boundaries.

Download our whitepaper to learn how Seclore can help your enterprise achieve GLBA compliance.


Justin Endres

Justin Endres serves as the Chief Revenue Officer and brings two decades’ experience as a channel and sales leader for enterprise and cybersecurity software companies. Prior to joining Seclore, Justin held various executive roles at prominent cybersecurity companies, including SolarWinds, AlienVault (acquired by AT&T), and Webroot (acquired by Carbonite). He's responsible for driving revenue growth, expanding the company’s global market presence, and deepening relationships with the channel.
