IT Security Blog | Rivial Security

GLBA Risk Assessment Requirements for 2020

Written by Randy Lindberg | 11 Apr 2018

Here are the key takeaways from this blog:

  • GLBA Safeguards Rule Compliance: The GLBA Safeguards Rule requires financial institutions to maintain a robust information security program to protect customer data, emphasizing confidentiality, integrity, and protection against unauthorized access

  • Importance of the Availability Rating: Removing the availability rating from IT risk assessments undermines the full scope of information security. A comprehensive assessment includes confidentiality, integrity, and availability, as outlined by the FFIEC

  • Unified Risk Assessment Process: GLBA and IT risk assessments should not be separate processes. Combining them helps eliminate redundant efforts and creates a unified roadmap

  • Value of Quantifying Risk: A quantified risk assessment translates potential threats into financial terms, providing clearer prioritization, improving decision-making, and helping financial institutions justify cybersecurity investments. This is the approach Rivial's platform is built around.


Examiner Approved Cyber Risk Model

Check out the Cyber Risk Management Model that examiners reference

A while back, I received a call from one of our partners (known to the outside world as clients) about a recent audit of their GLBA Risk Assessment. Their audit firm recommended that they remove the Availability rating of each information system. The auditor also recommended performing a separate GLBA risk assessment, in addition to the IT Risk Assessment that Rivial had already performed for them.

What Is the GLBA Safeguards Rule?

Before diving into the risk assessment challenges, it's important to understand the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. The FTC's version of the rule (16 CFR Part 314) covers financial institutions outside the banking regulators' jurisdiction; banks and credit unions are held to the equivalent Interagency Guidelines Establishing Information Security Standards issued by their own federal regulators (for credit unions, NCUA Part 748, Appendix A). Either way, the institution must develop, implement, and maintain a written information security program to protect customer information, built around the three objectives in GLBA Section 501(b):

  • Ensure the security and confidentiality of customer records and information
  • Protect against any anticipated threats or hazards to the security or integrity of those records
  • Protect against unauthorized access to or use of those records that could result in substantial harm or inconvenience to any customer

A core component of compliance is conducting thorough risk assessments—which brings us back to the issue our partner faced.

 

The Availability Rating in IT Risk Assessment

Suggesting that availability ratings be removed reflects a myopic view of information security risk assessment and makes proper risk assessment harder, not easier. A core system that is down is a loss to the institution and its members whether or not any data is exposed, and dropping availability means outage scenarios never get rated at all. I won't dig into the topic in great detail in this post, because the FFIEC makes my argument for me in its IT Examination Handbook, stating

“Information security risk assessment is the process used to identify and understand risks to the confidentiality, integrity, and availability of information and information systems.”

 

Separate GLBA Risk Assessment?

After exploring the issue with our partner (aka client), we determined the recommendation rested on a misconception shaped by what the auditor was used to seeing. They were accustomed to "IT risk assessments" (I use the term in name only) that list technologies and their associated controls, with some arbitrary measure of "risk" attached, and that never connect those technologies to the customer information they hold or the threats against it.

The problem with this is twofold:

  1. Financial institutions are paying for Information Security Risk Assessments and only getting half the package, much like ordering a Happy Meal and not getting the cheeseburger. If all of your prior Happy Meals came without a cheeseburger, you don’t expect to see one. Rivial’s data risk assessments have the cheeseburger—or perhaps some kind of healthy, great-tasting sandwich.
  2. Because so many companies do risk assessments improperly, financial institutions duplicate efforts to meet regulatory requirements. This leads to disjointed Information Security (or GLBA) risk assessments being conducted separately from IT risk assessments.

If you inspect any major model (NIST SP 800-30, ISO/IEC 27005, etc.), you'll see that a risk assessment examines information assets, the systems that hold them, threat sources and events, vulnerabilities, existing controls, and the resulting likelihood and impact as one unified process. That single process gets called many names: cybersecurity risk assessment, IT risk assessment, information security risk assessment, GLBA risk assessment. Running a "GLBA" assessment and an "IT" assessment separately just produces two partial documents where one complete one would do.

Why Quantifying Risk Matters

As an IT leader, it's critical to understand not just what risks exist but how significant they truly are. A quantified risk assessment provides that clarity by translating risks—such as data breaches, fraud, or system outages—into financial terms. This helps bridge the gap between technical threats and business impact, making it easier to prioritize the issues that matter most. Instead of reacting to every possible threat, we can focus on those that pose the greatest risk to our members, operations, and reputation.


This approach is especially valuable in resource-constrained organizations, as it offers a clearer cost-benefit view, helping evaluate whether the investment in a new control or technology is justified by the reduction in potential loss. It also improves communication with executives and board members, positioning cybersecurity as a strategic asset—not just an operational expense.

 

Rivial's Cyber Risk Quantification Methodology

Of course, the value of a quantified risk assessment depends heavily on the methodology behind it. Rivial's platform uses Monte Carlo simulation together with real-world breach data to produce accurate, financially grounded risk measurements, and because an assessment typically takes 15 to 30 minutes per system, quantified risk is available at the click of a button.

In a highly regulated and trust-driven industry, that level of rigor stands up to auditors and builds executive confidence. 
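To make the cost-benefit view from the previous section concrete, here is an added Python example of the generic FAIR-style calculation that sits behind Monte Carlo risk quantification. It is not Rivial's model or code (this page does not describe their methodology beyond the mention of Monte Carlo simulation and breach data), and the scenario, its event frequency, its loss range, and the control cost are constructed numbers chosen for illustration. Each simulated year draws how many times the event occurs (Poisson) and a dollar loss for each occurrence (lognormal fitted to the 5th/95th-percentile range an analyst would estimate); the same scenario is then rerun with the assumed effect of a control so the avoided expected loss can be set against the control's annual cost.

```python
"""
Generic FAIR-style cyber risk quantification by Monte Carlo simulation.
Added illustration, not Rivial's model; all scenario numbers are constructed.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean, median


@dataclass
class Scenario:
    """A loss scenario expressed the way an analyst or SME estimates it:
    how often it occurs per year, and a 90% confidence range for the
    dollar loss of a single event (5th and 95th percentiles)."""
    name: str
    events_per_year: float
    loss_low: float
    loss_high: float


def _poisson(lam, rng):
    """Number of events in one year (Knuth's method; fine for small rates)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def _lognormal_params(low, high):
    """Fit a lognormal whose 90% interval is [low, high] (z = 1.645)."""
    mu = (math.log(low) + math.log(high)) / 2.0
    sigma = (math.log(high) - math.log(low)) / (2.0 * 1.645)
    return mu, sigma


def simulate_annual_losses(scenario, years=20000, seed=1):
    """Return one simulated total loss per year for `years` years."""
    rng = random.Random(seed)
    mu, sigma = _lognormal_params(scenario.loss_low, scenario.loss_high)
    annual = []
    for _ in range(years):
        n = _poisson(scenario.events_per_year, rng)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return annual


def summarize(annual_losses):
    """ALE (mean), the typical year (median) and tail years (95th/99th pct)."""
    ordered = sorted(annual_losses)
    n = len(ordered)
    return {
        "ale": mean(ordered),
        "median": median(ordered),
        "p95": ordered[int(0.95 * n)],
        "p99": ordered[int(0.99 * n)],
    }


def control_net_benefit(before, after, annual_control_cost, years=20000, seed=1):
    """Expected annual loss avoided by a control minus what the control costs.
    Positive means the control pays for itself on expected loss alone."""
    ale_before = mean(simulate_annual_losses(before, years, seed))
    ale_after = mean(simulate_annual_losses(after, years, seed))
    return ale_before - ale_after - annual_control_cost


# Constructed scenario (hypothetical numbers, not from any real assessment):
# member account takeover through credential phishing, with and without the
# assumed effect of enforcing MFA on online banking logins.
ATO_NO_MFA = Scenario("Account takeover, no MFA", 0.2, 50_000, 500_000)
ATO_WITH_MFA = Scenario("Account takeover, MFA enforced", 0.1, 50_000, 500_000)
MFA_ANNUAL_COST = 12_000  # assumed yearly cost of the control


if __name__ == "__main__":
    for s in (ATO_NO_MFA, ATO_WITH_MFA):
        stats = summarize(simulate_annual_losses(s))
        print(f"{s.name}: ALE ${stats['ale']:,.0f}, median year "
              f"${stats['median']:,.0f}, 95th pct ${stats['p95']:,.0f}, "
              f"99th pct ${stats['p99']:,.0f}")
    net = control_net_benefit(ATO_NO_MFA, ATO_WITH_MFA, MFA_ANNUAL_COST)
    print(f"MFA net expected benefit: ${net:,.0f} per year")
```

Two things are worth noticing when you run it. The median year loses nothing, because the event is rare, so the ALE is a long-run average rather than a budget line for any particular year, and the 95th and 99th percentile figures are what the board actually needs when it asks how bad a single year can get. The net-benefit figure is positive for these constructed inputs; change the control cost or the assumed reduction in frequency and the sign can flip, which is exactly the conversation a quantified assessment is meant to make possible.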

Check out our Cyber risk white paper to learn more, or schedule a demo to get your questions answered quickly.