Four Steps for Standing Up An Information Security Program

Wed October 05, 2022 - National Edition #2
Trnsact

Commercial equipment dealerships often do not put a lot of time and effort into information security. This is because of all of the other responsibilities they have or mistakenly believing they are too small to be a target of a data breach or of regulators seeking to conduct an audit.

However, this mindset is slowly starting to change across the industry, and for good reason. According to Insurance Business America, data breaches are costing more money than ever before.

"The global average cost of a data breach in 2022 is $4.35 million, higher by $0.11 million than last year's cost and the highest to date," per the IBM Cost of A Data Breach report.

The other major reason is the changing regulatory landscape. As of Dec. 9, 2022, most commercial equipment dealers will be expected to be compliant with new federal regulations for managing and protecting customers' financing information. Following updates to the Safeguarding Rule under the Gramm-Leach-Bliley Act (GLBA), the Federal Trade Commission (FTC) is mandating financial institutions, which includes dealers, to strengthen to meet minimum requirements to protect customers' personal and financial information.

Unlike the earlier version, the updated rule includes criteria for what financial institutions must implement as part of their information security program.

An Information Security Program Is a Must

While previously viewed as a luxury for large equipment dealers, the new regulations have made information security a necessity. Among the new requirements in the GLBA Safeguards Rule, dealers will discover a mandate to develop a documented security and safeguard program. In other words, dealers need an Information Security Program.

Specifically, the rule asks dealers to develop and establish a comprehensive written information safeguards program. More commonly referred to as an information security program, the program is expected to establish best practices across the dealership to protect and manage the customers' personal and financial information.

Steps on Path to Information Security

While specific elements of the programs, including risk assessments and reporting requirements, are outlined in our dealers' guide, Trnsact wanted to step back and provide you with an overview of some of the steps you can take when first setting up your information security program.

Step 1: Select a Trust Team Leader

This is a requirement under the revised GLBA Safeguards Rule that takes effect in December. Moreover, it is just a good idea. Managing customer's personal and financial information is increasingly important and increasingly complex.

By naming an Information Security Officer, you take a vital step for someone on your team to take ownership of those responsibilities. This person needs to have a high level of trust and authority in the organization, and understand the importance of information security. This is about more than just meeting regulatory standards. It also is about maintaining the trust of your customers while working collaboratively with lenders and vendors to ensure there is a clear understanding of how information is handled. This person also needs to commit time to staying abreast of regulatory and technological changes that can impact your dealership's management of customer information.

Step 2: Conduct a Risk Assessment

Again, this is another requirement under the revised GLBA Safeguards Rule, but it's also a good place for your new Information Security Office to start. A risk assessment gives your dealership a baseline to build your program, and it also addresses specific areas in the regulations around encryption, monitoring, authentication, disposal, etc.

Per the Tandem Blog, whether managing it on your own or working with a security consultant, there will be generally six steps you will want to take in your assessment:

Identify Data & Assets
Identify Threats
Assess Risk
Apply Controls
Create Risk Management Plans
Validate Control Sufficiency

Each of these steps has specific elements that should be explored and implemented, but on a high level if they provide a good overview of the task that lies ahead.

Step 3: Educate Your Employees

Employee training is another requirement for the GLBA Safeguards rule. The safeguards program must be shared with dealership employees, while employee training must be developed based on risk assessments and any changes in practices. Additionally, dealers must verify that employees have completed this training to satisfaction.

However, education takes the training a step further. Your team should understand the importance of the information security program, and that should go beyond just the need to meet federal regulations and avoid audits and fines. Your team should understand the risks to your customers and your business if personal and financial information is mishandled.

Step 4: Create a Security, Compliance Mindset

Education is necessary to execute an Information Security Program, but it also sets the stage for step 4. More than just training, an assessment or a designated leader, dealerships need to change how they think about customer information. Rather than just an end to a sale, customer information must be viewed as sensitive information and must be protected and cared for by the dealership.

Obviously, this is where the Information Security Office can play a key role. Through regular education and communication, rather than just one-off annual training, your team will come to understand the importance of the program and its role in it. Even those who do not have regular contact with customer information should have an appreciation and understanding of the program and be on the lookout for possible violations.

Once the Information Security Program is under way, it is the mindset that will make it effective and allow it to evolve with future risks and future changes in regulatory requirements.

Webinar: Complying with Privacy & Financial Protection Regulations for Equipment Dealers

Topic: The regulatory landscape related to the management of customers' personal and financial information is ever-changing at the federal and state levels. Heavy equipment and truck dealers must comply with mandates that could result in costly audits and hefty fines, including under new revisions to the Gramm-Leach-Bliley Act (GLBA) Privacy and Safeguards Rules and key state regulations. This webinar will explore these issues and address what dealers need to do to stay updated on regulatory and compliance issues.

When: Oct. 20, 2022, 1 p.m. ET / 10 a.m. PT

Moderator/Presenters: