On February 28, 2020, the Department of Education issued a memo titled “Enforcement of Cybersecurity Requirements under the Gramm-Leach-Bliley Act.” The purpose of this memo was to remind institutions of higher education that protecting information is a shared obligation among the Department of Education, institutions, third-party servicers and other partners in the financial aid system. As a result, the expectation is that all partners must maintain strong security policies and effective internal controls to prevent unauthorized access or disclosure of sensitive information. Under the terms of the Program Participation Agreement that institutions signed with the Department of Education, they agreed to comply with GLBA.
Cyber incidents can be devastating to your educational institution. Here’s what you need to know to weather the storm.
The Role of Higher Education Institutions in Cybersecurity Efforts
One of the conditions of accessing the Department of Education’s systems is that each institution and servicer is required to sign the Student Aid Internet Gateway (SAIG) Enrollment Agreement. Under the SAIG Enrollment Agreement, an institution is required to ensure that all federal student aid applicant information is protected from access or disclosure by unauthorized personnel. Institutions and third-party servicers are also required to demonstrate administrative capability under 34 CFR § 668.16. This includes the maintenance of GEN-15-18 and GEN-16-12, the Department of Education reminded institutions of the requirements of GLBA and of its intention to begin enforcing the legal requirements of GLBA through the annual compliance audits. In the Dear CPA Letter CPA 19-01, the Department of Education explained the procedures auditors use to determine whether an institution is in compliance with GLBA. The letter also explained the Department of Education’s procedures for enforcing those requirements and the potential consequences for institutions or servicers that fail to comply.
The Impact of Auditors on Cybersecurity
Auditors are required to evaluate the following three safeguard requirements of GLBA in audits of postsecondary institutions or third-party servicers under the regulations in 16 CFR Part 314:
1. The institution must designate an individual to coordinate its information security program.
2. The institution must perform a risk assessment that addresses the three required areas described in 16 CFR 314.4(b):
   - Employee training and management
   - Information systems, including network and software design, as well as information processing, storage, transmission and disposal
   - Detecting, preventing and responding to attacks, intrusions, or other system failures
3. The institution must document a safeguard for each risk identified in Step 2 above.
If the auditor determines that an institution or servicer has failed to comply with any of the above GLBA requirements, the finding will be included in the institution’s audit report. For any audit reports that include a GLBA audit finding, the audit will be referred to the Federal Trade Commission (FTC). The FTC will determine what action may be needed as a result of the GLBA finding.
Any GLBA audit findings will also be forwarded to Federal Student Aid’s Postsecondary Institution Cybersecurity Team (Cybersecurity Team), which may request additional documentation from the institution in order to assess the level of risk to student data presented by the institution’s or servicer’s information security system.
If the Cybersecurity Team determines that the institution or the servicer poses a substantial risk to the security of student information, the Cybersecurity Team may temporarily or permanently disable the institution’s or servicer’s access to the Department of Education’s information systems.
If the Cybersecurity Team determines that, as a result of very serious internal control weaknesses in the general controls over technology, the institution’s or servicer’s administrative capability is impaired, or that it has a history of non-compliance, it may refer the institution to the Department’s Administrative Actions and Appeals Service Group for consideration of a fine or other appropriate administrative action by the Department of Education.
Prioritizing Cybersecurity in Your Higher Education Institution
Higher education institutions are a storehouse of private data. Substantial guidance is in place to help higher education organizations remain compliant and protect the data of their students and faculty. Make sure you’re taking the necessary steps in your higher education organization, or be prepared for swift action.
Have questions about your cybersecurity needs?