Colleges and universities that administer student financial aid associated with Title IV programs have had to comply with the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA) since May 2003. That regulation was updated Dec. 9, 2021, with some new requirements that went into effect on June 9, 2023.
The updates provide additional details and enhancements to the data security requirements to reflect the cyber threats, risks, and challenges in helping to secure student financial aid data.
Security control requirements
The original six security control requirements of the Safeguards Rule have been expanded to nine. Some of the original six have been reworded to provide further clarity. These requirements, essential to a formalized and written information security program, are to:
- Designate a qualified individual to implement and supervise your company’s information security program
- Conduct a risk assessment
- Design and implement safeguards to control the risks identified through your risk assessment
- Regularly monitor and test the effectiveness of your safeguards
- Train your staff
- Monitor your service providers
- Keep your information security program current
- Create a written incident response plan
- Require your qualified individual to report to your board of directors
Colleges and universities should have a documented information security program in place that incorporates these requirements as of June 9, 2023.
The Safeguards Rule is scalable to your institution. Not every institution has the same risk profile, size and complexity of IT, and resources to work toward compliance. The GLBA takes this into account and gives some leeway to smaller institutions with fewer than 5,000 students. For those smaller institutions with fewer than 5,000 students, only the first seven requirements apply.