Education Department Highlights Enforcement of GLBA Cybersecurity Requirements and Potential Penalties

The United States Education Department (ED) has released another memo related to the Student Financial Assistance program, specifically focused on postsecondary and third-party service organizations’ requirements to comply with the Gramm-Leach-Bliley Act (GLBA) and the potential consequences of noncompliance.

Key Takeaways

The memo notes that:

  • Noncompliance with GLBA could result in a breach of the Program Participation Agreement (PPA) and a finding in the audit report.
  • The Federal Student Aid (FSA) Postsecondary Institution Cybersecurity Team will be informed of any findings and may request additional information to assess the level of risk.
  • If it is determined that substantial risk to the security of the information exists, the Cybersecurity Team may disable access to the ED’s information systems or recommend a fine or other administrative action.

GLBA Considerations

Institutions participating in the FSA program have agreed to comply with GLBA as part of the Program Participation Agreement with the ED. The goal is to ensure the confidentiality, security, and integrity of student and parent information gathered as a result of FSA programs.

While GLBA is not new guidance, these postsecondary institutions’ compliance with GLBA is increasingly being scrutinized by auditors as part of the Uniform Guidance audits.

Under the 2019 compliance supplement effective for fiscal year ends June 30, 2019 through May 31, 2020, auditors are required to evaluate the following three components of GLBA:

  • Has the institution designated an individual to coordinate its information security program?
  • Has the institution performed a risk assessment that evaluates the risks to student and parent information? The risk assessment should address, at a minimum, risks related to these areas:
    • Employee training and management
    • Information systems, including network and software design, as well as information processing, storage, transmission, and disposal
    • Detecting, preventing, and responding to attacks, intrusions, or other system failures
  • Are risks and their mitigating safeguards documented?

While only a few components of GLBA are included in audit testing under the 2019 compliance supplement effective for fiscal year ends June 30, 2019 through May 31, 2020, institutions have attested to full compliance with GLBA as part of their PPA. Therefore, it’s imperative to ensure your institution is in compliance or, at a minimum, actively working toward compliance with a documented timeline and plan.

It’s also important to note that even if the GLBA requirements don’t apply to your institution, they can help reduce your cybersecurity risk.

CapinTech, a CapinCrouse company, has been helping organizations comply with GLBA for over 20 years. Please contact us at [email protected] to discuss how we can assist your institution or to request a sample risk assessment plan template.


Additional Resources:

The Gramm-Leach-Bliley Act: What Higher Education Institutions Need to Do Now

5 Steps to Strengthen Your Institution’s Cybersecurity Defenses

CapinTech Cyber Fitness Self-Test

How to Develop an Effective IT Audit Program

Cybersecurity Training: Who, What, When, Where, and Why


Authors: Allison Davis Ward, Partner, CapinTech and Lisa Saul, Partner and Uniform Guidance Director, CapinCrouse