
Higher education and healthcare industry update webcast, part I

August 17, 2023

Administrative

CPE regulations
KPMG is approved by NASBA to deliver CPE-worthy training. In order to receive CPE credit:
• attend for entire session
• participate in interactivity checks
Interactivity checks will appear in your media player and may or may not be verbally addressed by presenters. Participation is tracked, and failure to actively participate will result in denial of CPE credits.

Technical issues
• If you have any technical issues, please submit a question through the Questions & Answers panel and our producers will respond to you directly.

Content questions
• Submit all content questions through the Questions & Answers panel.

© 2023 KPMG LLP, a Delaware limited liability partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved. NDP489810-1A

Agenda (times in EDT)
1:00 PM  Welcome and opening
1:05 PM  Higher education industry update
1:45 PM  Single audit update
2:30 PM  SOC reports and cybersecurity update
3:00 PM  Closing

With you today
Rosemary Meyer, Partner, Deputy National Industry Leader, Higher Education
David Gagnon, Partner, National Industry Leader, Higher Education
Gina Devine, Senior Manager, Audit
Jennifer Hall, Partner, Audit
Alison Upton, Managing Director, Audit
Adrianne Henderson, Managing Director, Technology Assurance Industry Leader, Higher Education

Higher education industry update
David Gagnon, Partner, National Industry Leader, Higher Education, KPMG LLP
Gina Devine, Senior Manager, KPMG LLP

Topics
01 National industry developments
02 Higher education audit committee and internal audit focus areas in 2023
03 The state of cybersecurity in higher education
04 Higher education fundraising in 2022 and risks in the current environment
05 2022 NACUBO-TIAA Study of Endowments
06 Cryptocurrency in higher education
07 Changes in accounting for credit losses

© 2023 KPMG LLP, a Delaware limited liability partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved. NDP421957-1A

01 National industry developments

National industry developments
• Industry developments
• Higher Education Price Index (HEPI)
• Department of Education (ED) activity

Industry developments
• 2023 – what a year so far
• Financial results in 2023 and outlook:
• Operating results (including federal COVID funding)
• Endowment returns and fundraising
• Tuition pricing
• Industry costs
• Inflation and workforce disruption
• Economy
• Washington, DC: new Congress, federal funding
• Debt forgiveness

HEPI – 2022 Update
The Commonfund Higher Education Price Index (HEPI) – 2022 Update was issued in late 2022. The HEPI is an inflation index designed specifically for use by colleges and universities.
• HEPI increase for FY2022 of 5.2%
• Relationship to Consumer Price Index (CPI)
• Categories of costs covered
• HEPI data by region and institution type

Department of Education (ED) activity
• Financial Responsibility Standards / eZ-Audit
• Federal notice for proposed rulemaking (CFR) in June:
  - Comment period, possible issuance and effective dates
  - Potential changes:
    - FRS – triggering events
    - Additional disclosures on recruiting, advertising and other pre-enrollment expenditures; gainful employment, foreign-owned institutions
    - Related-party disclosures (tightened language in proposed rule):
      - GAAP vs. ED regulations
• Other activities

02 Higher education audit committee and internal audit focus areas in 2023

Higher education audit committee focus areas in 2023
Beyond its core responsibilities regarding oversight of financial reporting and internal controls, the audit committee is dealing with long-standing and emerging industry risks, as well as risks specific to the institution. We've highlighted several potential areas of focus in 2023.
• Workforce disruption: leadership and talent
• Cybersecurity and data governance risks
• Environmental, social, and governance (ESG) risks and reporting
• IRS focus areas and changes
• Research compliance and conflict management
• Integrity and consistency of nonfinancial data
• Institution's posture and policies regarding cryptocurrency
• Name, Image, Likeness (NIL): evolving regulations and practices
• Institution's focus on ethics, compliance, and culture
• Scope and risks of affiliations and international activities
• Internal audit: optimizing risk and advisory focus areas
• Evaluation of committee agenda, workload, and capabilities

Higher education internal audit focus areas in 2023
College and university internal audit (IA) functions can challenge the status quo to reduce risk, improve controls, and identify efficiencies and cost benefits across the institution. We've highlighted several risks and other focus areas to help maximize IA's value to the institution in 2023.
• Cybersecurity and data governance
• Privacy and security regulatory compliance
• Adequacy of cloud data protections
• Impact of changes to workforce modes
• Digitization of risk assessment and testing
• Integrity and consistency of nonfinancial data
• KPIs to measure training and other initiatives
• Compliance with gift policies
• Endowment and treasury protocols
• Research compliance and conflict management
• Capital project management
• Name, Image, Likeness (NIL) compliance
• Ways to add value to the institution

03 The state of cybersecurity in higher education

The state of cybersecurity in higher education
• Frequency of cyberattacks
• Data recovery
• Other impacts and costs of cyberattacks
• Third-party providers
• Cyber insurance

04 Higher education fundraising in fiscal 2022 and risks in the current environment

Higher education sector fundraising in fiscal 2022
In February 2023, the Council for Advancement and Support of Education (CASE) published its annual Voluntary Support of Education (United States) survey. The survey gathered responses from 826 U.S. institutions.

Estimated voluntary support of higher education by source¹ (Dollars in millions)

Donor type                2022 amount   % of 2022 total   % increase 2021 to 2022
Organizations²                $36,500             61.3%                     14.6%
Alumni                         13,500             22.7                      10.2
Non-alumni individuals          9,500             16.0                       8.0
Total                         $59,500            100.0%                     12.5%

Purpose of contributions
Current operations            $34,250             57.6%                      6.0%
Capital purposes               25,250             42.4                      22.6

¹ Source: CASE Voluntary Support of Education (United States), 2022 survey.
² Category includes foundations, donor-advised funds (DAFs), corporations, and other organizations.

Fundraising risks in the current environment
• Fundraising by U.S. higher education entities was $59.5 billion in 2022
• Increasingly complex, high-profile agreements
• The National Council of Nonprofits and the Council for Advancement and Support of Education (CASE) vs. GASB reporting

Gift acceptance policies: The starting point for sound fundraising practices
Risks around gift and donor administration: Criticality of administrative processes and controls
Other common challenges and risks: From donor administration to conflict management…

05 2022 NACUBO-TIAA Study of Endowments

2022 NACUBO-TIAA Study of Endowments
• Respondent data
• Returns
• Spending
• Fundraising
• ESG considerations

06 Cryptocurrency in higher education

What is cryptocurrency?
Cryptocurrency is a digital asset (i.e., property) designed to work as a medium of exchange. Blockchain is a digital ledger that keeps record of transactions in code.

Common cryptocurrencies: Bitcoin, Ethereum, Ripple, Litecoin, Stellar, IOTA, Dash … and thousands more. Anyone can create their own form of cryptocurrency with a modified blockchain code.

Risks and challenges
• Risk of loss
• Reputational risks
• Other challenges

Questions to ask
• Have we engaged an outside advisor?
• What approvals should occur?
• How are we staying current?
• What information will be required for identification?
• How do we assess risk of loss?
• Will we make crypto investments directly or indirectly?
• How will crypto payments or investments be administered?
• Are internal controls appropriate?

07 Changes in accounting for credit losses

Changes in accounting for credit losses

Overview
The Financial Accounting Standards Board's (FASB's) Accounting Standards Update (ASU) 2016-13, Financial Instruments – Credit Losses (Topic 326): Measurement of Credit Losses on Financial Instruments, as amended, is effective for private entities – including higher education institutions and other not-for-profits (NFPs) applying FASB guidance – for fiscal years beginning after December 15, 2022. The ASU requires credit losses to be recognized on most financial assets carried at amortized cost (such as accounts and loans receivable from students) and certain other instruments. The allowance is deducted from the amortized cost basis of a financial asset so that the balance sheet reflects the net amount an entity expects to collect. Under CECL, credit losses are estimated over the entire contractual term of the instrument (adjusted for prepayment) from the date of initial recognition. Importantly, whereas current standards require recognition of those losses when it is "probable" a loss has been incurred, CECL requires recognition when losses are expected.

Accounting consideration: When to recognize credit losses
  Existing guidance (incurred loss model): When it is probable a loss has been incurred (generally subsequent to initial recognition of the asset).
  ASU 2016-13 (CECL model): Lifetime losses - No recognition threshold. When losses are expected (in nearly all cases, this is upon initial recognition of the asset).
  Example of CECL application: Expected credit losses are established for student accounts receivable, even those that are current (i.e., not past due), as of the entity's reporting date.

Accounting consideration: Period of time considered
  Existing guidance (incurred loss model): Not an explicit input to the incurred loss model.
  ASU 2016-13 (CECL model): Contractual term, adjusted for prepayment.
  Example of CECL application: Expected credit losses for a programmatic loan with a contractual term of 10 years are estimated over the contractual term (adjusted for prepayments).

Accounting consideration: Information considered
  Existing guidance (incurred loss model): Historical losses and economic conditions.
  ASU 2016-13 (CECL model): Historical losses, current economic conditions, reasonable and supportable forecasts about future conditions (with reversion to historical loss information for future periods beyond those that can be reasonably forecast).
  Example of CECL application: While losses are currently consistent with historical trends at the reporting date, management increases expected loss rates for all aging categories in the allowance for student loan receivables due to forecasting at that date of deteriorating economic conditions and higher unemployment over the contractual term.

Accounting consideration: Unit of account for assessment
  Existing guidance (incurred loss model): Pooling of individual assets generally not required, but permitted.
  ASU 2016-13 (CECL model): Pooling required when assets share similar risk characteristics.
  Example of CECL application: A college pools its student accounts receivable to estimate the related allowance for doubtful accounts.

Changes in accounting for credit losses (continued)

Other key points
• CECL requires determining expected losses from day one and generally requires an allowance (even if the risk of loss is remote).
• An entity's process for determining expected credit losses cannot consider only historical information.
• An entity is not required to consider all sources of available information when estimating expected losses. However, it should consider relevant information that is reasonably available and which can be obtained without undue cost and effort. In addition, it should not ignore available information relevant to the estimated collectability of the reported amount.
• Adoption of the standard by NFPs is required for fiscal years beginning after December 15, 2022 and is generally on a modified retrospective basis. Colleges, universities, and other NFPs must apply the ASU through a cumulative-effect adjustment to net assets at the beginning of the first reporting period to which the guidance is effective.

Financial assets in scope
• Financial assets measured at amortized cost, including loans and notes receivable (including to officers, employees, or other related parties that are not under common control)
• Loan commitments, standby letters of credit, financial guarantees (not insurance contracts), and other similar instruments (except for instruments within the scope of Topic 815)
• Reinsurance receivables within the scope of Topic 944
• Net investments in leases recognized by a lessor
• Receivables that result from revenue transactions
• Loans made by a NFP to meet its mission (i.e., programmatic loans)

Out of scope
• Contributions receivable (including receivables for federal and other grants and contracts accounted for as conditional contributions under Topic 958)
• Loans and receivables between entities under common control
• Operating lease receivables (assessed for impairment under Topic 842)
• Equity instruments
• Financial instruments measured at fair value through net income (changes in net assets)
• Policy loans receivable of an insurance entity
• Loans made to participants by defined contribution employee benefit plans

Single audit update
Jennifer Hall, Partner, Audit, KPMG LLP
Alison Upton, Managing Director, Audit, KPMG LLP

01 2023 Compliance Supplement highlights

2023 Compliance Supplement
• Part 3 – Cash Management
• Part 3 – Build America, Buy America Act (BABAA) provisions added to Procurement
• Part 4 – Several new programs added and other changes made to existing programs
  - ALN 97.036 Disaster Grants (FEMA) added clarification as to when award is made
  - Performance reporting updates
  - Changes to introduce IIJA provisions
• Part 5 – Eliminated Highway Planning and Construction Cluster
• Part 5 – Several changes to SFA Cluster
• Part 8 – Several changes to designation of higher risk programs

2023 Compliance Supplement – Part 3 – Cash Management
Changes made to clarify auditor responsibility when testing federal awards funded on a reimbursement basis

2023 Supplement
• Audit objective and procedure revised to require auditor to determine whether expenditure was "incurred" prior to reimbursement

2023 Compliance Supplement – Part 3 – Procurement changes – Build America Buy America Act
• BABAA established domestic procurement preference for federal financial assistance obligated for infrastructure projects after May 14, 2022
• Non-federal entities should be informed if they are required to comply with BABAA by federal agencies through award terms and conditions
  - In some cases, waivers may have been provided
  - Auditors are responsible for verifying whether waivers are in place

2023 Compliance Supplement – SFA Cluster
SFA Cluster New and/or Expanded Special Tests and Provisions
03 Using a Servicer or Financial Institution to Deliver Title IV Credit Balances to a Card or Other Access Device
08 Incentive Compensation
09 Satisfactory Academic Progress
10 Additional Locations
11 Program Eligibility

2023 Compliance Supplement – SFA Cluster
SFA Cluster Special Tests and Provisions
05 Enrollment Reporting
  - Electronic Announcement (General 23-24) for fiscal years ending after February 28, 2023
  - Not required to be tested from July 19, 2022 thru February 28, 2023 (period of NSLDS system issues)
12 Gramm-Leach-Bliley Act – Student Information Security
  - Limited suggested audit procedures to determining whether:
    - Designated qualified individual
    - Written information security program that addresses six required elements exists

2023 Compliance Supplement higher risk programs
Part 8 Appendix IV:

Agency           Assistance Listing Number   Title
Education        84.425                      Education Stabilization Fund
HHS              93.498                      Provider Relief Fund
HHS              93.778/93.777/93.775        Medicaid Cluster
Treasury         21.023                      Emergency Rental Assistance
Treasury         21.026                      Homeowner Assistance Fund
Treasury         21.027                      Coronavirus State and Local Fiscal Recovery Funds
Treasury         21.029                      Capital Projects Fund
Interior         15.252                      Bipartisan Infrastructure Law (BIL) Abandoned Mine Land (AML) Grants
Social Security  96.001/96.006               Disability Insurance/Supplemental Security Income

02 Recent changes to the Gramm-Leach-Bliley Act Safeguards Rule

Recent changes to the Gramm-Leach-Bliley Act (GLBA) safeguards rule
The GLBA regulates the collection, disclosure and protection of consumers' nonpublic information. Higher education institutions are subject to the Safeguards Rule in 16 CFR Part 314, under which the GLBA applies to program participation agreements with the U.S. Department of Education for federal student aid. Accordingly, institutions must have an information security program and policies for handling and protecting data covered by the law. Several key changes to the Safeguards Rule are due to become effective June 9, 2023 (deferred from their original effective date of December 9, 2022) and are discussed below.

Key changes include:
• Qualified Individual (16 CFR 314.4(a)): Requires a single "Qualified Individual" be designated to oversee, implement, and enforce the institution's information security program (ISP). This individual would typically be the chief information security officer. However, it may be an affiliate or service provider if the institution retains compliance responsibility, designates a senior officer to oversee the Qualified Individual, and ensures the Qualified Individual's ISP adequately protects the institution.
• Risk assessment (16 CFR 314.4(b)(1)): Reinforces the criticality of risk assessment, which is required to be written, in designing an ISP through expanded descriptions, including the requirement to periodically perform additional risk assessments to re-evaluate reasonably foreseeable internal and external security risks.

Recent changes to the Gramm-Leach-Bliley Act (GLBA) safeguards rule (continued)

Key changes include (continued):
• Security controls identified in the risk assessment (16 CFR 314.4(c)(1)-(8)): In addition to addressing elements of adequate risk assessments, safeguards specified in the CFR include:
  - Logical and physical access controls limiting access to authorized users and to the scope of those users' authorizations.
  - Encryption of customer information, both in transit and at rest.
  - Secure development practices for internally developed applications and security assessments for externally sourced applications.
  - Multi-factor authentication for individuals accessing systems.
  - Secure disposal of customer information no more than two years after the information was last used to provide a product or service.
  - Implementation and review of a data retention policy.
  - Change management procedures.
  - Measures to monitor and log activity of authorized users and detect unauthorized access to, use of, or tampering with customer information.
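Two of the 16 CFR 314.4(c) safeguards listed above can be expressed as routine checks an institution's security team runs against its own data: reviewing access logs for activity outside each user's authorized scope (the access-control and monitoring safeguards), and sweeping for customer-information records not used in more than two years (the disposal safeguard). The script below is an added illustration written for this page; it is not KPMG's material and not an official implementation of the rule. The log format, the authorization matrix, the user names, record ids and dates are all constructed sample data, and the two-year horizon is taken directly from the safeguard text.

```python
"""
Added illustration (not from the KPMG deck): two of the 16 CFR 314.4(c)
safeguards expressed as checks over constructed data.

  1. Access-scope monitoring: review an access log for activity that falls
     outside each user's authorized scope (access controls; monitoring and
     detection of unauthorized access or tampering).
  2. Retention sweep: list customer-information records not used in more
     than two years, the disposal horizon named in the safeguard.

All user names, data categories, record ids, dates and log lines below are
constructed sample data.
"""
from datetime import date, datetime, timedelta

# Constructed authorization matrix: user -> (allowed data categories, may_write).
# In a real ISP this would be fed from the identity / role system.
AUTHORIZATIONS = {
    "fin_aid_clerk": ({"financial_aid"}, True),
    "registrar":     ({"enrollment"}, True),
    "auditor_ro":    ({"financial_aid", "enrollment"}, False),
}

# Constructed access log: timestamp  user  action  data-category  record-id
SAMPLE_LOG = """\
2023-06-12T09:14:03 fin_aid_clerk READ  financial_aid REC-1001
2023-06-12T09:15:41 fin_aid_clerk WRITE enrollment    REC-2044
2023-06-12T10:02:19 auditor_ro    READ  financial_aid REC-1001
2023-06-12T10:05:55 auditor_ro    WRITE financial_aid REC-1003
2023-06-12T11:30:00 former_staff  READ  enrollment    REC-2044
2023-06-12T11:31:07 registrar     READ  enrollment    REC-2044
"""


def parse_log(text):
    """Parse the whitespace-separated sample log into dicts; skip blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, category, record_id = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "category": category,
            "record": record_id,
        })
    return events


def find_access_violations(events, authorizations):
    """Return (event, reason) for each event outside the user's authorization."""
    findings = []
    for ev in events:
        auth = authorizations.get(ev["user"])
        if auth is None:
            findings.append((ev, "unknown user"))
            continue
        allowed, may_write = auth
        if ev["category"] not in allowed:
            findings.append((ev, "category outside authorized scope"))
        elif ev["action"] == "WRITE" and not may_write:
            # A write by a read-only principal is a tampering signal.
            findings.append((ev, "write by read-only user"))
    return findings


# Constructed record inventory: record id -> date the record was last used
# to provide a product or service.
RECORD_LAST_USED = {
    "REC-1001": date(2023, 6, 12),
    "REC-1003": date(2021, 5, 1),
    "REC-2044": date(2023, 6, 12),
    "REC-3090": date(2020, 12, 31),
}
REVIEW_DATE = date(2023, 6, 12)  # constructed "as of" date for the sweep


def records_due_for_disposal(last_used, as_of, max_age_days=2 * 365):
    """Record ids whose last use is more than max_age_days before as_of."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(rid for rid, d in last_used.items() if d < cutoff)


if __name__ == "__main__":
    for ev, reason in find_access_violations(parse_log(SAMPLE_LOG), AUTHORIZATIONS):
        print(f"{ev['ts'].isoformat()} {ev['user']:14} {ev['action']:5} "
              f"{ev['category']:14} {ev['record']}: {reason}")
    print("due for disposal:", records_due_for_disposal(RECORD_LAST_USED, REVIEW_DATE))
```

On the sample data the access review flags three events (a clerk writing outside the financial-aid scope, a read-only auditor writing a record, and a user absent from the authorization matrix) and the sweep lists the two records last used more than two years before the review date. Real deployments would replace the inline matrix and log with feeds from the identity system and the application's audit trail, keep the findings as evidence for the written risk assessment, and route the disposal list through the data retention policy rather than deleting automatically.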

Recent changes to the Gramm-Leach-Bliley Act (GLBA) safeguards rule (continued)

Key changes include (continued):
• Regular control testing and monitoring (16 CFR 314.4(d)(2)): Absent effective continuous monitoring or other systems to detect, on an ongoing basis, changes in information systems that may create vulnerabilities, the institution must conduct annual penetration testing and vulnerability assessments.
• Personnel policies and procedures (16 CFR 314.4(e)): Requires updated and relevant security awareness training for personnel. In addition, qualified information security personnel must manage security risks and oversee ISPs, security updates and training must be provided to such personnel to address relevant risks, and such personnel deemed key must be current on changing threats and countermeasures.
• Service providers (16 CFR 314.4(f)(3)): Overseeing service providers must include assessments based on the risk they present and the adequacy of their safeguards.
• Incident response (16 CFR 314.4(h)): Requires establishment of a written incident response plan with speci
