Overview
The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, enforced by the FTC, requires financial institutions to develop, implement, and maintain a comprehensive information security program. The rule was significantly updated in 2023 with prescriptive requirements that replaced the earlier principles-based approach. If your organization is classified as a financial institution under the FTC definition (which is broader than you might expect), these requirements apply to you.
Who Must Comply
The term "financial institution" under GLBA extends well beyond banks and credit unions. Covered entities include:
- Mortgage lenders and brokers
- Payday lenders and finance companies
- Account servicers and check cashers
- Financial or investment advisors and tax preparation firms
- Insurance companies and travel agencies operating in a financial capacity
- Real estate settlement services
- Automobile dealerships that arrange financing
- Higher education institutions participating in federal student loan programs
- Retailers that issue their own credit cards
Key Requirements Under the 2023 Updates
| Requirement | Description |
|---|---|
| Qualified Individual | Designate a qualified individual responsible for overseeing the information security program |
| Written Risk Assessment | Conduct periodic risk assessments that identify threats and evaluate existing safeguards |
| Access Controls | Implement and periodically review access controls for customer information |
| Data Inventory | Maintain an inventory of all systems and assets that store or process customer data |
| Encryption | Encrypt customer information both in transit and at rest |
| MFA | Implement multi-factor authentication for anyone accessing customer information |
| Disposal Procedures | Securely dispose of customer information that is no longer needed, subject to the rule's two-year limit |
| Change Management | Implement procedures to evaluate and adjust the security program after changes in operations |
| Monitoring | Implement continuous monitoring or annual penetration testing plus semi-annual vulnerability assessments |
| Incident Response | Develop and maintain a written incident response plan |
| Board Reporting | The qualified individual must report in writing to the board at least annually |
Building Your Information Security Program
Start by designating your qualified individual. This person does not need a specific certification, but they must have the knowledge and authority to oversee your security program. They can be an employee, an affiliate, or a service provider, though you remain responsible regardless. Next, complete your written risk assessment by identifying foreseeable internal and external threats, evaluating the sensitivity of customer information, and assessing the sufficiency of your current safeguards. This assessment drives every other compliance activity.
Implementation Priorities
- Complete your data inventory to know what customer information you hold and where it lives
- Implement MFA across all systems accessing customer information
- Deploy encryption for data at rest and in transit
- Establish access control policies with least-privilege principles
- Set up continuous monitoring tools or schedule penetration testing and vulnerability assessments
- Develop your written incident response plan with clear roles and notification procedures
- Create service provider oversight procedures including contractual security requirements
- Document employee security awareness training and deliver it at onboarding and annually
- Establish your annual board reporting process with written documentation
Enforcement and Consequences
The FTC enforces the Safeguards Rule through consent orders, civil penalties, and public enforcement actions. State attorneys general also have enforcement authority. Recent enforcement actions have resulted in millions in penalties and mandatory 20-year compliance monitoring. Beyond fines, a breach involving customer financial data triggers notification obligations under state breach notification laws, potential class action litigation, and significant reputational harm in the financial services sector.
Frequently Asked Questions
What changed with the 2023 Safeguards Rule updates?
The FTC replaced the original principles-based requirements with specific, prescriptive mandates. New requirements include designating a qualified individual, conducting written risk assessments, implementing MFA and encryption, continuous monitoring or regular testing, maintaining an incident response plan, and annual written board reporting.
Is there a small business exemption?
Financial institutions maintaining customer information on fewer than 5,000 consumers are exempt from some requirements including the written risk assessment, incident response plan, and annual reporting. However, they are still required to implement an information security program with appropriate safeguards.
Can we outsource the qualified individual role?
Yes. The qualified individual can be someone at an affiliate or service provider. However, your organization retains full compliance responsibility. You must oversee the qualified individual and ensure they have adequate authority and resources.
How does GLBA interact with state privacy laws?
GLBA preempts state laws that are inconsistent with its requirements, but states can impose additional requirements. Many state banking regulators have their own cybersecurity rules that apply alongside GLBA, and state breach notification laws apply to incidents involving customer financial data.
What security testing is required?
You must either implement continuous monitoring of your information systems or conduct annual penetration testing plus semi-annual vulnerability assessments. Continuous monitoring is the more robust option, but the testing alternative is available for organizations that cannot implement real-time monitoring.