GLBA Compliance & FTC Safeguards Rule Information Security Program

The Gramm-Leach-Bliley Act (GLBA) and its implementing FTC Safeguards Rule underwent a significant overhaul in 2021 — effective June 2023 — transforming what was once a flexible, principles-based framework into a prescriptive set of mandatory security requirements. A breach notification requirement was added in May 2024. Financial institutions that fail to comply now face penalties of up to $100,000 per violation, with individual officers facing $10,000 per violation and up to five years imprisonment.

Cyber Security Services helps banks, credit unions, mortgage brokers, auto dealers, fintech companies, insurance firms, and all other GLBA-covered entities design, implement, and maintain the updated Information Security Program (ISP) that the FTC Safeguards Rule now mandates.

$100K

per violation penalty

The FTC Safeguards Rule imposes civil penalties of up to $100,000 per violation for institutions and up to $10,000 per violation plus imprisonment for individual officers. Penalties are cumulative — a single unaddressed control gap can generate millions in exposure across multiple violation findings.

78%

increased cybersecurity budgets

78% of financial institutions increased their cybersecurity budgets specifically in response to the updated GLBA Safeguards Rule — recognizing that the new mandatory requirements require significant investment in technical controls, annual pen testing, and continuous monitoring infrastructure. (Okta via Avatier, 2025)

10

mandatory ISP elements

The updated Safeguards Rule elevated 10 specific ISP elements from advisory to mandatory — including a designated Qualified Individual, written risk assessment, annual penetration testing, semiannual vulnerability assessments, MFA, encryption of customer information, and 30-day breach notification to the FTC.

Who Is Covered by GLBA?

GLBA applies to “financial institutions” — a term that extends far beyond traditional banks. Covered entities include:

If your organization collects, maintains, or uses nonpublic personal information (NPI) about consumers in connection with financial products or services, GLBA likely applies to you.

Banks, savings institutions, and credit unions
Mortgage brokers & lenders, auto dealerships with financing
Insurance companies and agencies
Investment advisors, broker-dealers, and accountants
Fintech companies and payment processors handling consumer financial data
Tax preparers and financial planning services
Tax preparers and financial planning services

The 10 Mandatory ISP Elements (Updated Safeguards Rule)

The 2023 FTC Safeguards Rule requires all covered entities to implement a comprehensive Information Security Program containing these specific elements:

Designation of a Qualified Individual (QI) responsible for the ISP

Conduct a written risk assessment identifying threats to customer information

Design and implement safeguards to address identified risks

Regularly monitor & test the effectiveness of safeguards

Train and manage personnel to implement the ISP

Oversee service providers through written contracts and monitoring

Keep the ISP current with changes in operations, personnel, threats, and business arrangements

Create a written incident response plan covering breach identification, containment, notification, & recovery

Report to the board of directors (or senior officer) at least annually on the ISP

Notify the FTC within 30 days of a breach affecting 500+ customers (effective May 2024)

Technical Requirements Under the Updated Rule

Annual penetration testing by a qualified internal or external party
Semiannual vulnerability assessments with documented remediation
Multi-factor authentication (MFA) for all personnel accessing customer information systems
Encryption of all customer information in transit and at rest
Implement security event monitoring and logging with regular review
Secure development practices for in-house developed applications
Procedures for disposal of customer information — digital and physical

Our GLBA Compliance Services

ISP Development & Gap Assessment

We assess your current information security program against all 10 mandatory elements, identify gaps, and develop a comprehensive written ISP that satisfies FTC Safeguards Rule requirements and positions you favorably in regulatory examinations.

Qualified Individual Support

If you do not have an internal resource to serve as Qualified Individual, our virtual CISO service can fill this role — providing the oversight, reporting, and accountability the regulation requires without the cost of a full-time hire.

Annual Penetration Testing

The Safeguards Rule now mandates annual penetration testing. Our certified penetration testers conduct comprehensive assessments of your external perimeter, internal network, and application layer, delivering the documented results and remediation evidence that regulators require.

Vulnerability Assessment Program

We design and execute semiannual vulnerability assessments, implement continuous monitoring tooling, and provide the documented remediation tracking that demonstrates your program is actively managed — not just assessed once and forgotten.

Breach Notification Support

A breach notification to the FTC must be filed within 30 days for incidents affecting 500+ customers. We help you build the incident response procedures, notification templates, and escalation workflows to meet this deadline while managing the concurrent regulatory and legal response.

Is Your Information Security Program FTC-Compliant?

The updated Safeguards Rule is in full effect. Get your GLBA gap assessment and ISP review today.

Schedule Your Free GLBA Compliance Consultation

Frequently Asked Questions

What is a "Qualified Individual" under the Safeguards Rule?

The Safeguards Rule requires designation of a single individual responsible for overseeing, implementing, and enforcing the ISP. This person does not need specific credentials but must have appropriate background and authority. They must report to the board at least annually. Small institutions may use an external service provider — our virtual CISO service fulfills this requirement.

Does the 30-day breach notification requirement apply to all institutions?

The FTC breach notification requirement (effective May 2024) applies to financial institutions subject to the Safeguards Rule when a breach affects 500 or more customers. This is in addition to state breach notification requirements, which may have shorter timeframes. Organizations must have detection and response procedures in place to meet these deadlines.

Are there exemptions for small financial institutions?

Financial institutions with fewer than 5,000 customer records are exempt from the annual penetration testing and semiannual vulnerability assessment requirements — but all other Safeguards Rule elements apply, including the ISP, risk assessment, MFA, encryption, and breach notification requirements.

How does GLBA relate to state privacy laws?

GLBA is a federal floor, not a ceiling. States including California (CCPA/CPRA), New York (NYSDFS), and others have additional requirements that may apply to financial institutions. Our compliance programs address applicable federal and state obligations in an integrated framework.

GLBA Compliance & FTC Safeguards Rule Information Security Program