The FTC's Gramm-Leach-Bliley Act Safeguards Rule was significantly updated in 2023, adding specific technical requirements that many non-bank financial institutions have not yet fully implemented. The original rule required a "written information security program" — the update specifies exactly what that program must contain.
This checklist covers every requirement. Use it to identify gaps in your current program and build a remediation roadmap.
1. Designated Qualified Individual
Required: Designate a Qualified Individual (QI) responsible for overseeing and implementing your information security program.
- Can be an employee (CISO, CIO, IT Director) or a service provider (virtual CISO from your IT provider)
- Must report to the Board of Directors or senior officer at least annually
- Annual report must cover material matters related to the information security program, including risk assessment results, incidents, and testing outcomes
Documentation required: Written designation, evidence of annual board/officer report (board minutes referencing the IT security presentation).
Gap indicator: No one has a formal title or written responsibility for the security program; board has never received a security briefing.
2. Risk Assessment
Required: Conduct a written risk assessment at regular intervals and whenever there is a material change to operations or systems.
- Identify foreseeable internal and external risks to customer NPI
- Assess the likelihood and potential damage of each identified risk
- Evaluate the sufficiency of current safeguards
- Document findings in writing
Documentation required: Written risk assessment with date, scope, identified risks, risk ratings, and current safeguard evaluation.
Gap indicator: No formal risk assessment has ever been conducted, or the existing one is undated or outdated (more than 12 months old with no material-change review).
3. Access Controls
Required: Limit and monitor who can access customer NPI.
- Access controls that limit access to NPI on a need-to-know basis
- Principle of least privilege: users have minimum necessary access
- Formal user access provisioning and de-provisioning process
- Periodic access reviews (at minimum when roles change or employees depart)
Documentation required: Access control policy, user access review records, evidence of prompt access revocation for departed employees.
Gap indicator: Former employees still have active access to systems containing NPI; no documented access review process.
4. Multi-Factor Authentication
Required: Implement MFA for any individual accessing customer NPI.
- MFA required for all users accessing systems that store or process NPI — not just administrators
- Applies to remote access (VPN, RDP) and cloud systems (Microsoft 365, CRM, financial platforms)
- Authenticator apps preferred over SMS for higher security
Documentation required: MFA enforcement configuration, screenshot or report showing MFA enrollment for all users, Conditional Access policy if using Microsoft 365.
Gap indicator: Any user accesses NPI systems without MFA, including users who say "I work in the office and don't need it."
MFA is the most commonly missing control in FTC Safeguards Rule examinations. Regulators and plaintiff attorneys look for this first. If you have any uncovered users, remediate this before anything else.
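The two gap indicators above (former employees with live access, users without MFA or with SMS-only MFA) can be produced from an HR roster and an identity export; the script below is an added example, not code from the article. The field names, the roster and account data, and the set of "strong" MFA labels are constructed for the example and are not any vendor's schema.

```python
"""Added example: reconcile a constructed HR roster against a constructed
account export to produce the gap evidence checklist items 3 and 4 ask for:
enabled accounts with no current employee behind them, accounts with no MFA,
and accounts whose only MFA method is SMS. All names and labels are assumed."""
from dataclasses import dataclass

STRONG_MFA = {"authenticator_app", "fido2", "windows_hello"}  # assumed method labels

@dataclass
class Account:
    upn: str
    enabled: bool
    mfa_methods: tuple  # e.g. ("sms",) or () when not enrolled

# Constructed sample data: current employees per HR, and the identity export.
HR_ROSTER = {"amy@example.com", "bob@example.com", "cara@example.com"}
ACCOUNTS = [
    Account("amy@example.com", True, ("authenticator_app",)),
    Account("bob@example.com", True, ("sms",)),                # SMS-only
    Account("cara@example.com", True, ()),                     # no MFA at all
    Account("dan@example.com", True, ("authenticator_app",)),  # departed, still enabled
    Account("eve@example.com", False, ()),                     # departed, disabled: fine
]

def review(roster, accounts):
    """Return a dict of finding type -> sorted list of affected UPNs."""
    findings = {"departed_still_enabled": [], "no_mfa": [], "sms_only_mfa": []}
    for a in accounts:
        if not a.enabled:
            continue  # a disabled account cannot be used to reach NPI
        if a.upn not in roster:
            findings["departed_still_enabled"].append(a.upn)
        if not a.mfa_methods:
            findings["no_mfa"].append(a.upn)
        elif not set(a.mfa_methods) & STRONG_MFA:
            findings["sms_only_mfa"].append(a.upn)
    return {k: sorted(v) for k, v in findings.items()}

if __name__ == "__main__":
    for kind, users in review(HR_ROSTER, ACCOUNTS).items():
        print(f"{kind}: {users or 'none'}")
```

Run against a real export, the output of each finding type is the list an examiner expects to see closed out (account disabled, MFA enrolled) with dates.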
5. Encryption
Required: Encrypt customer NPI in transit and at rest.
- In transit: All NPI transmitted over networks must use TLS 1.2 or 1.3. This includes email containing NPI, web portals, and API connections between systems.
- At rest: NPI stored on servers, workstations, laptops, and cloud must be encrypted. BitLocker (Windows) or FileVault (Mac) for endpoints; server-side encryption for cloud storage; database encryption for financial databases.
- Laptops are the highest risk — a stolen laptop without encryption is a reportable breach. BitLocker enforced via Intune or Group Policy is the standard control.
Documentation required: Encryption policy, BitLocker deployment report, TLS configuration documentation for web services.
6. Secure Development Practices (If Applicable)
Required: If you develop your own applications that access NPI, implement secure development practices.
For most financial services firms that use commercial software only, this requirement doesn't apply. If you have custom web portals, client-facing applications, or internal tools developed in-house, secure coding standards and code review are required.
7. Penetration Testing and Vulnerability Assessments
Required (for organizations above the 5,000-record exemption threshold):
- Annual penetration test: Conducted by a qualified internal or external party. Must test both the external attack surface and internal lateral movement. Results documented with remediation tracking.
- Biannual (twice yearly) vulnerability assessments: Authenticated vulnerability scans of all in-scope systems. Critical and high findings must be remediated within defined timeframes.
Documentation required: Pen test report with findings and remediation status, vulnerability scan reports with CVSS scores and remediation tracking.
Gap indicator: No pen test has been conducted in the past 12 months; no vulnerability scanning is in place.
8. Change Management
Required: Implement policies and procedures for change management — how systems are changed, updated, or modified.
- Changes to systems in scope must be documented, tested, and approved before deployment
- Emergency change procedures for urgent security patches
- Change log maintained
Documentation required: Change management policy, change log or ticketing system records.
9. Security Log Monitoring
Required: Monitor and filter security events to identify unauthorized access to NPI.
- Logging enabled on all systems that access or process NPI
- Logs reviewed for anomalies — either automated (SIEM) or manual review process
- Logs retained for a minimum of 2 years
- Alerts configured for high-risk events (failed login attempts, after-hours access, large data exports)
Documentation required: Logging configuration, retention policy, alert configuration, evidence of log review process.
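The three alert conditions the checklist names (failed login attempts, after-hours access, large data exports) are simple enough to state as rules; the script below runs them over a handful of constructed log lines as an added example, not code from the article. The log format, the thresholds, the business-hours window and the sample events are all assumptions for the example.

```python
"""Added example: evaluate the three high-risk alert rules from the checklist
over constructed log lines. Format, thresholds and hours are assumed values,
not the Safeguards Rule's or any SIEM's defaults."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <user> <action> [<record count>]"
LOG_LINES = """\
2024-03-05T09:01:10 amy LOGIN_OK
2024-03-05T09:02:00 bob LOGIN_FAIL
2024-03-05T09:02:05 bob LOGIN_FAIL
2024-03-05T09:02:09 bob LOGIN_FAIL
2024-03-05T09:02:14 bob LOGIN_FAIL
2024-03-05T09:02:20 bob LOGIN_FAIL
2024-03-05T23:40:00 cara LOGIN_OK
2024-03-05T14:10:00 amy EXPORT 120
2024-03-05T16:45:00 dan EXPORT 25000
""".splitlines()

FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)  # assumed tuning
BUSINESS_HOURS = range(7, 19)                           # 07:00-18:59, Mon-Fri
EXPORT_THRESHOLD = 10_000                               # records in one export

def parse(line):
    ts, user, action, *rest = line.split()
    return datetime.fromisoformat(ts), user, action, int(rest[0]) if rest else 0

def detect(lines):
    """Return a list of (rule, user, timestamp) alerts in log order."""
    alerts, recent_fails = [], defaultdict(deque)
    for line in lines:
        ts, user, action, count = parse(line)
        if action == "LOGIN_FAIL":
            q = recent_fails[user]
            q.append(ts)
            while ts - q[0] > FAIL_WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) == FAIL_THRESHOLD:     # fire once when the threshold is hit
                alerts.append(("repeated_failed_logins", user, ts))
        elif action == "LOGIN_OK" and (ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5):
            alerts.append(("after_hours_access", user, ts))
        elif action == "EXPORT" and count > EXPORT_THRESHOLD:
            alerts.append(("large_data_export", user, ts))
    return alerts

if __name__ == "__main__":
    for rule, user, ts in detect(LOG_LINES):
        print(f"{ts.isoformat()} {rule} user={user}")
```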
10. Security Awareness Training
Required: Provide security awareness training to all personnel with access to NPI.
- Training at hire and annually thereafter
- Must address current threats — phishing, social engineering, password hygiene, incident reporting
- Completion records maintained
Documentation required: Training completion records with dates and user acknowledgments, curriculum description.
11. Vendor / Service Provider Oversight
Required: Oversee service providers that have access to customer NPI.
- Select vendors based on their ability to maintain appropriate safeguards
- Require vendors to implement appropriate safeguards by contract (written agreement)
- Monitor vendors' compliance on an ongoing basis — at minimum annually
Documentation required: Vendor inventory with NPI access noted, data processing agreements or security addendums with each vendor, annual vendor review process.
12. Incident Response Plan
Required: Develop and implement a written incident response plan.
- Defines what constitutes a security incident
- Roles and responsibilities for incident response
- Steps to contain, assess, and remediate incidents
- Notification requirements: the 2023 update requires notifying the FTC within 30 days of discovering a breach affecting 500 or more customers via the FTC's online portal
- Post-incident review process
Documentation required: Written IR plan with version date, evidence of annual review or tabletop exercise.
Reporting to the Board
The Qualified Individual must report to the board or senior officer at least annually. The report should cover:
- Overall security program status
- Risk assessment findings
- Testing results (pen test, vulnerability scans)
- Any incidents and remediation steps taken
- Material changes to the program
For financial services firms building or upgrading their compliance program, working with an IT provider experienced in financial services is essential. The documentation requirements alone — written policies, evidence of controls, board reporting — require a provider who understands what examiners and auditors look for. Find out more about what to look for in a financial services IT provider, including how to evaluate their compliance documentation capabilities.