Cyber One Solutions logo.
Get Support
Compliance / FTC Safeguards & GLBA

FTC Safeguards Rule and GLBA Compliance for Financial Institutions.

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect the security and confidentiality of their customers' information. For non-bank financial institutions under Federal Trade Commission jurisdiction, the standard that gives GLBA its teeth is the FTC Safeguards Rule (16 CFR Part 314). The 2021 amendments, in effect since June 2023, replaced a short list of general expectations with nine specific, enforceable elements. The definition of a financial institution under the rule is broad. It reaches auto dealers, mortgage brokers and lenders, payday and consumer lenders, tax preparers and accounting firms, collection agencies, investment advisors that are not registered with the SEC, and businesses that simply bring parties together in a financial transaction. Many companies covered by the rule do not think of themselves as financial institutions at all.

Cyber One Solutions builds and manages the written information security program the Safeguards Rule requires. This covers the risk assessment the program is built on, the role of the Qualified Individual who oversees it, and the specific safeguards the rule names: access controls, a data inventory, encryption of customer information in transit and at rest, multi-factor authentication, secure disposal, change management, and logging and monitoring. It covers the regular testing, the staff training, the oversight of service providers, the written incident response plan, and the annual written report to your board or a senior officer. We implement the controls, operate them, and document the evidence, so the program holds up as your business and the rule evolve.

What You Get
A written information security program (WISP) built on a documented risk assessment, covering every system that touches customer information.
A designated Qualified Individual responsible for the program, with the annual written report the rule requires to your board or a senior officer.
Multi-factor authentication and encryption of customer information in transit and at rest, with access controls on the principle of least privilege.
A data inventory, secure disposal, change management, and continuous logging and monitoring of your systems.
Regular testing (continuous monitoring, or annual penetration testing plus biannual vulnerability assessments) and documented security awareness training.
Service-provider oversight, a written incident response plan, and readiness to notify the FTC of a security event affecting 500 or more consumers within 30 days.
The Short Answer

Who must comply with the FTC Safeguards Rule, and what does it require?

The FTC Safeguards Rule (16 CFR Part 314) implements the Gramm-Leach-Bliley Act's security requirements for non-bank financial institutions under FTC jurisdiction: auto dealers, mortgage brokers and lenders, payday lenders, tax preparers, collection agencies, investment advisors not registered with the SEC, and many others that handle customer financial information. It requires a written information security program built on a risk assessment, with a designated Qualified Individual, access controls, encryption of customer information in transit and at rest, multi-factor authentication, secure disposal, logging and monitoring, regular testing, staff training, service-provider oversight, a written incident response plan, and an annual written report to a board or senior officer. Cyber One Solutions implements and operates those controls and produces the documentation the rule expects.

  • A written information security program (WISP)
  • A designated Qualified Individual
  • A written risk assessment
  • MFA and encryption of customer information
  • A written incident response plan
  • Notice to the FTC of a breach affecting 500+ consumers within 30 days
The FTC Safeguards Rule Framework

The Nine Elements Every Covered Institution Must Implement.

The 2021 amendments to the Safeguards Rule define a written information security program through nine required elements. Institutions maintaining information on fewer than 5,000 consumers are exempt from a few of them (the written risk assessment, continuous monitoring or annual testing, the incident response plan, and the annual report), but the core program still applies. These are the elements the rule names, and the work we deliver against each one.

Qualified Individual & Written Risk Assessment

The rule requires you to designate a Qualified Individual to oversee and enforce the program, and to base the program on a written risk assessment that identifies reasonably foreseeable internal and external risks to customer information. We serve in or support the Qualified Individual role and conduct the written risk assessment that everything else is built on.

Access Controls & Data Inventory

You must limit access to customer information to those who need it and periodically review that access, and you must inventory where customer information is collected, stored, and transmitted. We implement least-privilege access, review it on a schedule, and map your customer-information data flows so the inventory is real, not assumed.

Encryption & Multi-Factor Authentication

The rule requires encryption of customer information both in transit and at rest, and multi-factor authentication for anyone accessing information systems that hold customer information. We deploy encryption across the systems that carry customer data and enforce MFA on access, two of the safeguards the FTC weighs most heavily.

Secure Development, Change Management & Disposal

You must adopt secure development practices for apps you build or use, manage change so security is maintained as systems change, and securely dispose of customer information no later than two years after the last use unless there is a legitimate business reason to keep it. We build these into how your systems are operated and retired.

Logging, Monitoring & Regular Testing

The rule requires monitoring and logging of authorized user activity and regular testing of safeguards: either continuous monitoring, or annual penetration testing plus vulnerability assessments at least every six months. We operate the logging and monitoring and run the testing on the cadence the rule sets.

Training, Service-Provider Oversight, Incident Response & Annual Report

You must provide security awareness training, select and oversee service providers capable of protecting customer information, maintain a written incident response plan, and have the Qualified Individual deliver a written report to your board or a senior officer at least annually. We deliver the training, build the vendor-oversight and incident-response processes, and produce the annual report.

FTC Safeguards & GLBA by Industry

Safeguards compliance, built for your kind of business.

The Safeguards Rule applies the same nine elements across covered institutions, but the customer data, systems, and vendor relationships differ by industry. These pages map the program to specific financial-institution types, including those governed by a regulator other than the FTC.

Why the Safeguards Rule Applies to You

The rule's definition of a financial institution is far broader than banks.

The FTC Safeguards Rule applies to financial institutions under FTC jurisdiction, and the definition is deliberately wide. It covers any business significantly engaged in providing financial products or services to consumers, along with businesses that simply bring parties together in a financial transaction. If your business lends, finances, brokers, collects, prepares taxes, advises on investments, or handles the financial information behind those activities, you are very likely covered, whether or not you consider yourself a financial institution.

GLBA sets the obligation; the FTC Safeguards Rule is how it is enforced for non-bank institutions.

The Gramm-Leach-Bliley Act requires financial institutions to protect the security, confidentiality, and integrity of customer information. GLBA assigns enforcement to different regulators depending on the institution. Banks and credit unions answer to their prudential regulators; SEC-registered investment advisors answer to the SEC's Regulation S-P.

For the large population of non-bank financial institutions that fall under Federal Trade Commission jurisdiction, GLBA is enforced through the FTC Safeguards Rule at 16 CFR Part 314. That is the rule this program is built around. If your GLBA obligations run through a banking regulator, the SEC, or a state insurance authority instead, the underlying data-security expectations are similar but the governing standard differs, and we scope the program to the regulator that actually applies to you.

The 2021 amendments turned general expectations into nine specific, testable requirements.

The original Safeguards Rule required a reasonable written program but said little about what it had to contain. The 2021 amendments, in effect since June 2023, changed that. They name a Qualified Individual, a written risk assessment, specific technical safeguards including MFA and encryption, regular testing, service-provider oversight, a written incident response plan, and an annual written report.

That specificity cuts both ways. It tells you exactly what to implement, and it gives the FTC a concrete checklist to enforce against. A program that would have passed as reasonable a few years ago can now have named, documented gaps. We map your current controls to each of the nine elements, close the gaps, and keep the documentation that shows each element is met.

MFA, encryption, and vendor oversight are where most gaps and enforcement actions cluster.

Multi-factor authentication and encryption of customer information are two of the most concrete requirements in the rule, and two of the most common gaps. The FTC has pursued financial institutions whose weak authentication or unprotected data led to exposure of customer information. These are not abstract findings; they map directly to the safeguards the rule names.

Service-provider oversight is the other frequent gap. The rule makes you responsible for selecting providers that can protect customer information, contractually requiring them to do so, and monitoring them. A breach at a vendor that handles your customer data is still your exposure. We enforce MFA and encryption across your environment and build the vendor-oversight process that the rule requires and that a breach investigation will look for.

Breach notification to the FTC is now part of the rule.

A 2023 amendment, in effect since May 2024, added a breach-notification requirement to the Safeguards Rule itself. Covered financial institutions must notify the FTC as soon as possible, and no later than 30 days after discovery, of a security event involving the unencrypted customer information of 500 or more consumers.

That is a firm, short clock, and it rewards preparation. An institution that already has logging, monitoring, and a written incident response plan can determine what happened and meet the deadline. One that does not is exposed on both the breach and the missed notification. We build the detection, the response plan, and the notification workflow so a real event is handled inside the window rather than improvised under pressure. We implement and operate the controls; we do not provide legal advice, and your counsel confirms the specific notification obligations that apply to an event.

Frequently asked questions.

We are an auto dealer (or tax preparer, or mortgage broker). Are we really a financial institution?

Under the FTC Safeguards Rule, very likely yes. The rule defines a financial institution broadly as any business significantly engaged in providing financial products or services, which the FTC has made clear includes auto dealers that arrange financing, mortgage brokers and lenders, tax preparers, payday and consumer lenders, collection agencies, and more. The 2021 amendments even added businesses that act as finders, bringing parties together in a transaction. You do not have to think of yourself as a financial institution to be covered by the rule. We confirm your status during onboarding and scope the program to your business.

Is the FTC Safeguards Rule the same as GLBA?

They are related but not identical. The Gramm-Leach-Bliley Act (GLBA) is the federal law that requires financial institutions to protect customer information. The FTC Safeguards Rule (16 CFR Part 314) is the regulation that implements GLBA's security requirements for the non-bank financial institutions under FTC jurisdiction. Other GLBA-covered institutions are examined by other regulators: banks and credit unions by their prudential regulators, SEC-registered investment advisors under Regulation S-P, and insurance licensees generally under state law modeled on the NAIC. The data-security expectations are similar across all of them, but the governing standard and the examiner differ, so we scope your program to the regulator that actually applies.

Common Questions

FTC Safeguards Rule & GLBA Compliance, Answered.

Common questions from auto dealers, lenders, tax and accounting firms, and other non-bank financial institutions on who the Safeguards Rule covers, what it requires, and how enforcement works.

Don't see your question?
Our team answers questions like these every day, no sales pitch attached.
Ask a Question