The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, requires financial institutions to explain their information-sharing practices and to safeguard sensitive customer data. The act's Safeguards Rule, updated significantly in 2023, mandates that financial institutions develop, implement, and maintain a comprehensive information security program. GLBA applies broadly to entities 'significantly engaged' in financial activities, including banks, securities firms, insurance companies, mortgage brokers, tax preparers, and even automobile dealers that extend credit.
GLBA has three principal components. The Financial Privacy Rule requires institutions to provide privacy notices explaining what data they collect, how it is shared, and how it is protected. The Safeguards Rule mandates a written information security program with a designated qualified individual overseeing it, regular risk assessments, access controls, encryption of customer information in transit and at rest, multi-factor authentication for anyone accessing customer information systems, activity monitoring and logging, secure development practices, and vendor management programs. The updated rule requires periodic penetration testing and vulnerability assessments, incident response planning, and annual reporting to the board of directors. The Pretexting Rule prohibits using false pretenses to obtain customer financial information. Enforcement is shared among the FTC, federal banking regulators, state insurance regulators, and the SEC depending on the type of institution.
GLBA violations can result in fines up to $100,000 per violation for institutions and $10,000 per violation for individuals, plus potential imprisonment. The 2023 Safeguards Rule updates significantly raised the bar for cybersecurity programs at financial institutions. For organizations in financial services, GLBA compliance requires robust technical controls, documented security programs, qualified security leadership, and regular board-level reporting on security posture.