Definition
The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, requires financial institutions under Federal Trade Commission jurisdiction to protect the security and confidentiality of customer information. The FTC's implementing regulation, the Safeguards Rule (16 C.F.R. Part 314), was substantially updated in 2021 with an effective compliance date of June 9, 2023 for most requirements. The 2023 Safeguards Rule is not a refinement of the original; it is a ground-up rewrite that introduces specific, enumerated technical requirements where the original rule offered only general principles.
The significance for security practitioners is the shift from a principles-based framework to a controls-based one. The original Safeguards Rule required a written information security program that was "reasonably designed" to protect customer information. The 2023 rule specifies what "reasonably designed" means in operational terms: who must own it, what risk assessment must cover, which controls must be deployed, how often penetration testing must occur, what must be reported to the Board, and when the FTC must be notified of a breach. This is a meaningful change for compliance teams that previously treated the Safeguards Rule as a policy exercise.
GLBA Safeguards Rule compliance maps squarely to the Risk Governance and Assurance (RGA) domain in the Planetary Defense Model. RGA governs how organizations establish, measure, and sustain compliance postures across regulatory obligations. The 2023 Safeguards Rule is, in practical terms, a codified information security program specification that RGA must operationalize, monitor, and report against on a continuous basis.
---
Background
Who Is a "Financial Institution" Under GLBA
GLBA's scope is broader than most organizations expect. The FTC's rule applies to "financial institutions" as defined by the Gramm-Leach-Bliley Act, which covers any business that is "significantly engaged in financial activities." The FTC has jurisdiction over non-bank financial institutions; prudential regulators (OCC, Federal Reserve, FDIC) cover banks and credit unions under parallel interagency guidelines.
FTC-regulated financial institutions include:
- Mortgage lenders and servicers (including non-bank mortgage companies)
- Payday lenders and consumer finance companies
- Auto dealers that offer or arrange financing
- Personal property or real estate appraisers
- Tax preparation services (H&R Block, independent tax preparers)
- Higher education institutions that participate in Title IV federal student aid programs (the FTC's rule applies to them directly; the Department of Education enforces it through the program participation agreement and the annual compliance audit)
- Check cashing businesses
- Wire transfer services
- Investment advisers not registered with the SEC (state-registered RIAs)
- Securities brokers and dealers are the exception on this list: they fall under SEC jurisdiction via Regulation S-P rather than the FTC's rule, though the Safeguards Rule is instructive for them
- Credit reporting agencies that provide credit counseling
This list surprises many organizations. A university that processes federal student loan applications is a financial institution for GLBA purposes. A tax prep franchise operating in 50 states is a financial institution. An independent used car dealer with in-house financing is a financial institution.
The 5,000-Customer Exemption
The 2023 rule (16 C.F.R. § 314.6) exempts institutions that maintain customer information on fewer than 5,000 consumers from four specific requirements: the written risk assessment (they must still assess risk, but need not document it in the prescribed written form), the annual penetration testing and semi-annual vulnerability assessment cadence, the written incident response plan, and the annual written report to the Board. The exemption does not waive the core safeguards: encryption, access controls, MFA, monitoring and logging, service provider oversight, and staff training remain mandatory regardless of customer count.
---
How It Works
The Required Program Elements
The 2023 Safeguards Rule specifies the elements every covered institution's information security program must include. They are grouped below into ten items, in the order a security team would implement them; the rule text itself organizes them differently under 16 C.F.R. § 314.4.
1. Designate a Qualified Individual. The institution must designate a qualified individual responsible for overseeing, implementing, and enforcing the information security program. This is effectively a CISO requirement. The qualified individual may be an employee or an outsourced service provider, but the institution must retain accountability. The rule further requires this individual to report at least annually to the Board of Directors (or equivalent governing body) on the state of the information security program, material risks identified and addressed, and the effectiveness of safeguards.
2. Conduct a Written Risk Assessment. The institution must conduct a periodic risk assessment covering how customer information may be compromised, the likelihood and potential damage of each identified threat, the sufficiency of existing safeguards to control each identified risk, and how to prioritize additional safeguards. The risk assessment must be written and repeated periodically. The rule does not define the interval; the common reading, consistent with the FTC's business guidance, is at least annually and after any significant change to operations, the technology environment, or the threat landscape.
3. Implement Access Controls. The institution must limit access to customer information to authorized users only, using the principle of least privilege. Access controls must be designed to authenticate and permit access only to authorized individuals and must be sufficient to prevent unauthorized access to customer information.
4. Encrypt Customer Information. Customer information must be encrypted at rest and in transit over external networks (16 C.F.R. § 314.4(c)(3)). The rule names no algorithm; AES-256 at rest and TLS 1.2 or higher in transit are what examiners expect to see, but they are industry convention rather than rule text. Where encryption is infeasible, the qualified individual may approve in writing effective alternative compensating controls. Note the scope: traffic confined to internal networks is not covered by the rule's in-transit requirement, although the risk assessment will often lead you to encrypt it anyway.
5. Implement Multi-Factor Authentication. MFA is explicitly mandated by the 2023 rule for any individual accessing any information system that handles customer information. This is among the most operationally significant changes from the original rule. Prior to 2023, MFA was a best practice many covered institutions had not implemented; it is now a legal requirement. The only exception is where the institution's qualified individual has approved in writing the use of reasonably equivalent or more secure access controls, and that written approval must be retained.
6. Develop, Test, and Maintain an Incident Response Plan. The institution must maintain a written incident response plan addressing the goals of the plan, internal processes for responding to a security event, roles and responsibilities of staff, external and internal communications, identification and remediation of root cause, documentation and reporting requirements, and evaluation and revision of the plan after each security event. The rule does not prescribe a testing method, but an untested plan will not survive an examination or an incident; tabletop exercises or simulations are the usual evidence, and they must be documented.
7. Conduct Penetration Testing and Vulnerability Assessments. The rule (16 C.F.R. § 314.4(d)(2)) requires either continuous monitoring of information systems or, absent that, annual penetration testing plus vulnerability assessments at least every six months and after any material change to operations or business arrangements. Most institutions without mature continuous monitoring will meet this through the testing cadence. Identified vulnerabilities must be remediated; a documented patch management process with timeframes commensurate with risk is how that is evidenced. This requirement does not apply to institutions qualifying for the 5,000-customer exemption.
8. Maintain Audit Logs. The institution must monitor and audit systems that contain or use customer information, maintain sufficient audit logging to detect and respond to security events, and retain logs for a period sufficient to support investigation. The FTC has not specified a minimum retention period in the rule text, but industry practice and FTC enforcement suggest a minimum of one year.
9. Oversee Service Provider Arrangements. The institution must select and retain service providers capable of maintaining appropriate safeguards for customer information, require service providers to implement such safeguards by contract, and periodically review service providers' safeguards. This is a vendor risk management requirement embedded in the compliance rule itself.
10. Train Staff. The institution must train staff to implement the information security program and educate them about their role in protecting customer information.
FTC Breach Notification Requirement
An October 2023 amendment to the Safeguards Rule itself (16 C.F.R. § 314.4(j), effective May 13, 2024) added a notification requirement. A covered institution must notify the FTC as soon as possible, and no later than 30 days after discovery, of a "notification event": unauthorized acquisition of unencrypted customer information involving at least 500 consumers. Information counts as unencrypted for this purpose if the encryption key was also accessed by an unauthorized person. The FTC publishes these notifications on a public website, creating de facto public disclosure. The notification must include the name and contact information of the institution, a description of the types of information involved, the date or date range of the event if it can be determined, the number of consumers affected or potentially affected, a general description of the event, and whether a law enforcement official has requested a delay in public disclosure.
---
Why It Matters
Enforcement Has Teeth
The FTC's remedies come from the FTC Act: consent orders that impose continuing compliance obligations (typically for twenty years) and civil penalties, adjusted annually for inflation (the 2023 figure was $50,120 per violation, with each day of a continuing violation counted separately), which attach most readily once an institution is already under an order. GLBA itself (15 U.S.C. §§ 6821-6823) adds criminal penalties, including fines and imprisonment, for obtaining customer financial information through false pretenses. The FTC has pursued actions against both large institutions and small operators, and the 2023 rule's specificity makes it easier for examiners to identify non-compliance.
The MFA Mandate Is a Forcing Function
MFA has been an industry recommendation for over a decade. The 2023 Safeguards Rule converts that recommendation into a legal mandate for a broad class of organizations. Security teams at covered institutions now have regulatory authority to push back against organizational resistance to MFA rollout. The alternative to implementing MFA is a documented compensating control finding signed by the qualified individual, a process that creates accountability and audit exposure.
Penetration Testing Frequency Is Now Prescribed
Many organizations conducted penetration tests when convenient or when a contract required it. Unless an institution runs and documents genuine continuous monitoring, annual penetration testing with semi-annual vulnerability assessments now establishes a minimum cadence that security teams can budget and plan around. It also sets a clear expectation: if a breach occurs and the institution can demonstrate neither continuous monitoring nor annual penetration testing, the Safeguards Rule failure becomes exhibit A in enforcement or litigation.
Alignment with Other Frameworks
The 2023 Safeguards Rule requirements align closely with NIST SP 800-53 moderate baseline, SOC 2 Type II common criteria, and ISO 27001 Annex A controls. Organizations already pursuing those frameworks are largely building toward GLBA compliance simultaneously. The distinction is that GLBA compliance is not optional or customer-driven for covered institutions: it is a regulatory floor. A SOC 2 report does not substitute for GLBA compliance, but a well-designed SOC 2 program provides substantial evidence of Safeguards Rule compliance during an FTC examination.
---
Technical Requirements
Security teams at GLBA-covered institutions should map their technical program against the following concrete implementation requirements. The rule states most of these as outcomes; where a cadence (quarterly access reviews, 12-month log retention) or a tool category (PAM, centralized logging) appears below, it is a common implementation target rather than rule text, and the written risk assessment should justify the choice.
Qualified Individual and Board Reporting. The security program must have a named owner with documented authority. The annual Board report must address risk assessment results, safeguard effectiveness, material security events, and planned program improvements. The report must be documented and retained.
Risk Assessment. Annual written risk assessment covering all systems that hold or process customer information. The assessment must identify threats, evaluate likelihood and impact, assess current safeguard adequacy, and prioritize remediation. Assessments must be triggered again after major technology changes.
Access Controls. Role-based access control (RBAC) applied to all systems holding customer information. Quarterly access reviews at minimum. Privileged access managed through a privileged access management (PAM) solution. Service account credentials rotated on a defined schedule.
Encryption. AES-256 or equivalent encryption for customer information at rest. TLS 1.2 minimum (TLS 1.3 preferred) for customer information in transit. Database encryption, full-disk encryption for endpoints holding customer data, and encrypted backups. Encryption key management documented and separate from encrypted data.
MFA. MFA required for all access to information systems containing customer information, including VPN, remote desktop, administrative consoles, cloud management interfaces, and any web application processing customer data. TOTP, hardware tokens, or phishing-resistant methods (FIDO2/WebAuthn) preferred. SMS-based OTP is acceptable but flagged as lower assurance.
Penetration Testing. Annual penetration test by a qualified third party (or a sufficiently independent internal team with documented methodology), unless continuous monitoring is in place and documented as the alternative the rule permits. Scope must include systems containing customer information. Findings must be tracked to remediation. Test reports retained. Semi-annual vulnerability scans with a documented patch management process.
Incident Response Plan. Written IRP, tested at least annually (tabletop minimum). The plan must include FTC notification procedures (30-day window for 500+ customer breaches), customer notification procedures consistent with applicable state breach notification laws, and a post-incident review process.
Audit Logging. Centralized log management covering all systems processing customer information. Logs must capture authentication events, access to customer records, configuration changes, and security events. Minimum retention of 12 months. Alerts configured for anomalous access patterns.
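As an added example (not from the FTC rule text or any product the page describes), the following detection logic runs three of the checks above over constructed JSON audit-log lines: a burst of authentication failures followed by a successful login, bulk access to distinct customer records by one user, and logins or configuration changes made without MFA. The log schema, field names (`event`, `user`, `customer_id`, `mfa`) and thresholds are assumptions chosen for illustration.

```python
"""Detection checks over audit-log lines from systems that hold customer information.

Added example: the JSON log schema, the field names and the thresholds are
assumptions, and SAMPLE_LOG is constructed, not captured from a real system.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

FAIL_THRESHOLD = 5                    # auth failures per user within FAIL_WINDOW ...
FAIL_WINDOW = timedelta(minutes=2)    # ... count as a credential-guessing burst
SUCCESS_AFTER = timedelta(minutes=5)  # a success this soon after a burst is alerted
BULK_THRESHOLD = 5                    # distinct customer records per user within BULK_WINDOW
BULK_WINDOW = timedelta(minutes=5)

# Constructed sample: one guessing burst that succeeds without MFA, then a bulk
# pull of records; a normal MFA user; and an unattended config change without MFA.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:00:01Z", "event": "auth_failure", "user": "jdoe", "src_ip": "203.0.113.7"}
{"ts": "2024-03-04T09:00:03Z", "event": "auth_failure", "user": "jdoe", "src_ip": "203.0.113.7"}
{"ts": "2024-03-04T09:00:05Z", "event": "auth_failure", "user": "jdoe", "src_ip": "203.0.113.7"}
{"ts": "2024-03-04T09:00:07Z", "event": "auth_failure", "user": "jdoe", "src_ip": "203.0.113.7"}
{"ts": "2024-03-04T09:00:09Z", "event": "auth_failure", "user": "jdoe", "src_ip": "203.0.113.7"}
{"ts": "2024-03-04T09:00:12Z", "event": "auth_success", "user": "jdoe", "src_ip": "203.0.113.7", "mfa": false}
{"ts": "2024-03-04T09:01:00Z", "event": "record_access", "user": "jdoe", "customer_id": "C1001"}
{"ts": "2024-03-04T09:01:10Z", "event": "record_access", "user": "jdoe", "customer_id": "C1002"}
{"ts": "2024-03-04T09:01:20Z", "event": "record_access", "user": "jdoe", "customer_id": "C1003"}
{"ts": "2024-03-04T09:01:30Z", "event": "record_access", "user": "jdoe", "customer_id": "C1004"}
{"ts": "2024-03-04T09:01:40Z", "event": "record_access", "user": "jdoe", "customer_id": "C1005"}
{"ts": "2024-03-04T10:15:00Z", "event": "auth_success", "user": "analyst2", "src_ip": "10.0.0.5", "mfa": true}
{"ts": "2024-03-04T10:16:00Z", "event": "record_access", "user": "analyst2", "customer_id": "C2001"}
{"ts": "2024-03-04T10:20:00Z", "event": "record_access", "user": "analyst2", "customer_id": "C2001"}
{"ts": "2024-03-04T23:30:00Z", "event": "config_change", "user": "svc_backup", "object": "db.tde", "mfa": false}
"""


def parse_log(text):
    """Parse JSON lines into event dicts with a UTC datetime in "ts", sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(log_text):
    """Return alerts as dicts {rule, user, ts} in the order they fire."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of recent auth failures
    burst_seen = {}                 # user -> time the failure count crossed FAIL_THRESHOLD
    accesses = defaultdict(deque)   # user -> (ts, customer_id) of recent record accesses

    def alert(rule, event):
        alerts.append({"rule": rule, "user": event["user"], "ts": event["ts"].isoformat()})

    for e in parse_log(log_text):
        ts, kind, user = e["ts"], e["event"], e["user"]
        if kind == "auth_failure":
            q = failures[user]
            q.append(ts)
            while ts - q[0] > FAIL_WINDOW:        # slide the window forward
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                burst_seen[user] = ts
        elif kind == "auth_success":
            if user in burst_seen and ts - burst_seen.pop(user) <= SUCCESS_AFTER:
                alert("credential_guessing_success", e)
            if not e.get("mfa", False):            # the rule requires MFA for any access
                alert("login_without_mfa", e)
        elif kind == "record_access":
            q = accesses[user]
            q.append((ts, e["customer_id"]))
            while ts - q[0][0] > BULK_WINDOW:
                q.popleft()
            if len({cid for _, cid in q}) >= BULK_THRESHOLD:
                alert("bulk_customer_record_access", e)
                q.clear()                          # one alert per burst, not per access
        elif kind == "config_change":
            if not e.get("mfa", False):
                alert("config_change_without_mfa", e)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["ts"], a["rule"], a["user"])
```

The windows are sliding rather than fixed buckets so a burst that straddles a minute boundary is still caught, and the bulk-access queue is cleared after an alert so one export does not produce an alert per record. The same logic ports directly to a SIEM correlation rule; what matters for the Safeguards Rule is that the underlying events (authentication outcomes, per-record access, configuration changes, MFA status) are actually being logged centrally so a rule like this has something to run on.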
Service Provider Management. Current vendor inventory for all service providers receiving customer information. Executed contract language requiring adequate safeguards. Annual review of service provider security posture (questionnaire, SOC 2 report, or equivalent).
---
CDA Perspective
The GLBA Safeguards Rule exemplifies why CDA built Perpetual Compliance Assurance (PCA) as a continuous operational methodology rather than a point-in-time assessment service. "Compliance is not an event. It is a state." The 2023 Safeguards Rule's requirements, including annual penetration testing, semi-annual vulnerability assessments, Board reporting, and 30-day breach notification, are recurring operational obligations that demand infrastructure, not just effort.
Within the PDM, GLBA Safeguards Rule compliance is owned by the RGA domain (Risk Governance and Assurance). But its implementation touches every other domain. Encryption and data protection are DPS. Vulnerability assessments are VSD. Access controls and MFA are IAT. Audit log monitoring and anomaly detection are TID. The security program that satisfies the Safeguards Rule is not a siloed compliance artifact; it is a cross-domain security posture.
PCA operationalizes this by treating Safeguards Rule requirements as continuous compliance metrics rather than annual checklist items. PCA monitors: penetration test currency (are we within 12 months of a full scope test?), vulnerability scan currency (are we within 6 months?), MFA coverage (what percentage of user accounts accessing customer information systems have MFA enrolled?), encryption coverage (what percentage of customer information datastores are encrypted at rest?), audit log coverage (what percentage of in-scope systems are feeding a centralized log platform?), and service provider DPA currency.
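To make those metrics concrete, here is an added example that computes them over a constructed asset inventory and applies the 5,000-consumer exemption when deciding which gaps are findings, which also covers the threshold monitoring point raised later in this section. It is illustration code, not CDA's PCA tooling and not rule text; the inventory schema, the cadences (365-day penetration test, 182-day vulnerability scan, annual vendor review) and the sample data are assumptions.

```python
"""Continuous Safeguards Rule posture check over a constructed asset inventory.

Added example: not the page's PCA tooling and not rule text. The inventory schema,
the cadences and the exemption threshold follow the page's reading of 16 C.F.R.
Part 314; SYSTEMS, ACCOUNTS and VENDORS are constructed sample data.
"""
from datetime import date, timedelta

PEN_TEST_MAX_AGE = timedelta(days=365)       # annual penetration test
VULN_SCAN_MAX_AGE = timedelta(days=182)      # vulnerability assessment every six months
VENDOR_REVIEW_MAX_AGE = timedelta(days=365)  # periodic service-provider review, annual here
SMALL_INSTITUTION_THRESHOLD = 5000           # 16 C.F.R. 314.6: fewer than 5,000 consumers
REPORT_DATE = date(2024, 6, 1)               # "today" for the sample run

SYSTEMS = [  # constructed CMDB export
    {"name": "loan-origination-db", "in_scope": True, "encrypted_at_rest": True,
     "central_logging": True, "last_pen_test": date(2023, 9, 10), "last_vuln_scan": date(2024, 3, 15)},
    {"name": "dealer-portal-web", "in_scope": True, "encrypted_at_rest": True,
     "central_logging": False, "last_pen_test": date(2023, 4, 1), "last_vuln_scan": date(2023, 11, 20)},
    {"name": "backup-nas", "in_scope": True, "encrypted_at_rest": False,
     "central_logging": True, "last_pen_test": None, "last_vuln_scan": date(2024, 5, 1)},
    {"name": "marketing-site", "in_scope": False, "encrypted_at_rest": False,
     "central_logging": False, "last_pen_test": None, "last_vuln_scan": None},
]
ACCOUNTS = [  # constructed identity export: which users reach which systems
    {"user": "jdoe", "system": "loan-origination-db", "mfa_enrolled": True},
    {"user": "analyst2", "system": "loan-origination-db", "mfa_enrolled": True},
    {"user": "dealer1", "system": "dealer-portal-web", "mfa_enrolled": True},
    {"user": "svc_backup", "system": "backup-nas", "mfa_enrolled": False},
    {"user": "webadmin", "system": "marketing-site", "mfa_enrolled": False},
]
VENDORS = [  # constructed vendor register
    {"name": "DocSignCo", "receives_customer_info": True, "contract_safeguards": True, "last_review": date(2023, 2, 1)},
    {"name": "CloudHostCo", "receives_customer_info": True, "contract_safeguards": True, "last_review": date(2024, 1, 10)},
    {"name": "AdAgency", "receives_customer_info": False, "contract_safeguards": False, "last_review": None},
]


def is_stale(last, max_age, today):
    """True when an activity never happened or is older than its required cadence."""
    return last is None or today - last > max_age


def pct(items, predicate):
    """Percentage of items satisfying predicate, one decimal; 100.0 for an empty set."""
    if not items:
        return 100.0
    return round(100.0 * sum(1 for i in items if predicate(i)) / len(items), 1)


def posture_report(systems, accounts, vendors, consumer_count, today):
    """Compute the coverage metrics and turn gaps into findings, honouring the 314.6 exemption."""
    in_scope = [s for s in systems if s["in_scope"]]
    names = {s["name"] for s in in_scope}
    in_scope_accounts = [a for a in accounts if a["system"] in names]
    covered_vendors = [v for v in vendors if v["receives_customer_info"]]
    exempt = consumer_count < SMALL_INSTITUTION_THRESHOLD

    report = {
        "small_institution_exemption": exempt,
        "pen_test_overdue": [s["name"] for s in in_scope if is_stale(s["last_pen_test"], PEN_TEST_MAX_AGE, today)],
        "vuln_scan_overdue": [s["name"] for s in in_scope if is_stale(s["last_vuln_scan"], VULN_SCAN_MAX_AGE, today)],
        "encryption_at_rest_pct": pct(in_scope, lambda s: s["encrypted_at_rest"]),
        "central_logging_pct": pct(in_scope, lambda s: s["central_logging"]),
        "mfa_coverage_pct": pct(in_scope_accounts, lambda a: a["mfa_enrolled"]),
        "accounts_without_mfa": [f'{a["user"]}@{a["system"]}' for a in in_scope_accounts if not a["mfa_enrolled"]],
        "vendor_review_overdue": [v["name"] for v in covered_vendors
                                  if not v["contract_safeguards"] or is_stale(v["last_review"], VENDOR_REVIEW_MAX_AGE, today)],
    }
    findings = []
    if not exempt:  # 314.6 lifts the testing cadence for small institutions, not the safeguards
        findings += [f"penetration test overdue: {n}" for n in report["pen_test_overdue"]]
        findings += [f"vulnerability scan overdue: {n}" for n in report["vuln_scan_overdue"]]
    findings += [f"no MFA: {a}" for a in report["accounts_without_mfa"]]
    findings += [f"not encrypted at rest: {s['name']}" for s in in_scope if not s["encrypted_at_rest"]]
    findings += [f"not in central logging: {s['name']}" for s in in_scope if not s["central_logging"]]
    findings += [f"service provider review overdue: {v}" for v in report["vendor_review_overdue"]]
    report["findings"] = findings
    report["compliant"] = not findings
    return report


if __name__ == "__main__":
    for key, value in posture_report(SYSTEMS, ACCOUNTS, VENDORS, 12000, REPORT_DATE).items():
        print(f"{key}: {value}")
```

Run against the sample inventory, the report flags two systems with no penetration test in the last year, one with a stale vulnerability scan, one account without MFA, one datastore unencrypted at rest, one system outside central logging, and one vendor overdue for review. Rerun with a consumer count below 5,000 and the testing-cadence findings drop out while the safeguard gaps remain, which is exactly the distinction the exemption draws. The point of wiring this to live inventory data rather than a spreadsheet is that the consumer count and the ages all move continuously, so the moment the institution crosses the threshold or a scan slips past 182 days, the report changes.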
For CDA clients in financial services, higher education, or any sector falling under GLBA's broad "significantly engaged in financial activities" standard, the PCA framework provides the instrumentation to answer the FTC examiner's questions before they are asked, and to maintain the posture continuously rather than scrambling before an examination.
One observation worth flagging: the 5,000-customer exemption is a threshold that organizations can cross unexpectedly as they grow. A tax preparation service expanding its customer base, a small mortgage company growing through acquisitions, or a university adding online students can pass it without realizing it. CDA recommends tracking the consumer count as part of the compliance posture assessment and building toward full Safeguards Rule compliance proactively rather than reactively.
---
Key Takeaways
- The 2023 GLBA Safeguards Rule applies to a broad class of non-bank financial institutions under FTC jurisdiction, including mortgage lenders, auto dealers with financing, tax preparers, and higher education institutions with student financial aid programs.
- Multi-factor authentication is now explicitly mandated for any individual accessing any system containing customer information, with only a narrow compensating-control exception requiring written documentation.
- Annual penetration testing and semi-annual vulnerability assessments (or continuous monitoring in their place) are required minimums for institutions above the 5,000-customer threshold, with identified vulnerabilities tracked to remediation through a documented patch management process.
- A designated Qualified Individual (effectively a CISO function) must report at least annually to the Board on the information security program, creating executive accountability for the security posture.
- Breach notification to the FTC is required within 30 days for incidents affecting 500 or more customers, and the FTC publishes these notifications publicly, making timely detection and response a reputational as well as regulatory obligation.
---
Related Articles
- Perpetual Compliance Assurance (PCA) Methodology
- Zero Possession Architecture (ZPA) and Access Control Implementation
- Penetration Testing Fundamentals and Scope Management
- Incident Response Planning and Testing
- FTC Act Section 5 and Unfair Security Practices
---
Sources
- Federal Trade Commission, "Standards for Safeguarding Customer Information" (16 C.F.R. Part 314), as amended effective June 9, 2023, with the notification requirement in § 314.4(j) effective May 13, 2024. ftc.gov/legal-library/browse/rules/safeguards-rule
- Federal Trade Commission, "FTC Safeguards Rule: What Your Business Needs to Know" (2023). ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know
- Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6827.
- NIST SP 800-53 Rev. 5, "Security and Privacy Controls for Information Systems and Organizations" (2020). csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
- Center for Internet Security, "CIS Controls v8" (2021). cisecurity.org/controls