Skip to content

Frustration-Free Risk Management

Simplify cybersecurity risk management and tackle your cybersecurity challenges with ease. TRAC automates the tedious risk assessment process and produces customized results that align with regulations, best practices, and your strategic goals.

The U.S. Capitol building.
Joe DavisNovember 09, 20228 min read

Safeguards Rule Update

If your organization, or part of your organization, is a financial institution, you are required to be in compliance with the Gramm-Leach-Bliley Act (GLBA) of 1999. Banks have long been aware of GLBA and what it requires to safeguard customer information. Further, enforcement agencies defined in GLBA provide compliance guidelines to organizations within their jurisdiction.

It's important to understand how GLBA defines "financial institution" to understand that it applies to a broader range of companies. GLBA defines a financial institution as "any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution."

The list of organizations that are required to comply with GLBA, then, extends well beyond banks and lenders. The list included entities such as:

  • A retailer that extends credit by issuing its own credit card directly to consumers.
  • An automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days.
  • A personal property or real estate appraiser.
  • A career counselor that specializes in providing career counseling services to individuals currently employed by or recently displaced from a financial organization, individuals who are seeking employment with a financial organization, or individuals who are currently employed by or seeking placement with the finance, accounting or audit departments of any company.
  • A business that prints and sells checks for consumers, either as its sole business or as one of its product lines.
  • A business that regularly wires money to and from consumers is a financial institution because transferring money.
  • A check cashing business.
  • An accountant or other tax preparation service that is in the business of completing income tax returns.
  • A business that operates a travel agency in connection with financial services.
  • An entity that provides real estate settlement services.
  • A mortgage broker.
  • An investment advisory company and a credit counseling service.
  • A company acting as a finder in bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate.

Do you fit the above definition of a "financial institution" or is your organization on the list? If so, then you may be required to be GLBA compliant.

Section 501(b) of GLBA requires that each agency with an enforcement authority shall establish appropriate standards for the financial institutions in their jurisdiction. These standards shall address administrative, technical, and physical safeguards to:

  • Insure the security and confidentiality of customer records and information;
  • Protect against any anticipated threats or hazards to the security or integrity of such records; and
  • Protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

Section 505(a) of GLBA lists the agencies responsible for developing and enforcing these standards for financial institutions. The section assigns authority to the Federal Trade Commission (FTC) for any entity that is not subject to the jurisdiction of the Office of the Comptroller of the Currency (OCC), Federal Reserve, Federal Deposit Insurance Corporation (FDIC), Office of Thrift Supervision, National Credit Union Administration (NCUA), Securities and Exchange Commission (SEC), or the State insurance authority. This means that many of the non-bank financial institutions are within the enforcement jurisdiction of the FTC. Any financial institution subject to the jurisdiction of the OCC, Federal Reserve, FDIC, NCUA, SEC, etc. are not subject to the Safeguards Rule (16 CFR Part 314), but rather the Interagency Guidelines Establishing Information Security Standards (12 CFR 364 – Appendix B or 12 CFR Part 30 – Appendix B).

On December 9, 2021, the FTC updated 16 CFR Part 314: The Standards for Safeguarding Customer Information - the "Safeguards Rule" - to strengthen the information security requirements by including specific criteria for what safeguards financial institutions must implement. The changes align the Safeguards Rule with the rules for other financial institutions and raise the level of information security in an evolving threat landscape. Most of the requirements are set to take effect on December 9, 2022.

On November 15, 2022, the FTC announced a six-month extension for compliance with certain provisions of the Safeguards Rule. The deadline for complying with some of the updated requirements of the Safeguards Rule is now June 9, 2023. 

Under the new Safeguards Rule, financial institutions are required to:

  • Designate a qualified individual responsible for overseeing and implementing your information security program and enforcing your information security program; 
  • Base your information security program on a risk assessment;
  • Design and implement safeguards to control the risks you identify through risk assessment;
    • Implement and periodically review access controls, including technical and, as appropriate, physical controls;
    • Identify and manage the data, personnel, devices, systems, and facilities that enable you to achieve business purposes in accordance with their relative importance to business objectives and your risk strategy;
    • Protect by encryption all customer information held or transmitted by you both in transit over external networks and at rest;
    • Adopt secure development practices for in-house developed applications utilized by you for transmitting, accessing, or storing customer information and procedures for evaluating, assessing, or testing the security of externally developed applications you utilize to transmit, access, or store customer information;
    • Implement multi-factor authentication for any individual accessing any information system, unless your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls;
    • Develop, implement, and maintain procedures for the secure disposal of customer information in any format;
    • Periodically review your data retention policy to minimize the unnecessary retention of data; o Adopt procedures for change management; and
    • Implement policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.
  • Regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures.
  • For information systems, the monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments. Absent effective continuous monitoring or other systems to detect, on an ongoing basis, changes in information systems that may create vulnerabilities, you shall conduct:
    • Annual penetration testing;
    • Vulnerability assessments.
  • Implement policies and procedures to ensure that personnel can enact your information security program by:
    • Providing your personnel with security awareness training that is updated as necessary to reflect risks identified by the risk assessment;
    • Utilizing qualified information security personnel employed by you or an affiliate or service provider sufficient to manage your information security risks and to perform or oversee the information security program;
    • Providing information security personnel with security updates and training sufficient to address relevant security risks; and
    • Verifying that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures.
  • Oversee service providers, by:
    • Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue;
    • Requiring your service providers by contract to implement and maintain such safeguards; and
    • Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards.
  • Evaluate and adjust your information security program in light of the results of the testing and monitoring required; any material changes to your operations or business arrangements; the results of risk assessments performed; or any other circumstances that you know or have reason to know may have a material impact on your information security program.
  • Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in your control. Such incident response plan shall address the following areas:
    • The goals of the incident response plan;
    • The internal processes for responding to a security event;
    • The definition of clear roles, responsibilities, and levels of decision-making authority;
    • External and internal communications and information sharing;
    • Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
    • Documentation and reporting regarding security events and related incident response activities; and
    • The evaluation and revision as necessary of the incident response plan following a security event.
  • Require your qualified individual to report in writing, regularly and at least annually, to your board of directors or equivalent governing body. If no such board of directors or equivalent governing body exists, such report shall be timely presented to a senior officer responsible for your information security program. The report shall include the following information:
    • The overall status of the information security program and your compliance with this part; and
    • Material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management's responses thereto, and recommendations for changes in the information security program.

An important part of the FTC's updated Safeguards Rule is the exemption for financial institutions that collect information on fewer than 5,000 consumers. However, this exemption only applies to those financial institutions that are under the supervision of the FTC. Banks and credit unions do not fall under the supervision of the FTC and are not included in the exemption. The guidance provided by the FFIEC in regard to GLBA is not superseded by these updates to the Safeguards Rule. Rather, this update brings the guidance of the FTC in line with or even exceeds the guidance of other supervising agencies.

This set of criteria is extensive and may come as a surprise to an organization that may not have realized that they were classified as a financial institution or that they were required to be GLBA compliant. However, the Safeguards Rule is a good roadmap for any information security program. By updating the Safeguards Rule, the FTC has mandated to non-bank financial institutions for which it holds enforcement authority an up-to-date set of rules to not only be in compliance with GLBA, but to also better safeguard the customer information with which they are trusted.


Joe Davis

Joe Davis is an Information Security Consultant at SBS CyberSecurity. He specializes in information security management and bridging the gap between information technology and information security.