

FTC Proposes Changes to GLBA Safeguards Rule


First Major Changes in Over 16 Years

The Gramm-Leach-Bliley Act (GLBA) was passed in 1999. The Federal Trade Commission (FTC) followed with the Privacy Rule in 2000 and the Safeguards Rule in 2002, the latter requiring financial institutions to document and implement an Information Security Program to protect customer information. The 15+ years since have been spent verifying, through examinations, assessments, and tests, that financial institutions in the United States are adequately protecting that information.

Since GLBA and the Safeguards Rule are now old enough to drive, it is fitting that the first major changes to these rules have been proposed. On March 5, 2019, the FTC announced proposed revisions to the Safeguards Rule that would expand the set of companies covered by the Rule and require specific controls to secure customer information, including encryption and multi-factor authentication.

The proposed Safeguards Rule amendments are modeled on newer cybersecurity regulations seen over the last few years, including the New York Department of Financial Services Cybersecurity Regulation and the National Association of Insurance Commissioners’ Insurance Data Security Model Law.


Major Changes to Covered Entities

The biggest change to the Safeguards Rule is the expansion of who is covered. The Rule has always applied to “financial institutions” as GLBA defines them; the proposal, much like the broad “covered entity” definition in the NY DFS Cybersecurity Regulation, would extend coverage to “entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. Such a change would add ‘finders’ – companies that bring together buyers and sellers of a product or service – within the scope of the Rule.”

So who would be covered under the proposed Safeguards Rule changes? Much like in New York, the list includes:

  • State-chartered banks
  • Licensed lenders
  • Private bankers
  • Foreign banks licensed to operate in the US
  • Mortgage companies
  • Insurance companies
  • Fintech companies
  • Colleges and Universities that issue student loans
  • Tax preparers and accountants
  • Retailers that issue their own credit card directly to consumers
  • Auto dealerships that lease vehicles for longer than 90 days
  • Career counseling services that specialize in placing current or former employees of financial institutions in new jobs
  • Businesses that print and sell checks for consumers
  • Any business that regularly wires money to and from consumers
  • Travel agencies operated in connection with financial services
  • Investment advisors and credit counseling services
  • Personal property or real estate appraisers
  • Any other business involved with transactions that are financial in nature or incidental to such financial activities

Small businesses and small financial institutions may be exempt from some of the more costly and burdensome controls, but not from the proposed Safeguards Rule changes altogether.


Additional Controls to Implement - Safeguards Rule

The proposed Safeguards Rule changes specify prescriptive, detailed controls, such as:

  • A formal, written Information Security Program based on a risk assessment
  • Periodic follow-up risk assessments
  • A formal Incident Response Plan
  • Designating an official Chief Information Security Officer (CISO)
  • A formal, documented annual report to the Board from the CISO regarding the status of the Information Security Program
  • Formal access controls based on the principle of least privilege, and a review of user access
  • Physical access restrictions around customer information
  • Encryption of all customer information in transit over external networks and at rest
  • Multi-factor authentication requirements for users accessing customer information
  • Audit trails designed to detect and respond to security events
  • Procedures for the secure disposal of customer information no longer necessary for business operations
  • Procedures for change management – the addition, modification, and disposal of IT assets
  • Detection of unauthorized access to networks and customer information
  • Training and education for all employees
  • Vendor management (service provider oversight)
  • Regular testing and monitoring of key information security measures (at minimum, annual penetration testing and vulnerability assessments at least every six months)

The FTC does not endorse a specific cybersecurity framework, such as PCI DSS or the NIST Cybersecurity Framework, and will not provide “safe harbor” for organizations complying with existing cybersecurity frameworks.


Making Comments on Proposed Changes

The proposed changes to the Safeguards Rule are open to comment for 60 days after publication in the Federal Register. Interested parties may file a comment online or on paper. Include “Safeguards Rule, 16 CFR Part 314, Project No. P145407” in your comment and, to file online, follow the instructions on the FTC’s web-based comment form.

If you prefer to file your comment on paper, mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue, N.W., Suite CC-5610 (Annex B), Washington, D.C. 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street S.W., 5th Floor, Suite 5610 (Annex B), Washington, D.C. 20024.


What’s Next?

The major takeaway from these proposed changes to the Safeguards Rule is that if your business stores, transmits, or processes confidential customer information, such as financial transactions, financial information, Personally Identifiable Information (PII), healthcare information, or anything else deemed “confidential,” you will be subject to cybersecurity regulation sooner rather than later.

If you run a business of any kind and rely on technology, especially the internet, to conduct it, understand that you have something of value to an attacker. It is not just confidential customer information; value may come in the form of login credentials (social media, online banking, payroll software, etc.), business information or trade secrets, employee information, or simply access to your network, all of which can be sold for profit. Don’t fall into the “nobody knows who we are” or “no one wants to hack a small business in the middle of nowhere” trap. YOUR BUSINESS IS VALUABLE. Protect your business and your customer information.


Want more information? SBS is hosting a webinar in partnership with GSB to review the proposed changes to the Safeguards Rule controls, the expanded scope of covered entities, how you can comment on the proposed changes, and the impacts on our banks, critical vendors, and businesses in our communities.


Written by: Jon Waldman
Partner, EVP of Information Security Consulting - SBS CyberSecurity, LLC

SBS Resources:

  • Consulting: In today's rapidly evolving business landscape full of cyber risks, both employees and business leaders are finding it harder and harder to handle all the demands of being a security expert. This is why SBS Consulting Services have been one of our most sought-after offerings for over ten years.
  • Penetration Testing: Safely simulate a cyber-attack to ensure your network is hardened against known vulnerabilities.
  • Vulnerability Assessment: Identify system shortcomings and arm your organization with information to fortify your network.

Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Friday, March 22, 2019
Categories: Blog, In the News