Skip to main content
> GLBA

Gramm-Leach-Bliley Act

Protecting consumer financial information through mandated safeguards

Established: 1999 (Safeguards Rule updated 2023) Last Updated: June 2023 (Revised Safeguards Rule effective) Scope: United States
Broadly Defined
Financial Institutions

What does the GLBA Safeguards Rule require?

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect customer financial data under a written information security program. Since the FTC's 2023 Safeguards Rule update, covered institutions must appoint a Qualified Individual, encrypt customer data in transit and at rest, enforce multi-factor authentication, and test their defenses through penetration testing or continuous monitoring. A 2024 amendment adds breach notification: events affecting 500 or more consumers go to the FTC within 30 days. Non-compliance runs up to $100,000 per violation. GLBA is no longer a paperwork exercise; it is enforceable security engineering with deadlines.

// What is GLBA?

GLBA requires financial institutions to explain their information-sharing practices and protect sensitive consumer data. The Safeguards Rule, significantly strengthened in 2023, mandates specific security measures for non-banking financial institutions under FTC jurisdiction.

The Act's definition of 'financial institution' extends beyond banks to include mortgage brokers, payday lenders, finance companies, account servicers, check cashers, tax preparers, real estate settlement services, and many other businesses engaged in financial activities.

The 2023 Safeguards Rule updates transformed vague requirements into specific mandates including written security programs, designated security personnel, encryption requirements, multi-factor authentication, and penetration testing, making compliance significantly more demanding.

// Inside the Regulation

GLBA contains three principal components: the Financial Privacy Rule (customer notice), the Safeguards Rule (security requirements), and Pretexting Provisions (social engineering protections). The Safeguards Rule contains the cybersecurity-relevant requirements.

1

Safeguards Rule Requirements

16 CFR Part 314

The revised Safeguards Rule requires documented information security programs with specific technical and administrative controls.

Written Information Security Program

Document and maintain a written security program appropriate to company size, complexity, and the sensitivity of customer information handled.

Qualified Individual

Designate a qualified individual responsible for overseeing the information security program (can be employee or service provider).

Risk Assessment

Conduct periodic risk assessments identifying reasonably foreseeable internal and external risks, assessing safeguard sufficiency.

Safeguard Implementation

Design and implement safeguards controlling identified risks through access controls, encryption, secure development, and information disposal.

Continuous Monitoring

Implement continuous monitoring or annual penetration testing and vulnerability assessments to test safeguard effectiveness.

Personnel Training

Provide security awareness training to personnel and verify service providers maintain appropriate safeguards.

2

Specific Technical Requirements

The 2023 amendments added explicit technical requirements previously left to interpretation.

Multi-Factor Authentication

Require MFA for anyone accessing customer information systems, using knowledge, possession, and inherence factors.

Encryption

Encrypt customer information in transit over external networks and at rest. If encryption isn't feasible, document compensating controls.

Penetration Testing

Conduct annual penetration testing and vulnerability assessments (biannual scans). Continuous monitoring may substitute for annual testing.

Secure Development

Implement procedures for secure application development if you develop applications processing customer information.

Incident Response

Maintain a written incident response plan addressing goals, internal processes, communications, remediation, and documentation.

3

Board Reporting

Qualified individuals must report to boards of directors (or equivalent governing body) on information security program status.

Written Reports

Provide written reports at least annually covering overall program status, compliance, material matters, and recommendations.

Risk Assessment Results

Report on risk assessment findings and management decisions regarding identified risks.

Security Events

Report material security events and management response.

Note: The Safeguards Rule applies to 'financial institutions' which GLBA defines broadly based on activities, not charters. Auto dealers, mortgage brokers, tax preparers, and many non-traditional businesses fall under FTC jurisdiction for GLBA enforcement.

// Who Must Comply

  • 1 Banks, credit unions, and savings associations (regulated by banking agencies)
  • 2 Mortgage brokers and lenders
  • 3 Finance companies and payday lenders
  • 4 Automobile dealers providing financing
  • 5 Tax preparation services
  • 6 Investment advisers and brokers
  • 7 Real estate settlement services
  • 8 Debt collectors and credit counselors
  • 9 Check cashing and wire transfer services

// Key Requirements

Qualified Individual

Designate a qualified individual responsible for information security program oversight

Multi-Factor Authentication

Require MFA for all access to systems containing customer information

Encryption

Encrypt customer information at rest and in transit over external networks

Penetration Testing

Conduct annual penetration testing and biannual vulnerability assessments

Incident Response Plan

Maintain written incident response procedures addressing detection through recovery

Board Reporting

Report annually to board on security program status and material events

// Enforcement & Penalties

The FTC enforces GLBA Safeguards Rule violations through consent decrees, civil penalties, and injunctive relief. State attorneys general may also bring enforcement actions. Individuals may face personal liability.

Maximum Penalty

$100,000 per violation; $10,000 per individual

Examples:

  • FTC consent orders requiring 20+ years of third-party security assessments
  • Civil penalties for systematic Safeguards Rule violations
  • State attorney general enforcement under state financial privacy laws
  • Personal liability for officers and directors in egregious cases

// Cyber Insurance Impact

Cyber insurers evaluate GLBA Safeguards Rule compliance when underwriting financial institutions. The 2023 requirements (particularly MFA, encryption, and penetration testing) align with standard insurer expectations. Non-compliant organizations may face coverage exclusions or increased premiums.

// How Breach Craft Helps

We help organizations achieve GLBA compliance through genuine security improvements, not checkbox exercises. Our services address the specific requirements and challenges of GLBA.

// Common Questions

Does the GLBA Safeguards Rule require penetration testing?

Yes. The FTC's updated Safeguards Rule, effective June 2023, requires covered financial institutions to test the effectiveness of their safeguards. Institutions without continuous monitoring in place must run annual penetration testing plus vulnerability assessments at least every six months. The rule also mandates multi-factor authentication, encryption of customer data in transit and at rest, and a written security program led by a named Qualified Individual. See the FTC Safeguards Rule for the full text.

What changed in the 2023 GLBA Safeguards Rule update?

The 2023 update moved GLBA from general guidance to specific, testable controls. Covered institutions must appoint a Qualified Individual to run the security program, encrypt customer data, enforce MFA, keep an incident response plan, and report annually to their board. A 2024 amendment added breach notification: security events affecting 500 or more consumers must be reported to the FTC within 30 days. The change shifted GLBA from a documentation exercise to enforceable security work with deadlines.

Who must comply with GLBA?

GLBA applies to financial institutions, which the FTC defines broadly. It covers banks, credit unions, mortgage lenders and brokers, tax preparers, auto dealers that arrange financing, investment advisers, and many fintech and SaaS firms that handle consumer financial data. If your business is significantly engaged in providing financial products or services to consumers, the Safeguards Rule likely applies. Firms serving 5,000 or more consumers face the full requirements; smaller firms get limited exemptions.

What are the penalties for GLBA non-compliance?

GLBA violations carry civil penalties up to $100,000 per violation for institutions, and up to $10,000 per violation for officers and directors personally. Responsible individuals can face up to five years in prison. Beyond fines, the FTC can require years of third-party audits under a consent order. The larger cost is often commercial: failed vendor security reviews, lost banking relationships, and cyber insurance claims denied for missing a required control.

Can a virtual CISO satisfy the GLBA Qualified Individual requirement?

Yes. The Safeguards Rule lets the Qualified Individual be employed by a service provider rather than in-house (16 CFR 314.4(a)). Your institution keeps responsibility for compliance and must name a senior employee to oversee the relationship, but day-to-day program leadership can come from an outside expert. A virtual CISO is a common way smaller financial institutions meet this requirement without hiring a full-time executive.

// Related Frameworks

// Industries That Need GLBA

These industries commonly require GLBA compliance as part of their regulatory obligations.

Guide last reviewed: June 15, 2026

Ready to Strengthen Your Defenses?

Schedule a free consultation with our security experts to discuss your organization's needs.

Or call us directly at (445) 273-2873