GLBA Compliance for Financial Institutions: The Updated Safeguards Rule Explained
The FTC’s updated Safeguards Rule, fully effective since June 2023, transformed GLBA compliance from a principles-based framework into a requirements-based one. Financial institutions that interpreted the original rule as a documentation exercise are now subject to specific, auditable controls — including a named qualified individual, a written information security program, and encryption and multi-factor authentication mandates. This guide covers what the updated rule requires, what it means operationally, and how to build a compliant program that survives examination.
What Is GLBA and Who Must Comply?
The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, governs how financial institutions collect, use, and protect customer financial information. The law applies broadly — “financial institution” under GLBA includes not only banks, credit unions, and insurance companies but also mortgage brokers, payday lenders, tax preparers, auto dealers offering financing, and any business engaged in activities “incidental to financial activities.”
Three rules implement GLBA’s privacy and security requirements:
- The Privacy Rule — requires disclosure to customers about information-sharing practices and gives customers the right to opt out of certain disclosures.
- The Safeguards Rule — requires covered financial institutions to develop, implement, and maintain an information security program to protect customer information. The FTC’s updated Safeguards Rule (effective June 9, 2023) is the operationally significant one for security and IT programs.
- The Pretexting Rule — prohibits obtaining customer financial information through false pretenses.
Banks and credit unions operate under the GLBA framework implemented by their primary federal regulator (OCC, FDIC, NCUA, or Federal Reserve) rather than the FTC Safeguards Rule, but the substantive security requirements are substantially similar following recent regulatory harmonization. This guide focuses primarily on the FTC Safeguards Rule as the operative framework for non-bank covered entities.
The FTC Safeguards Rule: What Changed in 2023
The original Safeguards Rule (2003) required a written information security program but left implementation largely to each institution’s discretion. The 2023 update replaced flexibility with specificity. Institutions that were compliant under the original rule — meaning they had a documented program — are not necessarily compliant with the current rule. The updates impose twelve discrete operational requirements that are individually auditable.
The Twelve Safeguards Rule Requirements
- Designate a Qualified Individual. A specific person must be responsible for overseeing, implementing, and enforcing the information security program. This is addressed in detail at /compliance/glba-qualified-individual/.
- Conduct a risk assessment. The assessment must be written, identify reasonably foreseeable internal and external risks, and evaluate the sufficiency of existing safeguards.
- Implement safeguards to control identified risks, including monitoring and testing of the program itself.
- Regularly monitor and test safeguards. Continuous monitoring or periodic penetration testing and vulnerability assessments are required.
- Train staff. Security awareness training must be provided to all personnel with access to customer information.
- Monitor service providers. Contracts with service providers must require appropriate safeguards, and oversight of those safeguards must be active, not assumed.
- Keep the information security program current. It must be updated in response to results of testing and monitoring, changes in operations, and new threats.
- Create a written incident response plan. The plan must address detection, response, recovery, and internal and external notification procedures.
- Report to the Board. The Qualified Individual must report at least annually to the board of directors (or equivalent) on the status of the information security program.
- Encrypt customer information, both in transit and at rest.
- Implement multi-factor authentication. Required for any individual accessing any information system containing customer information, with a limited exception for technical infeasibility, which must be backed by a documented compensating control.
- Limit and monitor who can access customer information. Access controls must reflect need-to-know principles and must be actively managed.
The Written Information Security Program requirement — the WISP — is the foundational document that ties these twelve elements together. Requirements for a compliant WISP are addressed at /compliance/glba-wisp-requirements/. The Safeguards Rule in full detail is at /compliance/glba-safeguards-rule/.
GLBA Safeguards Rule Requirements Summary
| Requirement | Operational Implication | Common Failure Mode |
|---|---|---|
| Qualified Individual | Named person — can be internal CISO or qualified external service provider | Role assigned nominally without authority or resources |
| Written Risk Assessment | Annual at minimum; must be documented and dated | Generic templates substituted for actual risk analysis |
| Encryption (at rest and in transit) | All customer information systems must be covered; no exceptions without documented justification | Encryption deployed on primary systems; legacy endpoints excluded |
| Multi-Factor Authentication | Required for all access to systems containing customer information | MFA deployed for remote access only; internal access excluded |
| Incident Response Plan | Written, tested, includes notification procedures | Plan exists but has never been exercised; notification paths undefined |
| Board Reporting | Annual report from Qualified Individual to board or equivalent governance body | No documented board-level security review; program lives only in IT |
| Service Provider Oversight | Contracts must require safeguards; oversight must be active | Contracts include boilerplate security language; no ongoing oversight |
| Continuous Monitoring / Testing | Either automated continuous monitoring or periodic pen testing and vulnerability assessments | Annual vulnerability scan treated as sufficient; no continuous telemetry |
The Qualified Individual Requirement in Practice
The Qualified Individual designation is frequently misunderstood. The FTC Safeguards Rule does not require a full-time CISO. It requires a specific individual — internal or external — with the qualifications, authority, and resources to oversee the information security program. That individual must report to the board at least annually.
For many mid-market financial institutions, an internal IT director is designated as the Qualified Individual, but the designation is procedurally hollow: the individual lacks CISO-level security expertise, has insufficient time dedicated to security program management, and has no direct board relationship. This creates the appearance of compliance while leaving the institution exposed during examination and, more importantly, during an actual incident.
The vCISO structure — where a qualified external practitioner serves as the designated Qualified Individual with defined authority and board access — satisfies the rule’s requirements and is explicitly contemplated by the FTC. Armorstack’s VERITY advisory practice provides vCISO services structured to meet the Qualified Individual obligation, including the required annual board reporting deliverable.
For a complete analysis of the Qualified Individual requirement and how to structure the role compliantly, see /compliance/glba-qualified-individual/.
GLBA and the NIST CSF: Using Both Frameworks Together
The FTC Safeguards Rule does not mandate a specific security framework — it specifies outcomes. NIST CSF 2.0 provides the organizational architecture for achieving those outcomes in a structured, auditable way. Using CSF 2.0 as the program framework while mapping controls to Safeguards Rule requirements is the most defensible approach during FTC examination because it demonstrates both the existence of controls and the governance structure that owns them.
The GOVERN function in CSF 2.0 directly supports the Qualified Individual, board reporting, and risk management policy requirements. The PROTECT and DETECT functions map to encryption, MFA, and continuous monitoring requirements. The RESPOND function supports the incident response plan requirement. Institutions that frame their GLBA program through CSF 2.0 produce examination evidence that is organized, traceable, and demonstrates program maturity rather than point-in-time compliance.
Armorstack’s SENTRY managed detection and response program provides the continuous monitoring and anomaly detection capability that satisfies the Safeguards Rule’s monitoring requirement. Our CORE managed IT services address encryption, MFA deployment, and access control implementation. Together, these capabilities can reduce the time from gap assessment to technical compliance from quarters to weeks.
Examination Readiness: What FTC and State Regulators Look For
FTC examinations of financial institutions under the Safeguards Rule have historically focused on documentation — does the WISP exist, does it address required elements, is it current? Post-2023, examination expectations have shifted toward operational evidence: not just “do you have an MFA policy” but “show us MFA is enforced across all systems covered by the rule.”
State financial regulators — particularly those in New York (NYDFS Cybersecurity Regulation), California, and others with independent cybersecurity rules — have additionally raised the evidentiary bar. Many now expect continuous monitoring telemetry, penetration testing results, and documented board discussions of cybersecurity risk, not just policy documents.
Building examination-ready evidence requires the same discipline as building an operationally effective security program. Institutions that build for operations rather than documentation typically produce better examination artifacts — because the evidence is generated by running controls rather than assembled before an examination date. For an assessment of your current GLBA posture, contact our advisory team or review the 90-Day Proof program at armorstack.ai/compliance/.
Typical market-rate costs for GLBA compliance programs vary based on institution size, complexity, and current-state maturity. For organizations with limited existing controls, initial implementation investment is typically more substantial; for organizations with strong infrastructure and gaps primarily in governance and documentation, advisory-led programs can close critical gaps more rapidly. Contact us at /contact/ for a scoped engagement estimate specific to your situation.