FTC Safeguards Rule Guide
What small financial institutions need to know — LevoySec
What Is the FTC Safeguards Rule?
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect customer information. The FTC's Standards for Safeguarding Customer Information (the "Safeguards Rule", 16 CFR Part 314) specifies how. The amended rule, finalized in December 2021 with a compliance deadline of June 9, 2023, added significant new requirements, including the nine program elements listed below.
Who does this apply to? Any non-bank business "significantly engaged" in financial activities and not supervised by another financial regulator: accounting firms, tax preparers, mortgage brokers, financial advisors, auto dealers offering financing, and more. Firms that hold information on fewer than 5,000 consumers are exempt from some of the written-program elements (the written risk assessment, continuous monitoring or penetration testing, the written incident response plan, and the annual board report) but must still meet the rest.
Key Requirements
- Designate a Qualified Individual — Appoint someone to oversee your information security program. This can be an employee or an outsourced provider (like a vCISO).
- Conduct a Risk Assessment — Identify internal and external risks to the security, confidentiality, and integrity of customer information, and assess whether your current safeguards control them. Put the assessment in writing and revisit it periodically.
- Implement Safeguards — Design and implement safeguards to control the risks identified, including:
- Access controls and authentication (MFA for anyone accessing an information system that holds customer information, unless the Qualified Individual approves equivalent or stronger controls in writing)
- Data inventory and classification (know what customer information you hold, where it lives, and which systems and people can reach it)
- Encryption of customer information at rest and in transit over external networks (with compensating controls approved by the Qualified Individual where encryption is infeasible)
- Secure development practices for in-house applications
- Change management procedures
- Logging and monitoring of authorized users' activity, and secure disposal of customer information no later than two years after its last use unless retention is required
- Monitor and Test — Regularly test the effectiveness of your safeguards: either continuously monitor your information systems, or perform penetration testing at least annually and vulnerability assessments at least every six months and whenever a material change occurs.
- Train Your Staff — Provide security awareness training upon hiring and periodically thereafter.
- Monitor Service Providers — Select vendors that can maintain appropriate safeguards, require those safeguards by contract, and periodically reassess each vendor based on the risk it presents.
- Keep Your Program Current — Update your security program as business changes, new threats, or audit findings warrant.
- Create an Incident Response Plan — Document procedures for detecting, responding to, and recovering from security events, including roles, internal and external communications, and post-incident review. Since May 2024 the Rule also requires notifying the FTC no later than 30 days after discovering an unauthorized acquisition of unencrypted customer information involving at least 500 consumers.
- Report to the Board — The Qualified Individual must report in writing at least annually to the board or governing body (or, if there is none, a senior officer), covering the program's overall status and compliance and material matters such as risk assessment results, test results, service provider arrangements, and security events.
Common Gaps We See
- No designated Qualified Individual or vCISO
- Risk assessment hasn't been updated since 2022 or earlier
- MFA not enforced for every account that can reach customer data, including remote access, email, and vendor accounts
- No full-disk encryption on laptops or removable media (USB drives), which turns a lost device into a loss of customer information
- Missing or outdated incident response plan
- No vendor/service provider security assessments
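As a concrete check for the portable-device gap above, here is an added example, not code from the original LevoySec page: a PowerShell script that inventories BitLocker status on a Windows endpoint and saves the result as evidence for the encryption safeguard. It uses the standard BitLocker module cmdlets; the report location under ProgramData is an assumption.

```powershell
# Added example (not part of the original page): inventory BitLocker status on a
# Windows endpoint and keep the result as Safeguards evidence.
# Needs the BitLocker PowerShell module (Windows 10/11 Pro/Enterprise or Server)
# and an elevated session. $ReportPath is an assumed location; adjust as needed.
#Requires -RunAsAdministrator

$ReportPath = Join-Path $env:ProgramData 'SafeguardsEvidence\bitlocker-status.csv'

# One row per volume, fixed and removable. ProtectionStatus is the field that matters:
# a volume can be FullyEncrypted yet have protection Off (for example, suspended for a
# firmware update), and in that state the disk is readable without any key.
$volumes = Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Drive         = $_.MountPoint
        VolumeType    = $_.VolumeType           # OperatingSystem or Data
        Protection    = $_.ProtectionStatus     # On or Off
        VolumeStatus  = $_.VolumeStatus         # FullyEncrypted, EncryptionInProgress, FullyDecrypted, ...
        Percent       = $_.EncryptionPercentage
        Method        = $_.EncryptionMethod     # e.g. XtsAes256; None when not encrypted
        KeyProtectors = (($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ';')
        CheckedUtc    = (Get-Date).ToUniversalTime().ToString('o')
    }
}

# A volume counts as protected only when encryption has finished AND protection is on.
$unprotected = @($volumes | Where-Object {
    $_.Protection -ne 'On' -or $_.VolumeStatus -ne 'FullyEncrypted'
})

# Save the evidence and show a summary.
New-Item -ItemType Directory -Force -Path (Split-Path $ReportPath) | Out-Null
$volumes | Export-Csv -Path $ReportPath -NoTypeInformation
$volumes | Format-Table Drive, VolumeType, Protection, VolumeStatus, Percent, Method, KeyProtectors -AutoSize

if ($unprotected.Count -gt 0) {
    Write-Warning ("{0}: {1} volume(s) not fully protected: {2}" -f $env:COMPUTERNAME, $unprotected.Count, ($unprotected.Drive -join ', '))
    exit 1
}
Write-Host "$($env:COMPUTERNAME): every BitLocker volume is fully encrypted with protection on."
```

Run it from your endpoint management or RMM tool so the CSV rows from every laptop can be collected centrally; the non-zero exit code lets the tool flag machines that need attention. It covers Windows only; macOS (FileVault, `fdesetup status`) and Linux (LUKS) endpoints need their own check, and a USB drive only appears in the report while it is plugged in, so removable-media policy still has to be enforced by configuration rather than by this audit alone.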
Getting Started
Step 1: Gap Assessment
Compare your current security posture against the nine requirements above. Document what you have and what's missing.
Step 2: Prioritize
Focus on the highest-risk gaps first — typically MFA, encryption, and the risk assessment itself.
Step 3: Implement
Build out controls systematically. Many small firms partner with an MSSP to handle the technical requirements.
Step 4: Document Everything
The FTC expects written policies, procedures, and evidence of implementation. Documentation is as important as the controls themselves.