How to Conduct a GLBA-Compliant Risk Assessment for Your Community Bank
The Gramm-Leach-Bliley Act (GLBA) requires every financial institution to maintain a written information security program. At the center of that program is the risk assessment. Examiners working from FFIEC guidance treat it as the foundation: if the risk assessment is weak, the rest of the program is suspect.
What the Safeguards Rule actually requires
GLBA Section 501(b) requires financial institutions to protect the security and confidentiality of customer information. For non-bank financial institutions that obligation is implemented by the FTC's Safeguards Rule (16 CFR Part 314, substantially amended in 2021). Banks are not covered by the FTC rule; for them the same obligation is implemented by the Interagency Guidelines Establishing Information Security Standards issued by the prudential regulators (for example 12 CFR Part 30, Appendix B for OCC-supervised banks and 12 CFR Part 364, Appendix B for FDIC-supervised banks). Both regimes require a comprehensive written information security program, and both make the risk assessment the first step: you cannot design safeguards without first understanding what you are protecting and what threatens it.
For community banks, the examination overlay is the FFIEC IT Examination Handbook. Your OCC, FDIC, Federal Reserve, or state examiner uses that handbook when evaluating your information security program, and its Information Security booklet frames the core expectation as the ability to "identify, measure, monitor, and control" risks to customer information.
The five components examiners look for
Based on FFIEC guidance and examination procedures, a compliant risk assessment for a community bank should include:
- Asset inventory. Every system, application, and data repository that stores, processes, or transmits customer information. This includes your core banking system, online banking platform, email, file shares, backup systems, and any third-party services with access to customer data.
- Threat identification. Realistic threats to your specific environment: ransomware, business email compromise, insider threats, third-party vendor compromise, physical theft of equipment. Generic lists from the internet are not sufficient. Examiners want to see threats relevant to your bank's size, geography, and technology footprint.
- Vulnerability assessment. Weaknesses in your controls that those threats could exploit: missing patches, excessive user privileges, lack of MFA, unencrypted data at rest, inadequate logging. This should be informed by actual evidence (vulnerability scan results, penetration test findings, user access reviews), not guesswork.
- Risk rating. A consistent method for evaluating the likelihood and impact of each threat-vulnerability pair. A simple matrix works. The key is consistency and documentation — examiners want to see that you applied the same methodology across all assets.
- Remediation plan. For every risk rated medium or above, a documented plan with ownership, timelines, and status tracking. Identified risks without remediation plans are examination findings waiting to happen.
Where community banks get it wrong
The most common examination findings related to risk assessments fall into predictable categories:
1. Treating it as an annual checkbox
A risk assessment that gets completed every January and filed away is not a living document. Examiners look for evidence that the risk assessment drives decisions throughout the year — budget allocations, vendor selections, control implementations. If your risk assessment says email phishing is your top threat but you have not invested in email security or training, that disconnect will be noted.
2. Missing third-party risk
Community banks rely heavily on third-party service providers: core processors, cloud providers, managed IT firms. Your risk assessment must account for the risks these relationships introduce. The 2023 Interagency Guidance on Third-Party Relationships: Risk Management, issued jointly by the Federal Reserve, FDIC, and OCC, makes this explicit. If your core processor has access to all your customer data, the risks associated with that access belong in your assessment.
3. No connection between the risk assessment and the information security program (ISP)
Your information security program should be built on the findings of your risk assessment. If the assessment identifies 15 high risks but the ISP only addresses 5, examiners will ask about the other 10. The risk assessment and the security program are not separate documents that exist independently — one feeds the other.
4. Insufficient scope
Some banks assess their core banking system and call it done. But customer information lives in email, in loan origination systems, in scanned documents on shared drives, in the CRM the commercial lending team uses. Every system that touches customer nonpublic personal information (NPI, the GLBA term for the customer data the program protects) needs to be in scope.
A practical approach for community banks
If you are a community bank preparing for your next exam cycle, here is what works:
- Start with your asset inventory. If you do not know where customer information lives, you cannot assess the risks to it. Walk every department. Check every system. Include cloud services.
- Use the FFIEC CAT or an equivalent framework. The Cybersecurity Assessment Tool gives you a structured way to evaluate your inherent risk profile against your current control maturity. It is not mandatory, but examiners are familiar with it and it provides a common language. Note that the FFIEC has announced it will retire the CAT after August 31, 2025 and has pointed institutions to alternatives such as the NIST Cybersecurity Framework 2.0 and CISA's Cybersecurity Performance Goals, so plan for a successor framework if you build on the CAT today.
- Map threats to your actual environment. A bank in rural Iowa with 3 branches faces different threats than a bank in downtown Chicago with a large commercial lending operation. Be specific.
- Document everything with dates and owners. Every risk needs an owner. Every remediation item needs a deadline. Examiners check whether last year's findings were addressed.
- Review and update continuously. When you add a new vendor, change a system, or experience an incident, update the assessment. Do not wait for the annual cycle.
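As an added illustration of the rating and remediation-tracking components described earlier (consistent likelihood-by-impact scoring, a plan for every medium-or-higher risk) and of the owner, deadline, scope and review discipline in the checklist above, here is a small Python risk register with examiner-style checks. This is example code written for this article, not BlackSheep's product or any FFIEC-issued tool. The 3x3 rating matrix is one reasonable choice, not a regulatory requirement; the asset names, risks and dates are constructed sample data; and the one-year review window is an assumed threshold.

```python
"""Minimal risk register for a GLBA risk assessment (example code, not BlackSheep's).

Every threat/vulnerability pair is scored with the SAME 3x3 likelihood x impact
matrix, and examiner-style checks flag the gaps the article describes: in-scope
assets with no assessed risk, medium-or-higher risks with no owner or deadline,
overdue remediation, and entries not reviewed within an assumed one-year window.
All names, risks and dates below are constructed sample data, not a real bank.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# One fixed ordinal scale, applied to every asset the same way.
LEVELS = {"low": 1, "medium": 2, "high": 3}
REVIEW_WINDOW_DAYS = 365  # assumed threshold: anything older is flagged as stale


def rate(likelihood: str, impact: str) -> str:
    """Rate a threat/vulnerability pair from its likelihood x impact product.

    Products on the 1-3 scale are 1, 2, 3, 4, 6, 9: 1-2 -> low, 3-4 -> medium,
    6-9 -> high. Using one function for every pair is what gives the assessment
    the consistency examiners look for.
    """
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    owner: Optional[str] = None          # who is accountable for remediation
    due: Optional[date] = None           # remediation deadline
    last_reviewed: Optional[date] = None

    @property
    def rating(self) -> str:
        return rate(self.likelihood, self.impact)


def count_by_rating(risks):
    """The summary examiners usually ask for first: how many high/medium/low."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for r in risks:
        counts[r.rating] += 1
    return counts


def register_findings(assets, risks, today, window_days=REVIEW_WINDOW_DAYS):
    """Return (kind, detail) tuples for the gaps an examiner would write up."""
    findings = []
    assessed = {r.asset for r in risks}
    for asset in assets:  # scope check: every inventoried asset needs assessed risks
        if asset not in assessed:
            findings.append(("scope", f"{asset}: in inventory but no risk assessed"))
    for r in risks:
        label = f"{r.asset} / {r.threat}"
        if r.rating in ("medium", "high"):  # a remediation plan is required
            if not r.owner:
                findings.append(("owner", f"{label}: {r.rating} risk has no owner"))
            if r.due is None:
                findings.append(("deadline", f"{label}: {r.rating} risk has no deadline"))
            elif r.due < today:
                findings.append(("overdue", f"{label}: remediation due {r.due} not closed"))
        if r.last_reviewed is None or (today - r.last_reviewed).days > window_days:
            findings.append(("stale", f"{label}: not reviewed in the last {window_days} days"))
    return findings


# Constructed sample inventory and register (not real data).
ASSETS = [
    "core banking system", "online banking", "email (hosted)",
    "loan origination system", "commercial lending CRM", "shared drive (scanned docs)",
]
RISKS = [
    Risk("email (hosted)", "business email compromise", "no MFA on mailboxes",
         "high", "high", owner="IT manager", due=date(2025, 3, 31), last_reviewed=date(2025, 1, 15)),
    Risk("core banking system", "ransomware", "backup restores never tested",
         "medium", "high", owner="COO", due=date(2025, 6, 30), last_reviewed=date(2025, 1, 15)),
    Risk("online banking", "credential stuffing", "no login rate limiting",
         "medium", "medium", last_reviewed=date(2025, 1, 15)),  # medium, but no owner or deadline
    Risk("shared drive (scanned docs)", "insider data theft", "all-staff group has read access",
         "medium", "high", owner="IT manager", due=date(2024, 12, 31), last_reviewed=date(2023, 11, 1)),
    Risk("loan origination system", "laptop theft", "full-disk encryption enforced",
         "low", "medium", owner="IT manager", last_reviewed=date(2025, 1, 15)),  # low: no plan required
]
TODAY = date(2025, 2, 1)

if __name__ == "__main__":
    print(count_by_rating(RISKS))
    for kind, detail in register_findings(ASSETS, RISKS, TODAY):
        print(f"[{kind}] {detail}")
```

Run as-is, the sample register produces five findings: the CRM is in the inventory but never assessed (the scope gap from the "Insufficient scope" section), the online banking risk is medium with no owner and no deadline, and the shared drive risk is both overdue and stale. The point of keeping the rating in one function and the checks in one place is that the same rules apply to every asset and every review cycle, which is exactly the consistency and the dated, owned trail an examiner looks for.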
How BlackSheep fits in
BlackSheep's GLBA compliance platform provides a structured risk assessment workflow built around FFIEC expectations. It guides your team through asset inventory, threat identification, risk scoring, and remediation tracking — with everything timestamped and version-controlled for examiner review.
The platform does not replace your risk committee or your judgment about your own environment. It gives you the structure and documentation trail that examiners expect to see, without spending months building spreadsheets from scratch.
Build a risk assessment your examiners will actually accept.
Start your GLBA risk assessment with BlackSheep