Updated 2023 — now with specific requirements

GLBA / FTC Safeguards Rule: the 2023 update changed everything

The FTC Safeguards Rule went from general principles to specific, enforceable requirements in 2023. Designated qualified individual, MFA, encryption, annual pen tests, written incident response plan. If you're a financial institution under FTC jurisdiction, this is your compliance baseline. BlackSheep tracks every requirement.

$249/month · All frameworks included · No credit card to start

  • 7 requirement categories
  • 18 controls tracked
  • $100K FTC penalty per violation
  • 2023 major amendment effective

What the 2023 Safeguards Rule requires

The updated rule transformed general security principles into specific, testable requirements.

Information Security Program

§314.4(a)–(d)

  • Designated qualified individual with authority and expertise
  • Comprehensive written information security program
  • Periodic written risk assessments identifying threats and evaluating safeguards
  • Annual written report to board or governing body

Access Controls & Authentication

§314.4(c)(1)–(3)

  • Access limited to authorized users based on business need
  • Multi-factor authentication for all access to customer information
  • Inventory of all data, systems, and devices handling customer information

Data Security & Encryption

§314.4(c)(3)–(5)

  • Encryption of customer information in transit and at rest
  • Secure disposal within 2 years of last use
  • Change management for systems handling customer information

Monitoring & Testing

§314.4(d)

  • Annual penetration testing OR continuous monitoring
  • Twice-yearly vulnerability assessments (if pen test path)
  • Activity logging and monitoring for unauthorized access
  • Findings documented and remediated within defined timeframes

Service Provider Oversight

§314.4(f)

  • Due diligence before providers access customer information
  • Contracts requiring appropriate safeguards
  • Breach notification requirements in contracts
  • Periodic assessment of provider safeguard adequacy

Incident Response

§314.4(h)

  • Written incident response plan with defined roles
  • FTC notification within 60 days for breaches affecting 500+ consumers
  • Evidence preservation and containment procedures
  • Post-incident review and plan updates

Training & Awareness

§314.4(e)

  • Security awareness training for all personnel
  • Specialized training for security staff and qualified individual
  • Training on current threats, policies, and incident reporting
  • Documented completion records

"Financial institution" is broader than you think

The FTC's definition covers far more than banks. If you handle customer financial information, you likely qualify.

Mortgage & Lending

  • Mortgage brokers
  • Mortgage lenders & servicers
  • Payday lenders
  • Auto dealers (financing)
  • Finance companies

Tax & Accounting

  • Tax preparation firms
  • CPA firms handling financial data
  • Enrolled agents
  • Bookkeeping services
  • Payroll processors

Financial Services

  • Non-SEC investment advisors
  • Non-federally insured credit unions
  • Check cashers & wire transferors
  • Debt collectors
  • Real estate settlement services

Common questions about the Safeguards Rule

How is this different from SEC Reg S-P?

Reg S-P applies to SEC-registered entities. The FTC Safeguards Rule applies to financial institutions under FTC jurisdiction — which includes mortgage brokers, tax preparers, non-SEC advisors, and many others. There is overlap in the requirements (both require written security programs, incident response, vendor oversight), but the FTC rule has specific technical requirements like mandatory MFA and encryption that Reg S-P does not.

Do we need annual penetration testing?

The rule gives you a choice: annual penetration testing plus twice-yearly vulnerability assessments, OR continuous monitoring of your systems. Most smaller organizations choose the pen test path. The qualified individual must review test results and approve remediation plans.

What does 'qualified individual' mean?

Someone with the knowledge, skills, and experience to oversee your information security program. This can be an employee, an affiliate, or a service provider (like an outsourced CISO). If you use a service provider, you remain responsible for compliance. The qualified individual must report to your board annually.

Is there a small business exemption?

Partially. Financial institutions that maintain customer information on fewer than 5,000 consumers are exempt from some requirements: written risk assessment, annual penetration testing, continuous monitoring, incident response plan, and annual board reporting. They are NOT exempt from the core requirements: written security program, qualified individual, access controls, encryption, MFA, and employee training.

What about the encryption requirement?

The 2023 rule explicitly requires encryption of customer information both in transit over external networks and at rest. If encryption is infeasible for a specific system, you must document why and implement compensating controls approved by the qualified individual. In practice, there are very few legitimate reasons not to encrypt.

The FTC isn't waiting. Neither should you.

BlackSheep maps every requirement of the 2023 Safeguards Rule. Qualified individual designation, risk assessments, MFA verification, encryption documentation, pen test tracking, and incident response planning — all in one platform.

$249/month. 30-day money-back guarantee.