Gramm-Leach-Bliley Act — FTC Safeguards Rule
Also known as: GLBA Safeguards Rule
Citation: 16 C.F.R. Part 314
Status: In Force
The FTC Safeguards Rule requires non-bank financial institutions under FTC jurisdiction to develop, implement and maintain a comprehensive written information security program. Amendments adopted in 2021, with most provisions in force from June 9, 2023, added specific technical requirements, including multi-factor authentication, encryption of customer information in transit and at rest, annual penetration testing with vulnerability assessments at least every six months (unless continuous monitoring is in place), and a designated Qualified Individual to oversee the program. A further amendment, effective May 13, 2024, requires covered institutions to notify the FTC as soon as possible, and no later than 30 days after discovery, of a breach of unencrypted customer information involving at least 500 consumers.
Jurisdiction
United States (Federal)
Regulator
Federal Trade Commission
Effective
June 9, 2023 (breach notification requirement effective May 13, 2024)
Sector
financial
Full Text / Summary
The amendments adopted in 2021 (most provisions effective June 9, 2023) significantly strengthened the Safeguards Rule, which previously required only a general written security program. Key additions include: mandatory designation of a Qualified Individual to oversee the program; a written risk assessment; specific technical safeguards (multi-factor authentication for anyone accessing customer information systems, encryption in transit and at rest, access controls, logging and monitoring of user activity, annual penetration testing and semi-annual vulnerability assessments unless continuous monitoring is used, secure disposal of customer information, and change management); a written incident response plan; and at least annual written reporting by the Qualified Individual to the board or equivalent governing body. The breach notification requirement (FTC notice within 30 days of discovering an event affecting 500 or more consumers) was added by a separate amendment effective May 13, 2024. Institutions that maintain customer information on fewer than 5,000 consumers are exempt from the written risk assessment, continuous monitoring or testing, written incident response plan and annual board report requirements. The rule applies to a broad range of non-bank financial services companies that are not regulated by other federal financial regulators, such as mortgage lenders and brokers, payday lenders, finance companies, collection agencies, tax preparers, non-federally insured credit unions and (since the 2021 amendments) "finders" that bring together buyers and sellers of financial products.