The FTC Safeguards Rule is a regulation issued under the Gramm–Leach–Bliley Act (GLBA) that requires certain businesses to develop, implement, and maintain a comprehensive information security program to protect customer information.
While GLBA establishes the obligation to protect nonpublic personal information (NPI), the FTC Safeguards Rule defines how regulators expect organizations to do it—especially from a cybersecurity and IT operations standpoint.
Recent updates to the Safeguards Rule significantly raised the bar, making cybersecurity controls, documentation, and accountability explicit rather than implied.
The FTC Safeguards Rule applies to financial institutions regulated by the FTC, which includes many organizations that do not consider themselves “financial companies.”
Covered entities include:
Mortgage brokers and lenders
Auto dealerships offering financing
Payday lenders and financing companies
Debt collectors
Tax preparation firms
Credit counseling services
Investment advisors not regulated by the SEC
Fintech and financial SaaS providers
Service providers handling customer financial data
If your organization handles customer financial information to provide a financial product or service, the FTC Safeguards Rule likely applies.
The Safeguards Rule protects customer information, including:
Names, addresses, and contact information
Social Security numbers
Bank account and routing numbers
Credit card and loan information
Tax and income data
Any information obtained in connection with providing a financial product or service
From an IT perspective, this data often exists across multiple systems, cloud platforms, and third-party vendors, increasing risk if not properly managed.
It’s important to understand the relationship:
GLBA establishes the legal requirement to protect customer information
FTC Safeguards Rule defines minimum security program expectations
FFIEC provides exam guidance for banking regulators
NIST and ISO frameworks provide best-practice control structures
In short:
GLBA is the “what.” The FTC Safeguards Rule is the “how.”
Unlike many regulations, the Safeguards Rule is explicit and prescriptive about security expectations.
Key requirements include:
Organizations must designate a Qualified Individual responsible for the information security program.
This role oversees:
Risk assessments
Control implementation
Incident response
Reporting to leadership
Organizations must:
Identify reasonably foreseeable internal and external risks
Assess the sufficiency of safeguards
Document risk assessment results
Use assessments to drive security decisions
Risk assessments are no longer optional.
The updated Safeguards Rule explicitly calls out controls such as:
Multi-factor authentication (MFA)
Encryption of data at rest and in transit
Secure access controls
Secure development and configuration practices
Monitoring and logging
Secure disposal of customer information
These controls must be implemented unless a documented exception applies.
Organizations must:
Monitor system activity
Perform vulnerability assessments
Conduct penetration testing (or equivalent)
Adjust safeguards based on results
Security is expected to be a continuous activity, not a once-a-year exercise.
Organizations must:
Have a written incident response plan
Detect and respond to security events
Contain and remediate incidents
Document actions taken
The Safeguards Rule requires organizations to:
Select service providers capable of maintaining appropriate safeguards
Require vendors to protect customer information
Periodically assess vendor security practices
Vendor risk is a major enforcement focus.
Organizations must regularly report on:
Security program status
Material risks
Control effectiveness
Security incidents
Cybersecurity is explicitly elevated to an executive responsibility.
The FTC Safeguards Rule is actively enforced. Violations can result in:
Regulatory investigations
Consent orders
Fines and penalties
Mandatory remediation programs
Long-term regulatory oversight
Most enforcement actions cite:
Missing or outdated risk assessments
Lack of MFA or encryption
Poor vendor oversight
Weak documentation
Gaps between policy and actual controls
The Safeguards Rule aligns closely with:
NIST Cybersecurity Framework (CSF)
NIST SP 800-53
ISO 27001
SOC 2
GLBA and FFIEC expectations
Organizations that follow these frameworks typically meet—or exceed—Safeguards Rule requirements.
Here’s the key takeaway:
The FTC Safeguards Rule doesn’t require cutting-edge security—it requires accountability and proof.
Most requirements are basic cybersecurity best practices that any organization handling sensitive data should already have in place.
The difference is that now, regulators expect evidence.
Our cyber risk and compliance assessments help organizations:
Evaluate Safeguards Rule readiness
Identify control and documentation gaps
Align GLBA, FTC Safeguards, and FFIEC expectations
Strengthen vendor risk management
Build defensible audit and enforcement evidence
We focus on practical, regulator-ready security programs, not theory.
Here is a practical, high-impact roadmap.
Document:
Assess:
At minimum:
Ensure:
Confirm:
Prepare:
If your organization handles customer financial information, FTC Safeguards compliance is not optional.
Know where you stand, fix the gaps that matter, and build confidence in your ability to manage cyber risk responsibly.