Revised GLBA Safeguards Rule Has Teeth: Better Be Ready

April 14, 2022

  • The FTC’s Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, announced in 2002, has been substantially updated and became effective January 10, 2022.
  • The new requirements, including a written risk assessment, are much more prescriptive and have more “teeth.”
  • The compliance deadline is December 9, 2022.



GLBA was designed and written to protect financial customers’ privacy but abjectly failed to recognize that there's no privacy without an adequate security foundation. The GLBA Safeguards Rule was so vague and subject to interpretation that many companies could convince themselves, their customers and federal auditors they were complying with the rule when their security programs barely existed. When GLBA was written in 1999, cybersecurity risk was much lower because we lived in a world where companies’ data resided behind closed network perimeters. This was before companies interacted almost seamlessly across the wild internet and before hackers ruled.


It’s 2022 now and the GLBA Safeguards Rule has finally grown teeth – long, sharp teeth. While most large financial institutions have invested heavily in building out their cybersecurity programs over time due to industry regulations and business risk alignment, many mid-size or smaller non-bank financial institutions may going find themselves woefully short of complying with the new, and much more prescriptive, Safeguards Rule. Companies should begin now to review the state of their cybersecurity program in order to be compliant by the end of 2022.


The FTC released their final rule in late October 2021, detailing changes that will enforce and better define customer protections in the GLBA. The changes have a large impact on non-bank financial institutions, such as mortgage and finance companies, brokerages, lenders and motor vehicle dealers. The final rule is effective 30 days after it’s published in the Federal Register and is expected to be enforced by the end of 2022. Some financial entities that were previously considered outside the banking industry were able to escape the requirements, but these new changes place them in scope.


The most significant requirement is the risk assessment parameters. The existing rule requires that information security programs be based on a financial institution’s identification and assessment of reasonably foreseeable internal and external risks to customer information. The new rule continues to require risk assessments, but now specifically requires that they be in writing. They must include: criteria to evaluate and categorize identified security risks; criteria to assess the “confidentiality, integrity, and availability” of customer information and information systems (including whether existing controls are adequate in the context of the identified risks); and requirements that describe how identified risks will be accepted or mitigated based on the assessment and how the information security program will address them. While risk assessments must include these topics, each financial institution can tailor them to its own structures and needs.


Specific Measures. To control the risks identified through risk assessments, financial institutions must implement a number of specific safeguards, save where an exception or qualification applies, such as:


  • Multi-factor authentication (MFA) for both consumer and internal users accessing an information system (unless the financial institution’s Qualified Individual is “approved in writing for the use of reasonably equivalent or more secure access controls”)
  • Access controls for all customer information, including that stored in physical (non- electronic) systems and physical restrictions on access to hardware containing electronically stored customer information

    • The principle of least privilege (“The Commission does not believe it is appropriate, for example, for larger companies to give all employees and service providers access to all customer information.”)
    • Encryption of customer information in transit on external networks and at rest (unless the financial institution determines that such encryption is infeasible and instead secures customer information using an effective alternative that’s approved by the institution’s Qualified Individual and compensates for the controls reviewed)

  • Data inventory and classification practices
  • Secure development practices
  • Change management
  • Logging and system monitoring
  • Penetration testing and vulnerability assessment
  • A written incident response plan
  • Procedures for the secure disposal of customer information within two years of when the data was last used
  • Mechanisms to ensure employee training is effective


Meeting the requirements of the updated Safeguards Rule doesn’t have to be overwhelming, but the deadline for compliance is just a few short months away, so you’re encouraged to begin assessing your organization’s footing as soon as possible.


If you have questions about this new Safeguard Rule and how it might affect your organization, please drop us a line.

Technical Manager, Advisory Solutions | Optiv
Crawford has over 40 years of experience in both consulting and enterprise environments. Her experience ranges from small businesses to Fortune 500 corporations in a multitude of industries. She has extensive enterprise information protection program development and management expertise that spans policy and technology, architecture design, security risk assessment and management and information technology governance strategy and implementation in IT and OT environments.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit

Related Insights



Cybersecurity Compliance Services


Optiv's Cybersecurity compliance services including, PCI DSS, HITRUST, NIST CSF and ISO 27001, can help you navigate the complex, ever-changing security compliance arena. Learn more today!



PCI DSS 4.0 Is Here: When Does My Company Need To Be Ready?


Some companies should update to PCI DSS v4.0 now, while others should wait. This post features helpful details and advice on how to begin preparing.



Cyber Risk Management and Transformation


Our Cyber Risk Management and Transformation services help organizations modernize and automate their approach to risk management. Learn more today!