The Gramm-Leach-Bliley Act (GLBA) is a federal law that requires financial institutions to protect the privacy and security of customer financial information. At CMIT Solutions, we help financial institutions build the security programs GLBA demands, from risk assessments and access controls to continuous monitoring and incident response planning.
Security is built into everything we do by design, not as an afterthought, so your business stays protected and focused on growth.
Explore our business data compliance solutions to see how we can help your organization meet its GLBA obligations.
What is the Gramm-Leach-Bliley Act?
The Gramm-Leach-Bliley Act is a federal law enacted in 1999 that requires financial institutions to protect the privacy and security of customer financial information. It sets enforceable standards for how that data is collected, shared, and secured, and it applies to a broader range of businesses than most organizations expect. For many organizations, uncertainty about whether they are in scope and what the law requires is where compliance risk begins.
Many businesses are surprised to discover they fall under GLBA’s scope. The law defines “financial institution” broadly to include mortgage lenders, payday lenders, auto dealerships that offer financing, tax preparers, real estate settlement services, and many accounting and financial advisory firms. If your business is “significantly engaged” in financial activities, GLBA very likely applies to you.
GLBA is enforced primarily by the Federal Trade Commission (FTC), with additional oversight from federal banking regulators, including the Office of the Comptroller of the Currency (OCC) and the Federal Reserve. The FTC’s GLBA guidance outlines how covered businesses are expected to comply. CMIT Solutions acts as a trusted technology advisor to financial institutions, helping translate complex regulatory obligations into practical, maintained security programs aligned with your operational goals.
💡 Additional reading: Data compliance regulations
Who Does GLBA Apply To?
GLBA applies to any business that qualifies as a “financial institution” under the law, a category far broader than chartered banks. As businesses grow and their technology environments become more complex, adding new vendors, platforms, and systems, determining where GLBA obligations begin and end becomes increasingly difficult. The FTC’s Safeguards Rule governs non-bank financial institutions, while banking regulators oversee depository institutions under their respective jurisdictions.
Organizations that commonly fall under GLBA include:
- Banks, credit unions, and savings institutions operating under federal or state charters
- Mortgage brokers, lenders, and servicers involved in residential or commercial lending
- Auto dealerships that arrange or facilitate financing for vehicle purchases
- Payday lenders and consumer finance companies that extend credit directly to individuals
- Tax preparation firms that handle financial data on behalf of individual clients
- Accountants and financial advisors who collect nonpublic personal information in the course of their services
- Check cashing and wire transfer businesses that process financial transactions on behalf of consumers
- Collection agencies and credit counselors that work directly with consumer financial information
- Real estate settlement companies and escrow firms involved in property transactions
The FTC’s Safeguards Rule guidance lists 13 specific examples of covered entity types to help businesses determine whether they fall within scope. If you are not certain whether GLBA applies to your organization, CMIT Solutions provides cybersecurity-informed recommendations to help you assess your obligations and build a clear compliance plan.
The Three Core Rules of GLBA
GLBA compliance is built on three distinct regulatory rules, each addressing a different aspect of how financial data must be handled. Without trusted guidance on what each rule actually requires in practice, many businesses treat compliance as a one-time exercise rather than the ongoing program the law demands. Together, the three rules form the full framework businesses are expected to follow.
The Financial Privacy Rule
The Financial Privacy Rule requires financial institutions to provide customers with clear, plain-language privacy notices explaining what personal financial information is collected, how it is used, and with whom it is shared. Customers must also be given the opportunity to opt out of having their information shared with non-affiliated third parties, with limited exceptions.
Privacy notices must be provided when a customer relationship begins and annually thereafter. Businesses that share data only with service providers under written agreements, and do not share data with unaffiliated third parties for marketing purposes, may qualify for an exception to the annual notice requirement under certain conditions.
The Safeguards Rule
The Safeguards Rule is the most operationally demanding component of GLBA for most businesses. It requires covered financial institutions to develop, implement, and maintain a comprehensive written information security program designed to protect customer information across systems, devices, networks, and users.
The FTC significantly updated the Safeguards Rule in 2021, with most provisions taking effect on June 9, 2023. These updates introduced specific technical and administrative requirements that moved GLBA far closer in scope to frameworks like NIST and SOC 2.
Key requirements introduced or clarified in the updated rule include:
- Designation of a qualified individual to oversee the information security program
- A written risk assessment identifying threats to customer data
- Access controls limiting who can reach sensitive systems and data
- Multi-factor authentication (MFA) for anyone accessing customer information
- Encryption of customer data in transit and at rest
- A current inventory of all systems, devices, and applications that store or process customer data
- Continuous monitoring and periodic testing of security controls
- A written incident response plan
- Security awareness training for all relevant staff
- Oversight of third-party service providers through written contracts
- Annual written reporting to the board of directors or equivalent governing body
Financial institutions that maintain customer information concerning fewer than 5,000 consumers are exempt from certain specific requirements under the Safeguards Rule, including the written risk assessment, incident response plan, and annual reporting obligations, but they remain subject to the overall program requirements.
The Pretexting Protection Rule
The Pretexting Protection Rule prohibits using false pretenses to obtain customer financial information. This rule directly targets social engineering and impersonation tactics, such as an attacker contacting a financial institution while posing as a customer to extract account details.
While the rule places direct prohibitions on those attempting to obtain information fraudulently, it also creates an implicit obligation for financial institutions to make those attempts harder to succeed.
CMIT Solutions helps financial institutions put the right staff training, verification protocols, and documented procedures in place, supported by continuous monitoring and threat response capabilities that keep your defenses ahead of evolving tactics.
GLBA Compliance Requirements: What Your Program Must Include
A GLBA-compliant information security program is not a single document or a one-time project. It is an ongoing operational commitment, and businesses that treat it as a maintenance task rather than a strategic priority tend to fall behind as requirements evolve and threats change. The FTC’s updated Safeguards Rule specifies the components a written security program must address.
| Requirement | What It Means in Practice |
|---|---|
| Qualified individual | A designated person, internal or outsourced, responsible for the information security program |
| Written risk assessment | A documented evaluation of threats to customer data, updated as material changes occur |
| Access controls | Role-based permissions limiting access to systems containing customer information |
| Multi-factor authentication | MFA required for all access to customer data systems |
| Encryption | Customer data encrypted in storage and in transit |
| Asset inventory | A current list of all systems, devices, and software that handle customer information |
| Security monitoring | Continuous or periodic monitoring to detect unauthorized access or anomalous activity |
| Incident response plan | A written plan covering detection, containment, notification, and recovery procedures |
| Staff training | Ongoing security awareness training for all relevant job functions |
| Vendor oversight | Written contracts requiring service providers to maintain appropriate safeguards |
| Annual board reporting | A written report to the board of directors or equivalent at least once per year |
Vendor gaps are one of the most common sources of compliance exposure for financial institutions of all sizes. CMIT Solutions helps businesses identify those gaps and put security standards in place that meet and exceed what regulators require, giving you a stronger foundation than the compliance baseline alone.
GLBA Compliance Checklist
Working through GLBA compliance is easier with a structured checklist. The steps below are organized around the Safeguards Rule’s core requirements and reflect the FTC’s 2021 amendments, which took effect in 2023. A proactive approach to each category means you are building protection by design rather than responding to problems after the fact.
Administrative Controls
- Designate a qualified individual to own the information security program
- Conduct and document a written risk assessment covering all areas where customer information is stored, processed, or transmitted
- Develop a written information security program that addresses each identified risk
- Establish a written incident response plan with defined roles and escalation procedures
- Schedule annual reporting on the security program to senior leadership or the board
- Review and update the security program whenever significant operational or technology changes occur
Technical Controls
- Implement multi-factor authentication for all systems that access or store customer information
- Encrypt customer data in transit using TLS or equivalent protocols
- Encrypt customer data at rest using AES-256 or equivalent standards
- Maintain an up-to-date inventory of all hardware, software, and data assets
- Deploy access controls based on the principle of least privilege
- Implement continuous or scheduled monitoring for unauthorized access and anomalous behavior
- Conduct penetration testing and vulnerability assessments on a regular schedule
- Establish secure disposal procedures for physical and digital records containing customer data
Physical Controls
- Restrict physical access to areas where customer data is stored or processed
- Implement visitor logging and access management for server rooms and data storage areas
- Establish procedures for the secure disposal of hardware containing customer data
Training and Culture
- Provide security awareness training to all staff who handle customer information at onboarding and annually
- Train staff specifically on social engineering and pretexting risks
- Document training completion and maintain records for audit purposes
Third-Party Oversight
- Identify all third-party vendors and service providers with access to customer information
- Execute written contracts requiring vendors to maintain appropriate safeguards
- Conduct due diligence reviews of vendor security practices before onboarding
- Monitor vendor compliance on an ongoing basis
Privacy Compliance
- Develop and maintain a clear, plain-language privacy notice
- Deliver privacy notices at the start of each customer relationship and annually thereafter
- Establish and honor opt-out rights for data sharing with non-affiliated third parties
- Document opt-out requests and responses
GLBA Penalties for Non-Compliance
Failing to meet GLBA requirements carries meaningful financial and legal consequences. For many small and mid-size financial institutions, the risk extends well beyond fines: a compliance failure often means operational disruption, data loss, and reputational damage that can take years to recover from, and a single enforcement action tied to non-compliance can cause serious damage.
Non-compliance with the Safeguards Rule exposes financial institutions to civil enforcement action by the FTC and, for depository institutions, by their federal banking regulator. Penalties vary in severity depending on the nature and scope of the violation, and regulators have broad authority to impose fines, require corrective action, and restrict business operations.
Separately, GLBA’s criminal provisions specifically target those who obtain customer financial information under false pretenses, with penalties including imprisonment of up to five years and substantial fines for individuals convicted under that provision. Banking regulators can impose additional escalating penalties in cases involving systemic compliance failures.
Beyond regulatory penalties, GLBA-regulated businesses face significant exposure from data breach litigation. While GLBA does not include an explicit private right of action, breach victims frequently bring claims under state consumer protection laws alongside regulatory proceedings, and breach notification obligations under state law can apply simultaneously with FTC enforcement.
CMIT Solutions helps financial institutions build layered protection across systems, networks, and users that reduces both regulatory and legal exposure before an incident has the chance to occur.
Use our IT downtime calculator to see what a compliance-related disruption could cost your business.
How the 2021 FTC Safeguards Rule Update Changed GLBA Compliance
The FTC’s 2021 amendments to the Safeguards Rule, with most provisions effective June 9, 2023, represent the most significant update to GLBA’s technical requirements since the rule was originally enacted. A separate amendment requiring breach notification to the FTC took effect on May 13, 2024.
Many financial institutions that relied on fragmented vendor relationships and loosely defined responsibilities found that the updated rule exposed accountability gaps they had not anticipated, and the obligations it introduced require real operational investment.
The most consequential changes include:
- Specific technical requirements: Earlier versions of the Safeguards Rule described outcomes without specifying the controls required to achieve them. The 2021 updates prescribe specific controls, including MFA, encryption, penetration testing, and continuous monitoring, rather than leaving implementation entirely to institutional discretion.
- The qualified individual requirement: Financial institutions must now designate a specific person responsible for the information security program. This individual must report to the board or equivalent governing body at least annually, creating a direct accountability chain between IT security and leadership.
- Incident notification: Under the 2024 amendment to the Safeguards Rule, financial institutions subject to FTC jurisdiction must notify the FTC no later than 30 days after discovery of a security event involving the unencrypted information of 500 or more consumers acquired without authorization.
- Small business clarifications: The amendments clarified the conditions under which institutions maintaining customer information concerning fewer than 5,000 consumers qualify for exemptions from certain specific Safeguards Rule requirements, providing more actionable guidance for smaller financial institutions.
The FTC’s full compliance guidance is available at ftc.gov. CMIT Solutions monitors regulatory developments like these continuously on behalf of the businesses we support, providing strategic technology guidance that keeps compliance programs aligned with current requirements so clients can focus on running their operations.
How GLBA Relates to Other Compliance Frameworks
GLBA does not exist in isolation. For most financial institutions, it is one of several overlapping compliance obligations, and when those obligations are managed in silos, disconnected from broader IT strategy and business goals, the result is duplicated effort, missed requirements, and a compliance program that never quite adds up to a coherent security posture. Mapping GLBA to other frameworks addresses that directly.
- GLBA and NIST: The NIST Cybersecurity Framework, published by the National Institute of Standards and Technology at csrc.nist.gov, is widely used as a reference for building GLBA-compliant security programs. NIST’s six functions (Govern, Identify, Protect, Detect, Respond, and Recover) map closely to the Safeguards Rule’s core requirements. The FTC has noted that NIST’s process-based approach is consistent with its own expectations for reasonable data security, though alignment with a NIST framework is not, by itself, a guarantee of GLBA compliance.
- GLBA and PCI DSS: Businesses that process payment card data are subject to PCI DSS requirements in addition to GLBA. The two frameworks share common ground around access controls, encryption, and monitoring, and a well-designed security program can be structured to satisfy both simultaneously.
- GLBA and SOC 2: Many financial institutions pursue SOC 2 attestation to demonstrate security controls to enterprise customers and partners. SOC 2’s Trust Service Criteria, particularly the Security and Availability categories, overlap meaningfully with GLBA Safeguards Rule requirements, and organizations that have completed a SOC 2 audit will find that a significant portion of their GLBA technical controls are already documented.
- GLBA and state privacy laws: Several states have enacted financial data privacy laws that operate alongside GLBA. Financial institutions operating across multiple states should assess where state law creates obligations beyond the federal minimum.
CMIT Solutions provides the strategic guidance to help financial institutions map existing controls across these frameworks, turning overlapping obligations into a cohesive, efficient security program built on shared tools, consistent standards, and best practices applied across every engagement.
💡 Additional reading: What is NIST compliance
For businesses with government contracts or defense sector requirements, learn how our CMMC compliance services can help you meet those obligations alongside your GLBA program.
GLBA Compliance and Cyber Insurance
Many financial institutions carry cyber liability insurance as protection against the costs of a data breach or ransomware incident. Insurers are scrutinizing security controls more closely than ever, and organizations that cannot demonstrate GLBA compliance are finding it harder to obtain coverage or are facing higher premiums at renewal.
Many businesses assume their cyber insurance will cover them after an attack, but insurers increasingly require specific security controls before issuing or renewing coverage. Insurers commonly require documented evidence of the same controls GLBA mandates: multi-factor authentication, encryption, incident response planning, and regular security testing.
Through security-first managed IT services, CMIT Solutions helps financial institutions build a security posture that exceeds the baseline, giving insurers the confidence they need and giving your business the protection it deserves.
Use our insurance readiness assessment to see whether your current security environment aligns with modern insurer expectations.
How CMIT Solutions Helps Financial Institutions Stay GLBA-Compliant
GLBA compliance is an ongoing operational commitment, and for many financial institutions, internal IT resources simply cannot scale fast enough to keep pace with growing regulatory demands alongside day-to-day business pressures. CMIT Solutions provides security-first managed IT services designed to close that gap, acting as a strategic technology partner that keeps your compliance program strong while your team stays focused on running the business.
With more than 30 years of experience supporting small and mid-size businesses across the financial services sector and beyond, CMIT Solutions delivers responsive, locally trusted IT support backed by a nationwide network of 900+ technology and cybersecurity professionals. You get the personalized service of a local relationship, the shared expertise and best practices of a national organization, and enterprise-level capabilities that grow with your business.
We take on the ongoing work that GLBA requires: continuous monitoring and threat response, layered technical controls, vendor oversight, risk assessments, backup and recovery planning for business continuity, and keeping documentation current. The result is stronger cybersecurity protection, more reliable IT operations, and the strategic guidance your leadership team needs to make technology decisions that support long-term resilience. On-site support is available whenever in-person assistance is needed.
See how we helped Optyx, a multi-location optical retailer, build consistent and secure IT infrastructure across all of their locations with the support of a nationwide network of IT professionals. Read the Optyx case study to see what that looks like in practice.
To speak with a CMIT Solutions advisor about your GLBA compliance program, call us at (800) 399-2648 or contact our team today.
FAQs
How long does GLBA compliance take to implement?
For most small and mid-size financial institutions, building a foundational GLBA-compliant information security program takes several months. That window covers the written risk assessment, policy documentation, technical controls such as MFA and encryption, and initial staff training. Ongoing maintenance, including monitoring, testing, and annual reporting, then continues as a permanent operational commitment.
Does GLBA require a third-party security audit?
GLBA does not mandate an external audit for most covered businesses, but regulators expect documented evidence that your security controls are operating effectively. Internal testing and monitoring satisfy the Safeguards Rule’s baseline requirements. That said, cyber insurers and some regulatory examiners routinely request third-party attestations, making periodic external reviews a practical part of a mature compliance program.
Does having a documented security program reduce GLBA penalties after a breach?
A documented, well-maintained security program is a material factor in how regulators assess your response, but it does not eliminate liability. The FTC considers whether your program was reasonable, whether you responded promptly, and whether you notified the agency within the required 30-day window. Documented evidence of each step measurably affects enforcement outcomes.
What GLBA training requirements apply to my employees?
The Safeguards Rule requires security awareness training for every employee who handles customer information, not just IT staff. Training must cover data handling procedures, social engineering recognition, and pretexting risks. It must be delivered at onboarding and repeated on an ongoing basis, with completion records maintained and available as documented evidence of an operational security program.
How does GLBA apply to businesses using cloud software or third-party platforms?
Using cloud-based tools or software-as-a-service platforms does not reduce your GLBA obligations; it extends them to your vendors. Any third party with access to customer information must be covered by a written contract requiring them to maintain appropriate safeguards. CMIT Solutions helps financial institutions structure vendor agreements, conduct due diligence, and monitor third-party compliance on an ongoing basis.