The FTC Safeguards Rule requires non-bank financial institutions, including auto dealers, tax preparers, mortgage brokers, financial advisors, and universities, to implement a written information security program with nine specific elements, designate a qualified individual to oversee it, and report to their board annually. The 2023 update significantly expanded technical requirements and increased FTC enforcement authority. Securafy delivers managed FTC Safeguards Rule compliance programs for covered businesses nationwide.
The FTC Safeguards Rule (16 CFR Part 314) implements the data security requirements of the Gramm-Leach-Bliley Act (GLBA) for non-bank financial institutions. The rule was substantially updated in 2023 to add prescriptive technical requirements, moving far beyond the original principle-based standard to mandate specific controls that many businesses are not yet implementing.
If your business engages in financial activities as defined by GLBA, even if you are not a bank or credit union, you are almost certainly a covered financial institution under the Safeguards Rule. The FTC has expanded enforcement significantly since the 2023 update, and the agency has made clear that Safeguards Rule compliance is an enforcement priority across all covered sectors.
Organizations with fewer than 5,000 customer records are exempt from some requirements (annual report to board, annual penetration testing, and vulnerability assessment every six months), but the core nine-element written information security program is required for all covered institutions regardless of size.
"The FTC Safeguards Rule is not just a bank problem. If you're a car dealer, tax preparer, mortgage broker, or financial advisor, you are a covered financial institution and the FTC is watching."
The Safeguards Rule applies to any business that is significantly engaged in financial activities. If you process, store, or transmit customer financial data in any of these categories, you are almost certainly a covered institution.
The FTC can impose civil penalties of up to $51,744 per violation per day for Safeguards Rule violations. Following a data breach, organizations without a compliant security program face compounded exposure: FTC civil action, state attorney general enforcement, class action litigation from affected customers, and potential exclusion from participating in financial programs. The FTC has publicly stated that Safeguards Rule enforcement is an agency priority, not a future concern.
Every covered financial institution must develop, implement, and maintain a written information security program that includes all nine of these elements. Securafy builds and maintains this program on your behalf, continuously, not just at audit time.
Designate a qualified individual (CISO or equivalent) to oversee and implement the program. Must report to your board or senior officer annually. Organizations with fewer than 5,000 records may use a service provider for this role.
Conduct a written risk assessment identifying foreseeable threats to customer information, assessing the likelihood and impact, and evaluating existing controls. Must be documented, periodic, and outcome-driven.
Design, implement, and maintain safeguards to control risks identified in the assessment, including access controls, encryption, multi-factor authentication, secure development practices, and change management.
Select and retain service providers that maintain appropriate safeguards. Your contracts must require providers to maintain a security program and you must monitor their compliance.
Conduct penetration testing at least annually and vulnerability assessments every six months (organizations with 5,000+ customers). Continuously monitor systems for unauthorized access and threats.
Implement a security awareness training program for all personnel with access to customer information. Training must be updated to reflect current threats and documented for compliance evidence.
Maintain a written incident response plan addressing goals, internal processes, roles, communications, remediation, documentation, and post-incident evaluation. Must be tested and updated regularly.
The qualified individual must report to the board or senior officer at least annually on the status of the information security program, risk assessment results, and material threats.
Maintain a Written Information Security Plan (WISP) documenting the entire program (policies, procedures, controls, risk assessment results, testing outcomes, and training records) in a form an FTC examiner can evaluate.
Securafy delivers a complete, continuously maintained FTC Safeguards Rule compliance program, not a one-time assessment and a binder. Every required element is implemented, documented, and kept current as your business and the threat landscape evolve.
A complete, attorney-grade Written ISP documenting your program across all nine required elements, written for your specific business, not a generic template.
Securafy's vCISO serves as your designated qualified individual, overseeing the program, conducting board reporting, and owning compliance accountability on your behalf.
Documented, periodic risk assessment identifying foreseeable threats to customer financial information with control gap analysis and remediation prioritization.
MFA, encryption at rest and in transit, access controls, patch management, EDR, and all technical safeguards required by the updated rule, implemented and maintained continuously.
Annual penetration testing and semi-annual vulnerability assessments for organizations with 5,000+ customers. Findings documented, remediated, and tracked in your compliance program.
Role-based security awareness training for all staff with access to customer information. Completion records maintained and reportable for FTC compliance evidence.
Written, tested incident response plan specific to your environment, with defined roles, communication procedures, 30-day breach notification protocols, and documented post-incident review.
Vendor risk assessment framework and contract review ensuring your service providers maintain appropriate safeguards, with documented monitoring and evidence for regulators.
Annual board-ready security program status report, risk assessment findings summary, and ongoing executive dashboard: everything your board needs to exercise appropriate oversight.
Most non-bank financial institutions believe they are compliant but have never conducted a formal gap assessment against the nine required elements. A Securafy engineer will evaluate your current program and show you exactly where you stand, at no charge.
A Securafy engineer contacts you within 10 minutes.