FTC Safeguards Rule Compliance
The FTC Safeguards Rule requires non-bank financial institutions — including auto dealers, tax preparers, mortgage brokers, financial advisors, and universities — to implement a written information security program with nine specific elements, designate a qualified individual to oversee it, and report to their board annually. The 2023 update significantly expanded technical requirements and increased FTC enforcement authority. Securafy delivers managed FTC Safeguards Rule compliance programs for covered businesses nationwide.
The FTC Safeguards Rule is actively enforced against non-bank financial companies. Securafy documents the nine required elements of your information security program.
FTC Safeguards Rule — What It Requires
The FTC Safeguards Rule (16 CFR Part 314) implements the data security requirements of the Gramm-Leach-Bliley Act (GLBA) for non-bank financial institutions. The rule was substantially updated in 2023 to add prescriptive technical requirements — moving far beyond the original principle-based standard to mandate specific controls that many businesses are not yet implementing.
If your business engages in financial activities as defined by GLBA — even if you are not a bank or credit union — you are almost certainly a covered financial institution under the Safeguards Rule. The FTC has expanded enforcement significantly since the 2023 update, and the agency has made clear that Safeguards Rule compliance is an enforcement priority across all covered sectors.
Organizations with fewer than 5,000 customer records are exempt from some requirements (annual report to board, annual penetration testing, and vulnerability assessment every six months), but the core nine-element written information security program is required for all covered institutions regardless of size.
"The FTC Safeguards Rule is not just a bank problem. If you're a car dealer, tax preparer, mortgage broker, or financial advisor — you are a covered financial institution and the FTC is watching."
FTC Safeguards Rule — Covered Financial Institutions
The Safeguards Rule applies to any business that is significantly engaged in financial activities. If you process, store, or transmit customer financial data in any of these categories, you are almost certainly a covered institution.
⚠️ FTC Enforcement — What Non-Compliance Costs
The FTC can impose civil penalties of up to $51,744 per violation per day for Safeguards Rule violations. Following a data breach, organizations without a compliant security program face compounded exposure: FTC civil action, state attorney general enforcement, class action litigation from affected customers, and potential exclusion from participating in financial programs. The FTC has publicly stated that Safeguards Rule enforcement is an agency priority — not a future concern.
What Your Written Security Program Must Include
Every covered financial institution must develop, implement, and maintain a written information security program that includes all nine of these elements. Securafy builds and maintains this program on your behalf — continuously, not just at audit time.
1. Qualified Individual
Designate a qualified individual (CISO or equivalent) to oversee and implement the program. This person must report to your board or a senior officer annually. Organizations with fewer than 5,000 records may use a service provider for this role.
2. Risk Assessment
Conduct a written risk assessment that identifies foreseeable threats to customer information, assesses their likelihood and impact, and evaluates existing controls. The assessment must be documented, periodic, and outcome-driven.
3. Safeguard Implementation
Design, implement, and maintain safeguards to control risks identified in the assessment — including access controls, encryption, multi-factor authentication, secure development practices, and change management.
4. Service Provider Oversight
Select and retain service providers that maintain appropriate safeguards. Your contracts must require providers to maintain a security program and you must monitor their compliance.
5. Regular Testing
Conduct penetration testing at least annually and vulnerability assessments every six months (organizations with 5,000+ customers). Continuously monitor systems for unauthorized access and threats.
6. Employee Training
Implement a security awareness training program for all personnel with access to customer information. Training must be updated to reflect current threats and documented for compliance evidence.
7. Incident Response Plan
Maintain a written incident response plan addressing goals, internal processes, roles, communications, remediation, documentation, and post-incident evaluation. The plan must be tested and updated regularly.
8. Board Reporting
The qualified individual must report to the board or senior officer at least annually on the status of the information security program, risk assessment results, and material threats.
9. Written ISP
Maintain a Written Information Security Plan (WISP) documenting the entire program — policies, procedures, controls, risk assessment results, testing outcomes, and training records — in a form an FTC examiner can evaluate.
Your FTC Safeguards Program — Fully Managed
Securafy delivers a complete, continuously maintained FTC Safeguards Rule compliance program — not a one-time assessment and a binder. Every required element is implemented, documented, and kept current as your business and the threat landscape evolve.
Written Information Security Plan (WISP)
A complete, attorney-grade Written ISP documenting your program across all nine required elements — written for your specific business, not a generic template.
Qualified Individual (vCISO)
Securafy's vCISO serves as your designated qualified individual — overseeing the program, conducting board reporting, and owning compliance accountability on your behalf.
Annual Risk Assessment
Documented, periodic risk assessment identifying foreseeable threats to customer financial information with control gap analysis and remediation prioritization.
Technical Safeguards Implementation
MFA, encryption at rest and in transit, access controls, patch management, EDR, and all technical safeguards required by the updated rule — implemented and maintained continuously.
Penetration Testing & Vulnerability Assessments
Annual penetration testing and semi-annual vulnerability assessments for organizations with 5,000+ customers. Findings documented, remediated, and tracked in your compliance program.
Employee Security Awareness Training
Role-based security awareness training for all staff with access to customer information. Completion records maintained and reportable for FTC compliance evidence.
Incident Response Plan (IRP)
Written, tested incident response plan specific to your environment — with defined roles, communication procedures, 30-day breach notification protocols, and documented post-incident review.
Service Provider Oversight Program
Vendor risk assessment framework and contract review ensuring your service providers maintain appropriate safeguards — with documented monitoring and evidence for regulators.
Board & Leadership Reporting
Annual board-ready security program status report, risk assessment findings summary, and ongoing executive dashboard — everything your board needs to exercise appropriate oversight.
Are You FTC Safeguards Ready?
Most non-bank financial institutions believe they are compliant — but have never conducted a formal gap assessment against the nine required elements. A Securafy engineer will evaluate your current program and show you exactly where you stand, at no charge.
- ✓ Nine-element written ISP gap assessment
- ✓ Qualified individual designation review
- ✓ Technical safeguards evaluation
- ✓ Incident response plan readiness check
See Exactly Where You're Exposed. Before an Attacker Does.
Our free 47-point network and security assessment gives you a prioritized remediation report in plain language, with no obligation and no upsell.
★ Soteria Award — Most Trusted MSP in North America 2024 · 30-Day Risk-Free Trial · 10-Minute Response Guarantee