The FTC Safeguards Rule (GLBA) and FFIEC Cybersecurity Assessment Tool govern cybersecurity requirements for Ohio banks, credit unions, mortgage lenders, and financial services firms. Non-compliance means regulatory action, enforcement, and unlimited civil liability. Securafy specializes in financial sector compliance.
The Gramm-Leach-Bliley Act (GLBA) and its implementing FTC Safeguards Rule require financial institutions to develop, implement, and maintain a comprehensive information security program protecting customer financial information. The 2023 Safeguards Rule update significantly expanded technical requirements for non-bank financial institutions.
The FFIEC Cybersecurity Assessment Tool (CAT) is the framework used by federal examiners (OCC, FDIC, NCUA, Federal Reserve) to evaluate cybersecurity maturity at banks, credit unions, and depository institutions. Examiners use the CAT during safety and soundness examinations — weak scores directly impact your examination rating.
For Ohio community banks and credit unions, the stakes are high: examination findings related to cybersecurity can result in Matters Requiring Attention (MRAs), formal agreements, cease-and-desist orders, and civil money penalties. Securafy's financial sector practice helps you achieve and maintain examination-ready posture.
"Examiners don't want to see security tools — they want to see a documented, tested, risk-based information security program."
The 2023 FTC Safeguards Rule requires every financial institution to implement these nine elements in their information security program. Organizations with 5,000+ customers must also designate a CISO and report to the board annually.
1. Designate a qualified individual (CISO or equivalent) to oversee and implement the information security program. Must report to the board/senior officer at least annually.
2. Conduct a documented, periodic risk assessment of customer information in all relevant information systems. Must identify reasonably foreseeable threats and assess controls.
3. Implement safeguards to control identified risks. Must include: access controls, data inventory, encryption, MFA, secure development, penetration testing, and change management.
4. Select and retain service providers that maintain appropriate safeguards and require them by contract to implement and maintain those safeguards. Annual due diligence reviews required.
5. Regularly evaluate your information security program in light of new risks, threats, and changes in your operations. Must adjust the program accordingly — documented annual reviews minimum.
6. Implement a written incident response plan governing detection, classification, response, and notification. Must include criteria for determining when notification to regulators is required.
7. Encrypt customer information in transit and at rest. The 2023 rule makes encryption explicitly required — not just "reasonable." Exceptions require documented compensating controls.
8. Implement MFA for all individuals accessing customer information systems. Single-factor authentication is no longer acceptable under the 2023 Safeguards Rule for any information system containing customer financial data.
9. Train all personnel on information security risks and controls at least annually. Training must be tailored to staff roles and documented for examiner review.
The FFIEC CAT evaluates banks and credit unions across five cybersecurity maturity domains, each scored from Baseline to Innovative. Examiners expect most institutions to be at Evolving or above across all domains.
1. Board and management oversight, policies and procedures, IT asset management, risk management integration, and the IT risk appetite framework. Examiners look for board engagement and accountability structures.
2. Participation in FS-ISAC threat sharing, threat intelligence consumption, monitoring of emerging threats, and integration of threat intelligence into risk management decisions.
3. The largest domain — covers infrastructure management, access management, device/endpoint security, secure coding, network segmentation, incident detection, and response capabilities.
4. Third-party risk program, vendor due diligence, contract requirements, ongoing monitoring of critical service providers, and business continuity requirements for vendor relationships.
5. Incident response planning, testing and exercises, business continuity and disaster recovery, resilience planning, and regulatory notification procedures.
We build, document, and maintain a complete Safeguards Rule-compliant information security program — including risk assessment, policies, controls inventory, and annual board reporting.
We conduct a formal FFIEC CAT assessment across all five domains, score your current maturity, identify examination risk areas, and produce a roadmap to achieve target maturity levels before your exam.
We prepare your team for OCC, FDIC, or NCUA examination — organizing documentation, preparing staff for examiner interviews, and ensuring every required policy and procedure is current and accessible.
We implement MFA across all systems accessing customer information and configure encryption for data at rest and in transit — both explicitly required by the 2023 Safeguards Rule.
We build and manage your vendor due diligence program — vendor questionnaires, contract reviews, annual reassessments, and a vendor risk registry that satisfies FFIEC examiner expectations.
Our vCISO service fulfills the GLBA requirement for a designated Qualified Individual — providing executive-level oversight, annual board reporting, and documented program governance.
Securafy builds and maintains compliance programs for Columbus and Cleveland, Ohio businesses. Prevention-First. Compliance-Ready. Award-Winning.