Startup office

Financial institutions are subject to very strict compliance standards, particularly when it comes to protecting customer data. 

As of the 2023 update, the Federal Trade Commission now requires 13 additional non-banking institutions to adhere to its standards. 

Today, whether you are an online retailer or an auto dealership, so many financial operations happen online. Because of this, a strong cybersecurity strategy is key for protecting customer privacy. 

With more industries falling under the oversight of the FTC, it is important to stay up to date with cybersecurity compliance. Below, we explain which industries should be paying attention to the recent Safeguards Rule update and what steps can be taken to remain compliant.  


Key Takeaways

  • The Gramm-Leach-Bliley Act specifies how financial institutions and other non-banking institutions should protect sensitive consumer data, and how they should communicate with customers about those data-sharing practices. 
  • This legislation is enforced by the FTC, and failing to adhere could result in fines and other legal consequences. 
  • Recently, the GLBA was updated with more stringent system testing requirements, which include annual penetration testing. 
  • Penetration testing is the process of simulating a cyberattack to identify weaknesses in your system. This process is typically conducted by third-party contractors or cybersecurity experts to mimic real-world conditions. 


The Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act, or GLBA, is a piece of legislation that outlines security and compliance requirements for financial institutions. 

This law specifies how financial institutions should protect customer data, as well as how these institutions should communicate about personal data use. 

This law was passed in 1999 and applies to financial institutions and other organizations that collect “nonpublic personal information” from their clients. The GLBA has three key components: The Financial Privacy rule, the Safeguards rule, and the Pretexting Provisions. 


The Financial Privacy Rule

The Financial Privacy rule requires financial institutions to protect customers’ sensitive and personal information, and to communicate with customers about these privacy protections. 


The Safeguards Rule

The Safeguards rule requires financial institutions to implement sufficient safeguards to protect this information. 


The Pretexting Provisions 

The Pretexting Provisions specify that financial institutions must take steps to prevent unauthorized access to their systems. 

In particular, these institutions should have measures in place to prevent phishing and other social engineering attacks, which can accidentally expose personal information. 


The GLBA Safeguards Rule

The Safeguards rule is the component of the GLBA that requires financial institutions to take appropriate cybersecurity protections. It is extensive and specifies which cybersecurity protections to implement. 

There are many different types of organizations that qualify as financial institutions and need to adhere to these rules. 

This goes beyond just banks and credit unions — for example, a real estate appraiser, accountant, or car dealership could all qualify as financial institutions, depending on their operations. 

Institutions that are required to comply to the GLBA Safeguards rule include: 

  • Retailers issuing credit cards directly to consumers
  • Automobile dealerships that lease automobiles
  • Personal property or real estate appraisers 
  • Career counselors specializing in services for financial sector employees or job seekers
  • Businesses that print and sell checks 
  • Businesses that regularly engage in wire transfers 
  • Check cashing businesses
  • Accountants and tax preparation services
  • Travel agencies operating in connection with financial services
  • Entities providing real estate settlement services
  • Mortgage brokers
  • Investment advisory and credit counseling services
  • Companies acting as finders in negotiations


GLBA Safeguards Rule Exemptions

There are some exemptions to the GLBA Safeguards rule. If your business has fewer than 5,000 records of personally identifiable information stored, you could be exempt from these guidelines. 

However, if you have a Preparer Tax Identification Number, or PTIN, it’s best to adhere to the GLBA, regardless of how many records you have stored. 

In general, it helps to err on the side of caution when it comes to cybersecurity and privacy requirements. 

In addition to keeping your business compliant, it also helps you avoid costly data breaches that could damage your reputation. 

Over the past 20 years, the financial industry has lost a total of $12 billion, illustrating just how devastating cyberattacks can be. 


GLBA Safeguards Rule Requirements

The GLBA Safeguards rule is complex, and there are several key requirements financial institutions need to adhere to. These include: 

glba safeguards

  • Implementing a security program with appropriate safeguards: The primary requirement in the GLBA Safeguards rule is for financial institutions to create and implement a comprehensive cybersecurity program to keep protected data secure.
  • Vendor management: All third-party vendors and software programs should be appropriately vetted to ensure they adhere to cybersecurity best practices and compliance standards
  • Ongoing testing and monitoring: Your system should be consistently monitored and tested at regular intervals to identify potential vulnerabilities and ensure your safeguards are working as planned. This includes penetration testing. Your system also needs to be updated periodically based on your findings. 
  • Incident response plan: All qualifying organizations must have a documented incident response plan in place, which specifies what you will do to protect your customers in the event of a data breach. 
  • Employee training: Employees at all levels of your organization play an important role in preventing data breaches. The GLBA Safeguards rule requires regular security training sessions for your team to ensure they understand cybersecurity best practices. 
  • Management and oversight: Financial organizations must appoint a qualified individual to manage the security program. They also must submit a written report about information security and privacy measures to the board on an annual basis. 

If your organization is subject to GLBA regulations and fails to comply, you could face serious consequences. 

The FTC can impose fines for violations, with exact amounts correlated to the severity of the incident. Particularly serious violations could also result in more extensive legal consequences or even jail time for the individuals involved.  


Penetration Testing Requirements

Although the GLBA was initially passed in 1999, it has been updated over the years to account for new cybersecurity threats and best practices. The Safeguards rule was updated in 2023 with stricter testing requirements for financial institutions. 


In the past, organizations could meet testing requirements by conducting automated vulnerability scans on a regular basis. Now, the GLBA requires annual penetration testing in addition to biannual vulnerability scans and ongoing monitoring. 


What is Penetration Testing? 

Penetration testing is when your organization launches simulated cyberattacks to find vulnerabilities and test the efficacy of your cybersecurity measures. This is sometimes also called “pen testing” or “ethical hacking”. 

During the penetration testing process, the ethical hacker will identify the most vulnerable aspects of your systems. You can then use this information to improve your security practices moving forward.   


How Does Penetration Testing Work? 

Penetration testing is most effective when done by someone outside your organization, as it better mimics the conditions of a real-world cyberattack. 

Many financial organizations hire ethical hackers as contractors to conduct these tests. They can be done with virtually no information provided about the organization, or with some information provided to mimic an insider threat. 

These tests can be configured in a variety of ways to mimic real-world security threats. These include SQL injections, malware, man-in-the-middle attacks, and more. 

While the new GLBA penetration testing laws don’t necessarily require social engineering simulations, penetration testing can also include phishing strategies. 

In many cases, penetration testing will require several different types of cyberattacks and hacking strategies at once. Ideally, the hacker should not be able to access your systems at all. 


How to Conduct Penetration Testing

The best way to conduct a penetration test is to work with a professional ethical hacker or cybersecurity expert. Conducting your penetration tests internally may not be effective, as you’ll already be familiar with your own security measures. 

A professional penetration testing team will work with you to identify your goals for the test. They’ll also help you determine what type of penetration test you need, based on the cyber threats that are most relevant to your business. 


The Role of an IT Service Provider in Penetration Testing

For many financial organizations, working with a professional IT service provider is the most cost-effective and secure way to keep your systems safe. 

These organizations offer third-party managed IT services and can help you get tech and cybersecurity expertise that you don’t have in-house. 

An IT service provider can help your organization implement penetration testing. Many IT providers have ethical hackers and penetration testers available in-house, or can help you find the right contractors for the job. 

Depending on the situation, they may also recommend penetration testing as a service, or PTaaS. These programs automate many features of penetration testing and make results available in an online dashboard. 

Additionally, IT service providers are very familiar with cybersecurity compliance standards, including GBLA and other FTC regulations. They can help you ensure you’re remaining compliant and assist with documentation. 

On top of penetration testing, a managed IT service provider can help you develop a broader cybersecurity and privacy strategy that makes sense for your organization. 

This includes selecting and implementing new security measures, as well as ongoing system monitoring, employee training, and other essential security practices.