Update to GLBA safeguards rule: What you need to know
Financial institutions are at the forefront of cybersecurity challenges due to the sensitive nature of the data they handle. As the frequency and sophistication of cyberattacks increase, so does the need for robust regulatory safeguards, requiring organizations to bolster their information security program. One critical regulation that has been the focus of recent attention is the Gramm-Leach-Bliley Act (GLBA), a law designed to protect consumer financial information held by financial institutions.
We’ll cover why GLBA matters and walk through what recent amendments to the Safeguards Rule could mean for your organization in 2025.
The Gramm-Leach-Bliley Act (GLBA): A brief overview
Enacted in 1999, the Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act, is a U.S. federal law that imposes several requirements on financial institutions, including requirements for their information systems.
At its core, the GLBA requires these institutions to communicate their information-sharing practices to their customers clearly and implement measures to protect sensitive data.
This law applies to banks and all companies that offer consumer financial products or services like loans, financial or investment advice, or insurance.
It obliges financial institutions to maintain a comprehensive information security program, including security awareness training and the other controls enforced under the GLBA Safeguards Rule.
Diving deeper into the GLBA’s three pillars
The GLBA is framed within three sections, each of which plays a vital role in the overall architecture of the Act:
- The Financial Privacy Rule: Stipulates how financial institutions collect and disclose private financial information. It puts in place measures to ensure that consumers can opt out if they do not want their information shared with certain third parties.
- The Safeguards Rule: Mandates that a financial institution design and implement an information security program to protect customer information. It focuses on risk assessment, management, and control, ensuring customer information is kept secure throughout its lifecycle. Risk assessments are a critical component of a healthy cybersecurity strategy. Organizations also need a written incident response plan detailing how they will respond to and recover from a cybersecurity breach.
- The Pretexting Provisions: These provisions make it illegal to access private information using false pretenses, a practice known as pretexting. This section of the GLBA is designed to deter and penalize those who attempt to defraud or deceive financial institutions to gain access to customer information.
What’s the latest for GLBA in 2025?
1. Enhanced Safeguards Rule breach-reporting: Effective May 13th, 2024, the FTC’s amended Safeguards Rule requires any covered financial institution to notify the FTC within 30 days of discovering a “notification event” affecting 500 or more consumers’ nonpublic information. “Notification events” are defined as unauthorized acquisition of unencrypted customer information. Institutions must update their incident-response plans accordingly and be prepared to submit prompt breach reports to the FTC’s secure portal.
2. CFPB’s 2025 Request for Information on the Privacy Rule (Reg P): In January 2025, the CFPB issued an RFI seeking public input on whether and how to modernize GLBA’s Privacy Rule (Reg P), including:
- Strengthening opt-out rights (e.g., a one-click or “global” opt-out that applies across all institutions)
- Clarifying or tightening exceptions (e.g., joint marketing, service-provider sharing)
- Extending protections to downstream recipients and “big tech” payment platforms
- Considering an affirmative opt-in model in lieu of opt-out for sensitive data
Comments were due by April 11th, 2025; next steps will depend on CFPB’s review and any ensuing rulemaking.
3. Digital-payments and Open-Banking Privacy Proposals: Alongside the Reg P RFI, the CFPB is exploring whether digital-wallet and fintech payment providers should be subject to GLBA’s privacy requirements or to analogous federal rules. A separate proposal would require those entities to limit data collection and use to what’s “reasonably necessary” for the service (e.g., payment processing or product improvement), and to prohibit data uses like targeted advertising or data sales unless consumers explicitly agreed. That comment period closed on March 31st, 2025; a final rule could follow later in 2025 or beyond.
4. Ongoing CFPB Guidance & State Coordination: In early 2025, the CFPB also published a compendium of GLBA-related guidance (circulars, bulletins, advisory opinions) to help state enforcers and regulated entities navigate both federal and state privacy rules. Meanwhile, states continue to enact their own consumer privacy laws, often carving out GLBA-covered data but in some cases requiring broader rights or smaller-institution exemptions. Institutions must track both federal and state developments.
What to watch regarding GLBA in 2025
- Final Privacy-Rule amendments under Reg P after the RFI; possible adoption of more consumer-friendly opt-out/opt-in regimes.
- FTC enforcement of the breach-reporting requirement and any additional Safeguards Rule clarifications.
- CFPB rulemakings extending GLBA-style privacy to fintech and data brokers.
Staying current means:
- Ensuring privacy notices and opt-out mechanisms meet both new federal guidance and evolving state standards.
- Reviewing and updating your written information security plan and breach-response playbook.
- Tracking CFPB registers for any proposed rules or final regulations on Reg P.
Safeguards Rule updates
- Access controls: The amended rule calls for a periodic review of access controls, both technical and physical, to limit access to authorized users and to restrict each user to only the customer information they need.
- Multi-factor authentication (MFA): The updated Safeguards Rule necessitates the implementation of MFA to access any information system or the introduction of other equivalent or stronger controls to address relevant security risks.
- Data and systems inventory: Financial institutions are now required to maintain an up-to-date inventory of their data and of the systems where it is collected, stored, or transmitted, along with an understanding of which parts of those systems are relevant and how important each is.
- Encryption: The revised rule mandates the encryption of all customer information, both in transit and at rest, to ensure that data remains secure throughout its lifecycle.
- Secure applications: The updated rule also requires the adoption of secure development practices for applications developed in-house and mandates the assessment of externally developed applications to ensure they meet security standards.
Risk assessment
The revised rule introduces a more stringent definition of a risk assessment, including standards for evaluating and categorizing security threats and risks, plus assessing the adequacy of security safeguards. The risk assessment needs to elaborate on how the identified risks will be mitigated or accepted and must be documented in writing.
Incident response plan
Financial institutions must now establish a documented plan for responding to any security event affecting customer data’s confidentiality, integrity, or availability.
Workforce and personnel
The updated rule requires the designation of a qualified individual to be responsible for the security program, which can include third-party service providers. Institutions must now provide security awareness training and updates to staff. The rule also mandates periodic reports to a Board of Directors or governing body regarding all material matters related to the information security program.
Testing and evaluation
Safeguards must now be tested regularly, either through continuous monitoring or through annual penetration testing and vulnerability assessments at least every six months.
The real-world risks of non-compliance
Non-compliance with GLBA can lead to substantial fines and reputational damage. Regulatory bodies have been known to impose hefty penalties on institutions that fail to comply with the GLBA’s requirements. Beyond the financial loss, non-compliance can also lead to a loss of trust among customers, which can be even more detrimental in the long run.
The GLBA can impose significant penalties:
- Financial institutions can be fined up to $100,000 for each violation.
- Officers and directors of financial institutions can be fined up to $10,000 for each violation.
- The institution and individuals may also face imprisonment for up to five years.
- Additional penalties may be imposed by states, with financial institutions liable for up to $5,000 per violation, and individuals liable for up to $5,000 per violation and imprisonment for up to one year.
The crucial role of passwords in GLBA compliance
While the GLBA does not prescribe specific technologies a business has to use, it does state that financial institutions must take steps to safeguard their customers’ data. Securing the traditional username and password combination is a key part of this: institutions covered by the Act need to adhere to contemporary best practices for authenticating access to personal data.
A key source of guidance on passwords and information security is the National Institute of Standards and Technology (NIST). NIST Special Publication 800-63B includes several important recommendations for password security:
- It advises against character composition rules, as they are deemed an unnecessary burden for end-users.
- It recommends changing passwords only if there is evidence of compromise.
- It recommends screening new passwords against a list of known compromised passwords.
Following these guidelines can help financial institutions create stronger password policies and meet the spirit of GLBA compliance.
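As an added example (not code from the original post or from Specops), here is a Python screening check in the spirit of the NIST SP 800-63B guidance above: minimum and maximum length, Unicode normalization, no composition rules, and a lookup of the candidate's SHA-1 hash against a breach list using a hash-prefix range query so the full hash never leaves the screening code. The breach corpus is a constructed in-memory sample, the five-character prefix length and all function names are assumptions, and the check also rejects context-specific words (username, service name), which 800-63B requires but the bullet list above does not mention.

```python
import hashlib
import unicodedata

# Constructed sample breach corpus (hypothetical), kept as uppercase SHA-1 hex
# digests so plaintext passwords are never stored on the screening host.
_CONSTRUCTED_BREACHED_PLAINTEXTS = ("password", "Password1!", "letmein", "Summer2024")
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in _CONSTRUCTED_BREACHED_PLAINTEXTS
}

MIN_LENGTH = 8    # 800-63B: at least 8 characters for user-chosen secrets
MAX_LENGTH = 64   # 800-63B: verifiers should accept at least 64 characters
PREFIX_LEN = 5    # assumed prefix length for the range query


def normalize(password: str) -> str:
    """800-63B: apply Unicode NFKC normalization before comparing or hashing."""
    return unicodedata.normalize("NFKC", password)


def lookup_range(prefix: str) -> set[str]:
    """Return the hash suffixes in the corpus that share `prefix` (k-anonymity style)."""
    return {h[PREFIX_LEN:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    """Check the candidate against the corpus without revealing its full hash."""
    digest = hashlib.sha1(normalize(password).encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in lookup_range(prefix)


def screen_password(password: str, context_words=()) -> tuple[bool, str]:
    """Accept or reject a newly chosen password; returns (accepted, reason)."""
    pw = normalize(password)
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if len(pw) > MAX_LENGTH:
        return False, "too long"
    lowered = pw.lower()
    for word in context_words:          # e.g. the username or the service name
        if word and word.lower() in lowered:
            return False, "contains context-specific word"
    if is_breached(pw):
        return False, "found in breached-password list"
    # No composition rules: a long passphrase of lowercase words is acceptable.
    return True, "ok"
```

Nothing in the check forces a periodic change; under 800-63B a password is replaced only when `is_breached` (or other evidence of compromise) says so.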
GLBA Safeguards Rule update: Key points to keep in mind
1. What implications do the changes in the Safeguards Rule have for data security in financial institutions?
The updated Safeguards Rule has a profound impact on the data security practices of financial institutions. It introduces stringent security frameworks such as multi-factor authentication, encryption of customer information, and maintaining an up-to-date data inventory. These changes heighten the focus on safeguarding customer information and adapting to evolving cyber threats.
2. How does the GLBA’s amended Safeguards Rule affect ‘finders’ in financial markets?
The updated rule expands the definition of ‘financial institution’ to include ‘finders,’ which are companies that connect buyers and sellers in financial markets. This means that ‘finders’ are now required to adhere to the Safeguards Rule, significantly impacting their handling of customer data and their overall operational processes.
3. How can a strong password policy assist financial institutions in achieving compliance with the updated GLBA requirements?
Organizations can use software with password management and compliance features that align with the GLBA requirements and the recommended best practices from bodies like the National Institute of Standards and Technology (NIST). These features include real-time breached password checks and proactive password security measures that can significantly enhance a financial institution’s data security strategy and contribute to GLBA compliance.
Comply with GLBA with Specops Password Policy
As an organization, adhering to best practices and regulatory requirements can be challenging, especially when using tools that lack the necessary functionality. For instance, many organizations today use Microsoft’s Active Directory as their identity and access management solution.
However, Active Directory has no native functionality for features such as breached password protection. The example below shows a Windows Server 2022 domain controller and the archaic password policies it still ships with by default.
This is where Specops Password Policy steps in. This solution enhances Active Directory with robust controls over password settings. It includes a real-time breached password check that prevents users from selecting compromised passwords.
Financial institutions must take all necessary steps to protect customer information, and robust password policies are a critical part of that protection. Strengthening password security is an essential step towards improving your overall security posture and protecting your customers’ sensitive financial data. With Specops Password Policy, organizations can significantly increase their password security and proactively protect sensitive customer information.
Try Specops Password Policy for free to strengthen your organization’s password security and help meet GLBA compliance.
(Last updated on May 14, 2025)