GLBA Safeguards Rule (16 CFR Part 314)
The FTC rule requiring financial institutions to maintain an information security program. The 2021 amendments added prescriptive elements such as access controls, encryption, MFA and an incident response plan.
Who it applies to
Financial institutions under FTC jurisdiction — including non-bank lenders, mortgage brokers, auto dealers offering financing, tax preparers and fintechs — that handle customers' nonpublic personal information.
Elements of the information security program
- §314.4(a) Designate a qualified individual
Designate a qualified individual responsible for overseeing, implementing and enforcing the information security program.
- §314.4(c)(1) Access controls
Implement and periodically review access controls, limiting access to customer information to those who need it.
- §314.4(c)(3) Encryption of customer information
Encrypt customer information at rest and in transit, or use an approved compensating control.
- §314.4(c)(8) Monitoring and logging of authorized user activity
Implement monitoring and logging to detect unauthorized access to or use of customer information.
- §314.4(d) Regularly test or monitor safeguards
Regularly test or otherwise monitor the effectiveness of safeguards, including continuous monitoring or periodic penetration testing and vulnerability assessments.
- §314.4(h) Incident response plan
Establish a written incident response plan to respond to and recover from security events affecting customer information.