FTC Safeguards Rule Explained: 2023 Updates and What Changed

Espresso Labs Team
3 min read

The FTC’s revised Safeguards Rule (16 CFR Part 314), which became fully effective in June 2023, represents a fundamental shift in how GLBA compliance is implemented. The original 2003 Safeguards Rule was largely principles-based — it told companies to protect customer information but left implementation details to their discretion. The 2023 rule is specific, prescriptive, and far more demanding.

What the Original Safeguards Rule Said (2003)

The original Safeguards Rule required financial institutions to:

  • Develop a written information security program
  • Designate an employee to coordinate the program
  • Identify and assess risks to customer information
  • Design and implement safeguards to control identified risks
  • Oversee service providers
  • Evaluate and adjust the program regularly

While these were sensible requirements in principle, the rule offered almost no specifics on what safeguards were required. Organizations could (and many did) maintain minimal security programs with vague policies and claim compliance.

What Changed in 2023

The revised rule added concrete, measurable requirements across several areas:

New: Specific Technical Controls

The 2023 rule introduced mandatory technical controls that were not in the original:

Control                      | 2003 Rule     | 2023 Rule
Multi-factor authentication  | Not required  | Required for remote access and privileged accounts
Encryption at rest           | Not specified | Required for customer NPI
Encryption in transit        | Not specified | Required for customer NPI
Penetration testing          | Not required  | Annual (for 5,000+ customers)
Vulnerability scanning       | Not required  | Biannual (for 5,000+ customers)
Audit logging                | Not specified | Required for detecting unauthorized access

New: Qualified Individual Requirement

The 2023 rule requires designation of a “qualified individual” — someone with knowledge, skills, and experience appropriate to run an information security program. This is more specific than the original “designate an employee” language. The qualified individual can be internal or a third party (such as a vCISO), but the financial institution must actively oversee them.

New: Annual Board Reporting

Organizations with 5,000+ customer records must now have the qualified individual report to the board of directors (or equivalent senior management) at least annually on the information security program. This elevates cybersecurity from a back-office IT function to a board-level governance item.

New: Written Incident Response Plan

The 2023 rule requires a formal, written incident response plan addressing goals, processes, roles, communications, and post-incident review. The original rule referenced incident response only in passing.

New: FTC Breach Notification

Financial institutions must now notify the FTC within 30 days of discovering a breach affecting 500 or more customers involving unencrypted customer information. The FTC publishes these reports publicly — creating reputational consequences in addition to regulatory ones.

New: Service Provider Contractual Requirements

Contracts with service providers must now include requirements for the provider to implement appropriate safeguards and notify the institution if they experience a breach affecting the institution’s customer information.

Small Business Exemption

The 2023 rule created a limited exemption for institutions with fewer than 5,000 customer records from the following requirements:

  • Annual penetration testing
  • Biannual vulnerability scanning
  • Written incident response plan (still recommended but not required)
  • Annual board reporting

These smaller institutions still must maintain a written information security program, designate a qualified individual, conduct risk assessments, implement access controls and encryption, and oversee service providers.

Key Implementation Deadlines (Now Past)

  • June 2023: Revised Safeguards Rule fully effective
  • January 2024: FTC breach notification requirement effective

All covered financial institutions should now be in full compliance with the 2023 requirements. Organizations that haven’t yet updated their programs face potential FTC enforcement if they experience an incident.

How Espresso Labs Helps

Espresso Labs builds and runs GLBA Safeguards Rule compliance programs as a managed service — giving financial institutions the technical controls, monitoring, board reporting support, and vendor oversight they need to stay compliant without building a large internal security team. Contact us to assess your current Safeguards Rule gaps and see how quickly we can close them.
