What Is GLBA (Gramm-Leach-Bliley Act)

Espresso Labs Team
3 min read

The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, requires financial institutions to explain how they share and protect customers’ private financial information. For cybersecurity purposes, the most important part of GLBA is the Safeguards Rule. The Federal Trade Commission (FTC) first issued it in 2002 (compliance was required from May 2003) and substantially amended it in 2021; the amended rule’s specific, prescriptive security requirements took full effect on June 9, 2023.

The Short Answer

GLBA requires financial institutions — banks, credit unions, mortgage brokers, financial advisors, insurance companies, and many other businesses that offer financial products or services — to implement a formal written information security program designed to protect customers’ nonpublic personal information (NPI).

The amended Safeguards Rule (fully effective June 9, 2023) replaced the original rule’s flexible, process-oriented guidance with specific, enumerated security controls, including multi-factor authentication, encryption of customer information, penetration testing, and annual written reporting to the board. It is now one of the most substantive cybersecurity compliance requirements facing the financial services sector.

Three Key Components of GLBA

GLBA’s privacy and security requirements are organized around three components:

1. Financial Privacy Rule

Requires financial institutions to provide customers with privacy notices explaining what information is collected, with whom it is shared, and how it is protected. Customers must be given the opportunity to opt out of having their information shared with non-affiliated third parties.

2. Safeguards Rule

Requires financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards to protect customer information. This is the security-focused component of GLBA that most organizations focus on for cybersecurity compliance.

3. Pretexting Protection

Prohibits pretexting, the practice of using false pretenses (for example, impersonating a customer or a bank employee) to obtain customer financial information. Institutions are expected to train employees to recognize such attempts and to verify a requester’s identity before disclosing customer records.

What the 2023 Safeguards Rule Requires

The FTC’s amended Safeguards Rule (16 CFR Part 314), which became fully effective on June 9, 2023, requires the written information security program to contain nine elements (16 CFR 314.4(a) through (i)):

  1. Qualified individual: Designate a qualified individual (a CISO or equivalent, employed in-house, by an affiliate, or by a service provider) to oversee, implement, and enforce the program
  2. Risk assessment: Conduct, and periodically update, a written risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information and evaluates whether existing safeguards control them
  3. Safeguards: Design and implement safeguards to control the identified risks, specifically:
    • Access controls that authenticate users and limit each authorized user to the customer information needed for their duties (least privilege); customers may access only their own information
    • Inventory of the data, personnel, devices, systems, and facilities that store or process customer information, managed according to their importance and the risk strategy
    • Encryption of customer information in transit over external networks and at rest; where encryption is infeasible, the qualified individual may approve in writing effective alternative compensating controls
    • Secure development practices for in-house applications that handle customer information, and procedures for evaluating or testing the security of third-party applications used for the same purpose
    • Multi-factor authentication for any individual accessing any information system, unless the qualified individual has approved in writing reasonably equivalent or more secure access controls
    • Secure disposal of customer information no later than two years after the last date it is used for the customer’s product or service, unless retention is needed for a legitimate business purpose or required by law, together with periodic review of the retention policy
    • Change management procedures
    • Monitoring and logging of authorized users’ activity, and detection of unauthorized access to, use of, or tampering with customer information
  4. Testing and monitoring: Regularly test or monitor the effectiveness of the safeguards, either through continuous monitoring or through annual penetration testing plus vulnerability assessments at least every six months and whenever there are material changes to operations or business arrangements
  5. Personnel: Provide security awareness training updated for the risks identified in the risk assessment, use qualified security personnel (in-house, affiliate, or service provider), and keep them current on changing threats and countermeasures
  6. Service provider oversight: Select providers capable of maintaining appropriate safeguards, require those safeguards by contract, and periodically assess providers based on the risk they present
  7. Program evaluation: Evaluate and adjust the program in light of testing and monitoring results, material changes to operations, updated risk assessments, and any other circumstances that may materially affect it
  8. Incident response plan: Develop and maintain a written incident response plan for security events that materially affect the confidentiality, integrity, or availability of customer information
  9. Annual reporting: Have the qualified individual report in writing, at least annually, to the board of directors or equivalent governing body (or, where none exists, to a senior officer responsible for the program)

Two caveats apply. First, institutions that maintain customer information on fewer than 5,000 consumers are exempt (16 CFR 314.6) from the written risk assessment, the continuous monitoring or penetration testing requirement, the written incident response plan, and the annual board report; the remaining elements, including MFA and encryption, still apply. Second, a further amendment effective May 13, 2024 added a notification requirement: the FTC must be notified as soon as possible, and no later than 30 days after discovery, of any event in which unencrypted customer information of at least 500 consumers was acquired without authorization.

Who Enforces GLBA?

GLBA is enforced by multiple regulators depending on the type of financial institution. Note that the Safeguards Rule described above (16 CFR Part 314) is the FTC’s rule; the banking regulators enforce their own Interagency Guidelines Establishing Information Security Standards, which implement the same statutory requirement.

  • FTC: Non-bank financial institutions not regulated by another agency, such as mortgage brokers, non-bank lenders, tax preparers, and auto dealers that extend credit
  • Federal Reserve, OCC, FDIC: Banks and their affiliates
  • NCUA: Federally insured credit unions
  • SEC and CFTC: Securities firms (broker-dealers, investment companies, and investment advisers, under Regulation S-P) and commodities firms
  • State insurance regulators: Insurance companies, through state-level rules modeled on GLBA

How Espresso Labs Helps

Espresso Labs delivers GLBA Safeguards Rule compliance as a managed service — deploying and maintaining the required technical controls, performing continuous monitoring, supporting your qualified individual with documentation and reporting, and keeping your customer data protected without requiring a large internal security team. Contact us to learn how we can help you achieve and maintain GLBA compliance cost-effectively.

Ready to Get Started?

GLBA Safeguards Rule compliance does not have to require a large internal team or a 6-figure budget. Espresso Labs delivers it as an automated, managed service so you can focus on serving your customers, not managing controls.

Talk to our team