
What Is the FTC Safeguards Rule? 2025 Requirements

The FTC Safeguards Rule explained for US organizations: clear, practical guidance to satisfy regulators and examiners. Learn the essentials with CyberSilo.

📅 Published: June 2026 🔐 Cybersecurity • Financial • USA ⏱️ 2,200 words

The FTC Safeguards Rule, enforced by the Federal Trade Commission, mandates that financial institutions under the Gramm-Leach-Bliley Act (GLBA) develop, implement, and maintain a comprehensive written information security program to protect the security, confidentiality, and integrity of customer information. The rule was substantially amended in 2021 (effective January 10, 2022, with the compliance deadline for several of the more prescriptive provisions extended to June 9, 2023) and amended again in 2023 to add a requirement to notify the FTC of certain breaches (effective May 13, 2024). It requires covered entities to take specific, documented actions ranging from designating a qualified individual to oversee the program to performing periodic risk assessments and ensuring oversight of service providers.

Key Takeaways: The FTC Safeguards Rule requires a written information security program, a designated qualified individual (reporting in writing to a board or equivalent governing body at least annually), a written and periodically updated risk assessment, multi-factor authentication (or a written qualified-individual approval of an equivalent or stronger control), encryption of customer information in transit over external networks and at rest, secure disposal procedures, oversight of service providers, a written incident response plan, and, since May 2024, notification to the FTC of breaches affecting 500 or more consumers. Non-compliance can lead to FTC enforcement under the FTC Act, including civil penalties (inflation-adjusted each year; the $46,517-per-violation figure often quoted is the 2022 amount), injunctive relief, and mandatory corrective action under long-running consent orders.

What Is the FTC Safeguards Rule? Definition and Scope

The FTC Safeguards Rule, formally codified at 16 CFR Part 314, implements the security requirements of the Gramm-Leach-Bliley Act (GLBA) of 1999. The rule applies to any "financial institution" under the FTC's jurisdiction, a significantly broader category than most people expect, even though it does not cover banks, federally insured credit unions, or SEC-registered firms, which answer to their own regulators. The FTC's examples include mortgage lenders and brokers, finance companies, check cashers, payday lenders, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, account servicers, real estate appraisers, non-federally insured credit unions, investment advisors not required to register with the SEC, and retailers or auto dealers that extend credit or offer financial services or advice.

The primary goal of the FTC Safeguards Rule is to ensure that customer financial information is protected from unauthorized access, use, destruction, modification, or disclosure. This applies whether the data is stored in electronic or physical formats. The 2025 landscape sees the FTC continuing to enforce this rule aggressively, with a focus on qualitative compliance rather than simple policy documentation.

Who Must Comply with the FTC Safeguards Rule?

Financial institutions under the FTC’s jurisdiction must comply. According to the FTC Act and the GLBA, a "financial institution" is any entity that engages in activities that are financial in nature, as defined in the Bank Holding Company Act of 1956. This includes:

Notably, entities already subject to oversight by other federal regulators with their own safeguarding programs (e.g., banks examined under the FFIEC framework) have overlapping but separate obligations. The FTC Safeguards Rule applies to financial institutions that are not subject to the authority of the federal banking agencies, the NCUA, the SEC, the CFTC, or state insurance regulators, each of which enforces its own GLBA safeguarding standard.

What Are the Nine Core Elements of the 2025 FTC Safeguards Rule?

The 2021 revision codified nine distinct program elements (16 CFR 314.4(a) through (i)) that any information security program must include; the 2023 amendment added a tenth, notification to the FTC of qualifying breaches, at 314.4(j). For 2025, these remain the foundational requirements. Each element must be documented, implemented, and periodically reviewed and adjusted in light of testing results and material changes to the business.

1. Designation of a Qualified Individual

The covered financial institution must designate an individual to oversee and implement the information security program. This person must be "qualified," meaning they possess sufficient knowledge and experience to manage the program. The qualified individual must report to the board of directors or an equivalent governing body at least annually on the program's status.

2. Risk Assessment

Organizations must conduct a written risk assessment that identifies reasonably foreseeable internal and external risks to the security of customer information. This assessment must evaluate the risks in each relevant area of company operations, including employee training, management, information systems, network design, and processing of customer information.

3. Safeguards to Manage Identified Risks

Based on the risk assessment, the entity must design and implement safeguards to control the identified risks. This includes access controls, encryption of customer information both in transit and at rest, multi-factor authentication (or equivalent), secure development practices for custom software, and intrusion detection and monitoring systems.

4. Program Evaluation and Adjustment

The program must be evaluated and adjusted in light of the results of testing and monitoring, material changes to operations or business arrangements, the results of the risk assessment, and any other circumstances that may have a material impact on the program. In practice this means the written policies and procedures covering the program (change management, data retention and disposal, incident response) are living documents with a defined review cycle, not artifacts written once for the file.

5. Regular Monitoring and Testing

The program must regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems. For information systems, the rule requires either continuous monitoring or periodic testing; absent effective continuous monitoring, the entity must conduct penetration testing at least annually and vulnerability assessments at least every six months and whenever there are material changes to operations or business arrangements.

6. Service Provider Oversight

Entities must exercise due diligence in selecting and retaining service providers who handle customer information. Contracts must require these providers to implement appropriate safeguards and the entity must monitor the providers' compliance.

7. Employee Training

All employees must be trained on the company's information security program and its associated policies.

8. Incident Response Plan

A written incident response plan must be implemented that covers detection, response, containment, notification, and recovery from security breaches involving customer information.

9. Board Reporting and Oversight

The qualified individual must report to the board of directors or equivalent governing body at least annually. The report must include the overall status of the security program, risk assessment results, and recommendations for improvement.

Critical Compliance Warning: The "qualified individual" element is not a box-checking exercise. The FTC has indicated it will examine whether the designated person actually has the authority, budget, and organizational stature to implement and maintain the program. For mid-size and larger organizations, this often necessitates a dedicated CISO or equivalent function. The annual board report is a documented artifact that must evidence genuine oversight, not perfunctory review.

What Changed in the 2021 FTC Safeguards Rule Amendments?

The amended rule was published in December 2021 and took effect on January 10, 2022; the compliance deadline for several of its more prescriptive provisions (the qualified individual, written risk assessment, encryption, MFA, annual board report, and others) was extended to June 9, 2023. A further amendment adding a breach-notification obligation to the FTC took effect on May 13, 2024. Together these amendments introduced several critical changes from the original rule, which dated from 2002:

How Does the FTC Safeguards Rule Relate to the Gramm-Leach-Bliley Act?

The Gramm-Leach-Bliley Act (GLBA) provides the statutory authority for the FTC Safeguards Rule. The GLBA, enacted in 1999, repealed parts of the Glass-Steagall Act to allow commercial banks, investment banks, and insurance companies to consolidate. In doing so, it included privacy and security provisions to protect consumer financial information. The GLBA has three key components:

For US organizations, compliance with the FTC Safeguards Rule is part of the broader GLBA compliance framework. The Privacy Rule governs disclosure of nonpublic personal information and requires privacy notices and opt-out rights; the Safeguards Rule governs how the information is protected. The two are complementary: the Privacy Rule controls what you may do with the data and what you must tell customers about it, while the Safeguards Rule controls the security program that protects it.

What Are the Exceptions and Common Exemptions?

Not all entities handling financial information are subject to the FTC Safeguards Rule. Key exemptions include:

However, the FTC interprets these exemptions narrowly. A business that stores even a small amount of customer financial information should carefully evaluate whether it is a "financial institution" at all and, if so, whether an exemption applies. The most common case of a business falling outside the rule is a retailer that accepts third-party credit cards for transactions but does not itself extend credit or store cardholder data, and that relies on a PCI DSS–compliant payment processor; such a retailer is generally not a financial institution under GLBA in the first place.

What Are the Penalties for Non-Compliance in 2025?

The FTC has the authority to enforce the Safeguards Rule through administrative proceedings and federal court actions. Civil penalties under the FTC Act are assessed per violation, with each day of a continuing violation counting separately, and the amount is adjusted for inflation each year (the frequently cited $46,517 figure is the 2022 adjustment; the 2025 amount is $53,088). In addition, the FTC can seek injunctive relief, requiring the organization to implement a comprehensive corrective action plan, submit to independent audits and monitoring, and provide consumer redress.

The FTC also can exercise its authority under Section 5 of the FTC Act (unfair or deceptive practices) to pursue actions where a company has misrepresented its data security practices or where its security measures were so inadequate as to constitute an unfair practice. Noteworthy enforcement actions in the financial sector have resulted in multi-million dollar settlements and consent orders lasting 20 years.

How Does the FTC Safeguards Rule Compare to Other US Financial Regulations?

Regulation | Scope | Key Requirement | Enforcing Authority
FTC Safeguards Rule (16 CFR 314) | Non-bank financial institutions under FTC jurisdiction | Written information security program with nine core elements plus FTC breach notification | FTC
NYDFS 23 NYCRR 500 | Entities licensed or regulated by the New York Department of Financial Services | Cybersecurity program with mandatory policies, CISO, annual certification | NYDFS
FFIEC IT Examination Handbook | Institutions supervised by FFIEC member agencies (banks, thrifts, federally insured credit unions) | Risk-based IT and cybersecurity examination procedures (the Cybersecurity Assessment Tool was retired in 2025) | Federal Reserve, FDIC, OCC, NCUA, CFPB
GLBA Privacy Rule (Regulation P, 12 CFR 1016; FTC's 16 CFR 313) | All GLBA financial institutions | Privacy notices and opt-out rights | CFPB, FTC, and the prudential regulators

The table above illustrates the key differences. Notably, for companies that operate in New York or under state banking authority, the NYDFS regulation imposes stricter requirements such as annual certification of compliance to the regulator, which the FTC Safeguards Rule does not require (though the board reporting requirement serves a similar internal function). For community banks, the FFIEC examination process is more prescriptive in practice. Understanding these overlaps is critical: a company can be subject to both the FTC Safeguards Rule and NYDFS 500, requiring a unified security program that meets the highest standard of each.

Practical Steps for Achieving Compliance with the FTC Safeguards Rule

1. Designate Your Qualified Individual

Identify and formally appoint a qualified individual (typically a CISO, CTO, or security manager) who has the authority to implement the information security program. The individual should report directly to the CEO or board. Document their qualifications, responsibilities, and reporting lines in a formal charter.

2. Conduct a Written Risk Assessment

Perform a thorough risk assessment that covers internal and external threats to customer information. The assessment must be documented in writing and should identify specific risks to the confidentiality, integrity, and availability of customer data across all systems, networks, employees, and third-party providers.

3. Develop Your Written Information Security Program

Based on the risk assessment, create or update your written information security program. The program must address all nine core elements. Policies must be specific to your organization's size, complexity, and risk profile. Use the risk assessment as evidence for why certain controls are chosen.

4. Implement and Operationalize Controls

Deploy the technical, administrative, and physical safeguards. This includes encryption, MFA, access controls, logging and monitoring, firewalls, intrusion detection/prevention systems, and backup/disaster recovery solutions. Document the implementation thoroughly.

5. Test and Monitor Controls

Decide whether you will rely on continuous monitoring of your information systems or on periodic testing. If you cannot demonstrate effective continuous monitoring, schedule penetration tests at least annually and vulnerability assessments at least every six months and after any material change. Implement monitoring of network traffic and system logs regardless, since logging of authorized user activity is itself a required safeguard. Document all testing results and remediation activities.

6. Manage Vendor and Service Provider Risks

Identify all service providers who access, store, process, or transmit customer information. Conduct due diligence before contracting. Ensure every contract includes specific data security requirements and the right to assess the provider's security program.
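The steps above turn into a repeatable check once the rule's concrete thresholds are written down. The following script is an added example, not code from the original page or from CyberSilo: it evaluates a constructed asset inventory (the system names and dates are invented) against the specific numbers in 16 CFR 314.4, namely MFA or a written qualified-individual exception (314.4(c)(5)), encryption at rest and in transit (314.4(c)(3)), the annual penetration test and six-month vulnerability assessment cadence that applies when continuous monitoring is absent (314.4(d)(2)), and the two-year default for disposal of unused customer information (314.4(c)(6)). The `System` record layout and the 182-day approximation of "six months" are assumptions of this example.

```python
"""Check an asset inventory against the concrete thresholds in 16 CFR 314.4.

Added example: the inventory below is constructed, not a real environment.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PENTEST_MAX_AGE = timedelta(days=365)          # 314.4(d)(2)(i): at least annually
VULN_ASSESSMENT_MAX_AGE = timedelta(days=182)  # 314.4(d)(2)(ii): at least every six months (assumed 182 days)
DISPOSAL_MAX_AGE = timedelta(days=2 * 365)     # 314.4(c)(6): dispose no later than two years after last use


@dataclass
class System:
    name: str
    holds_customer_info: bool
    mfa_enforced: bool
    mfa_exception_approved_in_writing: bool   # qualified-individual approval of an equivalent control
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    continuous_monitoring: bool               # if True, the periodic-testing cadence does not apply
    last_pentest: Optional[date]
    last_vuln_assessment: Optional[date]
    last_data_use: Optional[date]
    retention_justification: Optional[str] = None   # documented business or legal reason to retain


def evaluate(system: System, today: date) -> list[str]:
    """Return a list of findings; an empty list means no gap was detected."""
    findings: list[str] = []
    if not system.holds_customer_info:
        return findings  # these safeguards apply to systems holding customer information

    if not system.mfa_enforced and not system.mfa_exception_approved_in_writing:
        findings.append("314.4(c)(5): no MFA and no written approval of an equivalent control")
    if not system.encrypted_at_rest:
        findings.append("314.4(c)(3): customer information not encrypted at rest")
    if not system.encrypted_in_transit:
        findings.append("314.4(c)(3): customer information not encrypted in transit over external networks")

    if not system.continuous_monitoring:
        if system.last_pentest is None or today - system.last_pentest > PENTEST_MAX_AGE:
            findings.append("314.4(d)(2)(i): penetration test missing or older than one year")
        if system.last_vuln_assessment is None or today - system.last_vuln_assessment > VULN_ASSESSMENT_MAX_AGE:
            findings.append("314.4(d)(2)(ii): vulnerability assessment missing or older than six months")

    if (system.last_data_use is not None
            and today - system.last_data_use > DISPOSAL_MAX_AGE
            and not system.retention_justification):
        findings.append("314.4(c)(6): customer information unused for over two years with no documented retention reason")
    return findings


def evaluate_inventory(systems: list[System], today: date) -> dict[str, list[str]]:
    """Map each system name to its findings as of `today`."""
    return {s.name: evaluate(s, today) for s in systems}


# Constructed sample inventory (invented names and dates) evaluated as of a fixed date.
SAMPLE_DATE = date(2025, 6, 30)
SAMPLE_INVENTORY = [
    # compliant: MFA, encryption, recent pentest and vulnerability assessment, data in active use
    System("loan-origination-db", True, True, False, True, True, False,
           date(2024, 11, 1), date(2025, 2, 15), date(2025, 6, 1)),
    # non-compliant on five counts: no MFA, no encryption at rest, stale pentest, no vuln assessment, stale data
    System("legacy-archive", True, False, False, False, True, False,
           date(2023, 9, 1), None, date(2022, 1, 10)),
    # out of scope: holds no customer information
    System("marketing-cms", False, False, False, False, True, False, None, None, None),
    # compliant via written exception and continuous monitoring
    System("monitored-portal", True, False, True, True, True, True, None, None, date(2025, 5, 1)),
]

if __name__ == "__main__":
    for name, findings in evaluate_inventory(SAMPLE_INVENTORY, SAMPLE_DATE).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run as written, the script reports no findings for `loan-origination-db`, `marketing-cms`, and `monitored-portal` and five findings for `legacy-archive`. The point of the structure is that each finding cites the paragraph of the rule it derives from, so the output doubles as the kind of evidence a qualified individual can attach to the annual board report rather than a bare pass/fail.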

Simplify Your FTC Safeguards Rule Compliance

Are you certain your information security program meets the FTC’s nine core elements? With ThreatHawk SIEM + SOAR, you can centralize log monitoring, automate vulnerability scanning, and streamline incident response. Our Compliance Standards Automation platform helps you map controls to the Safeguards Rule, creating audit-ready evidence in real time.

Frequently Asked Questions About the FTC Safeguards Rule

Which US businesses are covered by the FTC Safeguards Rule?

Any financial institution under the FTC's jurisdiction is covered. Banks and federally insured credit unions answer to their own regulators instead, but the FTC's reach includes mortgage lenders and brokers, check cashers, payday lenders, finance companies, real estate appraisers, tax preparation services, collection agencies handling consumer financial data, non-federally insured credit unions, and retailers or auto dealers that extend credit or issue store credit cards. The FTC has a broad interpretation of "financial institution."

Do we need a dedicated CISO to meet the FTC Safeguards Rule?

The FTC Safeguards Rule requires a "qualified individual" to implement and oversee the information security program. While the rule does not mandate a specific title like "CISO," the individual must be qualified, which implies sufficient authority, budget, and security expertise. For larger organizations, a CISO is the standard. The qualified individual must also report to the board of directors annually.

What is the maximum penalty for non-compliance in 2025?

The FTC can seek civil penalties under the FTC Act per violation, with each day of a continuing violation counting separately; the amount is inflation-adjusted annually (the often-quoted $46,517 is the 2022 figure; the 2025 figure is $53,088). Additionally, the FTC may seek injunctive relief, which can include 20-year consent orders requiring independent assessments, comprehensive corrective action plans, and consumer notification or redress.

Does the FTC Safeguards Rule require an incident response plan?

Yes. The 2021 amendments explicitly require a written incident response plan designed to promptly respond to and recover from security events materially affecting customer information. The rule lists what the plan must address: its goals, internal response processes, clear roles and decision-making authority, internal and external communications, remediation of identified weaknesses, documentation and reporting of events, and evaluation and revision of the plan after a security event. Since May 2024 the rule also requires notifying the FTC within 30 days of discovering a "notification event" in which unencrypted customer information of 500 or more consumers was acquired without authorization.

Is multi-factor authentication required under the FTC Safeguards Rule?

Yes. The rule explicitly requires multi-factor authentication for any individual accessing any information system that holds customer information, unless the qualified individual has approved in writing the use of reasonably equivalent or more secure access controls. MFA is the most straightforward path to compliance, and any exception must be documented.

Is encryption of customer data required?

Yes. The FTC Safeguards Rule requires encryption of all customer information both in transit over external networks and at rest. This is a mandatory control, not a recommendation; the only relief is that where encryption is infeasible, the qualified individual may approve in writing an effective alternative compensating control.

Do I need annual penetration tests and twice-yearly vulnerability scans?

Only if you do not have effective continuous monitoring. The rule requires either continuous monitoring of information systems or periodic testing; absent continuous monitoring, penetration testing at least annually and vulnerability assessments at least every six months (and after material changes) are required. In either case, document the results and remediation plans.

What must be included in service provider contracts for FTC Safeguards compliance?

Contracts with service providers who handle customer information must include requirements for the provider to implement and maintain appropriate safeguards. The entity must also monitor the provider's compliance, typically through assessments, audits, or questionnaires.

Are there specific data retention and disposal requirements under the FTC Safeguards Rule?

Yes. The rule requires procedures for the secure disposal of customer information, and sets a default: customer information must be disposed of no later than two years after the last date it is used in connection with providing a product or service to the customer, unless it is needed for business operations or other legitimate business purposes, must be retained by law or regulation, or targeted disposal is not reasonably feasible. The entity must also periodically review its data retention policy to minimize unnecessary retention. Disposal must leave the information unreadable and unreconstructable.

Does the FTC Safeguards Rule apply to small businesses?

Yes, with a limited carve-out. Financial institutions that maintain customer information on fewer than 5,000 consumers are exempt from the written risk assessment, the continuous monitoring or periodic penetration testing and vulnerability assessment requirement, the written incident response plan, and the annual written report to the board. All other elements still apply, and the safeguards must be appropriate to the entity's size, complexity, and the nature of its operations.

Ready to Move from Compliance Checklist to Operational Security?

Most organizations underestimate the depth of evidence required for the FTC's qualitative review. Our GLBA and FTC Safeguards compliance solution at CyberSilo maps your existing controls to 16 CFR Part 314 and produces board-ready reports. Let our team align your program to avoid the costly pitfalls of non-compliance.

Our Conclusion & Recommendation

The FTC Safeguards Rule is a foundational compliance obligation for any US organization that handles customer financial information outside the banking and securities regulators' jurisdiction. Its scope is broader than most realize, covering a wide range of non-bank financial service providers. The 2021 amendments elevated the rule from a policy framework to a set of specific operational control requirements with board-level oversight, and the 2023 amendment added breach notification to the FTC. For 2025 and beyond, enforcement is intensifying, and the FTC is increasingly focused on program quality rather than mere policy existence. For organizations that fail to demonstrate genuine program maturity, the consequences extend beyond fines to lengthy consent orders and long-term regulatory oversight that can alter business operations.

Given the complexity of the nine core elements, particularly around risk assessment, vendor management, penetration testing, and continuous monitoring, we recommend leveraging a unified security platform that centralizes log management, vulnerability scanning, and incident response. CyberSilo's ThreatHawk SIEM + SOAR and Compliance Standards Automation solutions are designed to provide the continuous monitoring and evidence generation that the FTC will scrutinize. Begin with a comprehensive risk assessment to baseline your current posture, and use that to build your written information security program — not as a one-time document, but as a living framework that evolves with your risk landscape.

Schedule Your Compliance Assessment Today

Our senior cybersecurity team can perform a gap analysis mapping your current controls to the FTC Safeguards Rule, NYDFS 500, or any other financial compliance framework. No generic checklists — we provide actionable findings and a prioritized remediation plan.
