
GLBA Safeguards Compliance Deadline and 2026 Updates
GLBA Compliance Deadline: What You Need to Know in 2026
GLBA Safeguards Compliance Deadline Overview
This is a reminder to higher education and financial institutions subject to the Gramm-Leach-Bliley Act (GLBA): the deadline to comply with the Federal Trade Commission’s (FTC) revised Standards for Safeguarding Customer Information, commonly known as the Safeguards Rule, arrived on June 9, 2023. Covered institutions that handle customer financial information must have met the requirements of the Safeguards Rule by that date.
The revised Rule broadened the definition of a “financial institution” to include entities engaged in activities that are incidental to financial services, including companies that bring together buyers and sellers of financial products and services.
The Safeguards Rule requires businesses subject to it to maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.
What the Safeguards Rule Requires
In December 2021, the FTC amended the Safeguards Rule to provide more detailed requirements for institutions to protect customer information. These enhancements include:
Qualified individual responsible for the institution’s information security program and reporting to leadership
Written cyber risk assessment and incident response plan
Encryption of customer information in transit and at rest (or equivalent alternative controls)
Multi-factor authentication (MFA) for systems that access customer information
Secure software development practices and application security reviews
Periodic testing and monitoring, including penetration testing and vulnerability assessments
Oversight of service providers and their security practices
Although the enhanced security provisions took effect earlier, the GLBA Safeguards compliance deadline was extended to June 9, 2023 to give organizations time to implement the new safeguards.
Complying with the Safeguards Rule: High-Priority Actions
For many covered financial institutions, compliance requires planning, stakeholder engagement, implementation, documentation, and change management. Here are the priority actions most institutions should take:
1. Appoint a Qualified Individual
The Safeguards Rule mandates designating a “qualified individual” to oversee and implement the information security program, and to report in writing to the board or governing body on its status and compliance. This role can be filled by a qualified internal employee or an experienced external provider.
2. Conduct a Cyber Risk Assessment
Institutions must conduct periodic, written risk assessments to identify and evaluate risks to customer information. The rule requires using the results of these assessments to guide the information security program and select appropriate security safeguards.
3. Deploy Security Safeguards
Once risks are understood, institutions should implement appropriate controls, including:
Access controls and password management
Encryption for data in transit and at rest
Multi-factor authentication (MFA)
Backup and secure storage strategies
Monitoring and logging of system activity
4. Manage Third-Party Risks
The Safeguards Rule emphasizes oversight of service providers. Covered institutions must vet, contractually bind, and periodically reassess service providers’ security practices to ensure they meet safeguards requirements.
5. Monitor Effectiveness
Institutions must “regularly test or otherwise monitor the effectiveness of” their safeguards. This can be achieved either through continuous monitoring or through a combination of annual penetration testing and ongoing vulnerability assessments.
2026 Status: What’s New and What’s in Effect
As of 2026, the Safeguards Rule continues to evolve:
Breach Reporting Now in Effect
A key amendment to the Safeguards Rule now requires covered financial institutions to report certain data breaches to the FTC. If unauthorized acquisition of unencrypted customer information affects 500 or more consumers, institutions must notify the FTC as soon as possible, and no later than 30 days after discovery of the event. This reporting requirement went into effect in May 2024 and remains in place.
Ongoing FTC Guidance
The FTC continues to issue guidance and Frequently Asked Questions to help institutions and their service providers understand and satisfy the Safeguards Rule requirements, keeping pace with technological changes and cybersecurity expectations.
Broader Enforcement Implications
The FTC’s focus on compliance and reporting reflects an increased regulatory emphasis on transparency and accountability around customer data protection. Institutions subject to the rule should keep compliance programs current and aligned with the latest expectations from regulators and auditors.
What Happens if You Don’t Comply?
Non-compliance with the Safeguards Rule can lead to regulatory action by the FTC, including enforcement proceedings and potential penalties. Even beyond regulation, failure to secure customer information can lead to reputational harm and increased cyber risk.
An effective compliance program, including a documented cyber risk assessment and implementation of safeguards, not only helps satisfy GLBA requirements but also strengthens the overall cybersecurity posture of an organization.
Take Action Now
To meet GLBA compliance requirements and satisfy the Safeguards Rule:
Designate a qualified individual
Conduct documented cyber risk assessments
Implement appropriate cybersecurity controls
Ensure MFA, encryption, and monitoring tools are deployed
Test and monitor the effectiveness of safeguards
Oversee and manage third-party risks
Completing these actions helps protect your customers and demonstrates compliance to regulators and insurers alike.
How tekrisq Can Help
tekrisq helps small and mid-sized businesses understand application security as part of a broader, risk-based cybersecurity strategy.
Rather than focusing only on tools, tekrisq evaluates how applications are built, deployed, and maintained. Application security risks are often uncovered during a vulnerability assessment, helping organizations prioritize remediation based on real-world impact.
Learn more about tekrisq and how we support organizations:
To discuss your information security posture or schedule a consultation.
