Assessment

GLBA Safeguards Rule Compliance Scorecard

Published May 10, 2026

The 2021 amendment to the FTC Safeguards Rule (effective June 2023) turned what had been a flexible standard into a prescriptive set of obligations, and the 2023 amendment added a breach-notification duty on top. Every financial institution under FTC jurisdiction must designate a Qualified Individual, conduct a written risk assessment, implement specific technical safeguards, and notify the FTC of qualifying security events. This scorecard reads the firm's posture against each obligation.

What you walk away with

~10 min · 5 categories · 16 items
  • A compliance index across the nine elements of 16 CFR 314.4(a)-(i) plus the 314.4(j) incident-notification requirement added in 2023.
  • A radar chart showing weakest elements.
  • A ranked remediation list mapped to the GLBA Safeguards Data Map checklist.
  • Calibration anchored against FTC consent orders 2022-2024.

Answer every item to lock in a banded score and unlock the remediation roadmap. Live category scores update as you go.

Category profile (radar chart, one axis per category)

  • Governance — Qualified Individual + program
  • Risk assessment
  • Technical safeguards (314.4(c))
  • Personnel training and accountability
  • Incident response + 30-day FTC notification (314.4(h), (j))

Governance — Qualified Individual + program


16 CFR 314.4(a) and (i): a designated Qualified Individual who oversees a written information security program and reports in writing to the board (or equivalent governing body) at least annually.

  • A Qualified Individual is designated and credentialed

    One named individual is responsible for overseeing and implementing the information security program. Their qualifications are documented.

  • A written information security program exists and is current

    The program is written, version-controlled, reviewed annually, and addresses each Safeguards element. Updates flow from the risk assessment.

  • The Qualified Individual reports annually to the board

    An annual written report covers the program's overall status, material risks, control effectiveness, and any material incidents.

Risk assessment


16 CFR 314.4(b): a written risk assessment that identifies internal and external threats to the security, confidentiality, and integrity of customer information.

  • Customer information is inventoried

    Every system, vendor, and process that touches NPI is inventoried with classification, retention, and disposal requirements.

  • Threats are mapped to safeguards

    For each system in the inventory, threats are documented and the technical, administrative, and physical safeguards mitigating them are identified.

  • Risk assessment is updated annually and on material change

    Annual update is documented. Material changes (new system, new vendor, breach event) trigger an interim update.

Technical safeguards (314.4(c))


Access controls, data inventory and classification, encryption, secure development, MFA, secure disposal, change management, and activity monitoring and logging — the eight safeguards enumerated in 314.4(c)(1)-(8). The five items below cover the ones most often cited in consent orders; inventory and disposal are scored under Risk assessment, and change management is evidenced through the SDLC item.

  • Access to customer information is least-privilege

    Access is granted role-based and reviewed periodically. Standing access to NPI is the exception, not the default.

  • MFA covers every system handling NPI

    Multi-factor authentication is enforced for any individual accessing any information system that processes NPI, internal or customer-facing. Each exception is documented and approved in writing by the Qualified Individual as an equivalent or stronger access control, which is the only exception path the Rule allows.

  • Encryption at rest and in transit is in place

    All NPI is encrypted at rest and in transit. Where encryption is infeasible, the compensating control is documented and approved in writing by the Qualified Individual.

  • Secure development practices are documented

    SDLC includes code review, security testing, and dependency-vulnerability scanning. Test environments use synthetic data, not raw NPI.

  • Continuous monitoring detects unauthorized access

    Logs are collected, retained, and reviewed for unauthorized access. Detection has documented SLAs.

Personnel training and accountability


314.4(e)-(f): security awareness training, qualified security personnel who keep current on threats, and oversight of service providers.

  • All personnel receive role-appropriate security training

    Annual training is mandatory. Privileged personnel (engineers, sysadmins) receive additional role-specific training.

  • Service-provider oversight is structured

    Service providers are selected based on documented capacity to safeguard customer information; contracts include security requirements; oversight is periodic.

Incident response + 30-day FTC notification (314.4(h), (j))


314.4(h): a written incident response plan. 314.4(j): the FTC notification requirement, in effect since May 13, 2024, for notification events involving at least 500 consumers.

  • Written incident response plan exists and is rehearsed

    The IRP names roles, defines severity bands, identifies notification triggers, and was rehearsed within the last 12 months.

  • FTC notification process is wired for events affecting 500+ consumers

    The 314.4(j) requirement is documented: the FTC is notified as soon as possible, and no later than 30 days after discovery, of any unauthorized acquisition of unencrypted customer information involving at least 500 consumers. The process treats encrypted data as unencrypted when the key was also accessed, and the trigger is a distinct outcome of the incident severity classification rather than a judgment left to the responder.

  • Post-incident reviews update the program

    After each material incident, the risk assessment, controls, and training are reviewed and updated as needed.
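The notification trigger above is mechanical enough to encode, and encoding it is the simplest way to make it "identifiable from incident severity classification" rather than something an analyst has to remember. The following is an added example, not code from the scorecard or its publisher. It applies the 16 CFR 314.2 definition of a notification event (unauthorized acquisition of unencrypted customer information involving at least 500 consumers; encrypted information counts as unencrypted if the key was also accessed; unauthorized access is presumed to be acquisition unless reliable evidence shows otherwise) and the 314.4(j) outer bound of 30 days after discovery. The incident record fields and the sample incidents are constructed for illustration; they are not the Rule's terms or real cases.

```python
"""Classify an incident against the 314.4(j) notification trigger.

Added example, not part of the scorecard page. Field names on the Incident
record are assumptions chosen for this example, not terms from the Rule.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

FTC_CONSUMER_THRESHOLD = 500   # 16 CFR 314.2: "involving at least 500 consumers"
FTC_DEADLINE_DAYS = 30         # 16 CFR 314.4(j): no later than 30 days after discovery


@dataclass(frozen=True)
class Incident:
    """Minimal incident record (constructed shape for this example)."""
    incident_id: str
    discovered: date               # discovery date starts the 30-day clock
    consumers_affected: int
    unauthorized_access: bool      # customer information was accessed without authorization
    evidence_no_acquisition: bool  # reliable evidence that acquisition did not and could not occur
    data_encrypted: bool
    key_compromised: bool = False  # encryption key also accessed by the unauthorized party


@dataclass(frozen=True)
class Determination:
    incident_id: str
    notification_event: bool
    reason: str
    ftc_deadline: Optional[date]


def acquisition_presumed(inc: Incident) -> bool:
    # The Rule presumes unauthorized access is acquisition unless the firm holds
    # reliable evidence that acquisition did not and could not reasonably have occurred.
    return inc.unauthorized_access and not inc.evidence_no_acquisition


def effectively_unencrypted(inc: Incident) -> bool:
    # Encrypted customer information is treated as unencrypted if the key was accessed.
    return (not inc.data_encrypted) or inc.key_compromised


def evaluate(inc: Incident) -> Determination:
    """Return whether the incident is a notification event and, if so, the deadline."""
    if not acquisition_presumed(inc):
        return Determination(inc.incident_id, False,
                             "no presumed unauthorized acquisition of customer information", None)
    if not effectively_unencrypted(inc):
        return Determination(inc.incident_id, False,
                             "information stayed encrypted and the key was not compromised", None)
    if inc.consumers_affected < FTC_CONSUMER_THRESHOLD:
        return Determination(inc.incident_id, False,
                             f"{inc.consumers_affected} consumers is below the "
                             f"{FTC_CONSUMER_THRESHOLD}-consumer threshold", None)
    deadline = inc.discovered + timedelta(days=FTC_DEADLINE_DAYS)
    return Determination(inc.incident_id, True,
                         f"unencrypted customer information of {inc.consumers_affected} "
                         "consumers acquired; notify the FTC as soon as possible", deadline)


def days_remaining(det: Determination, today: date) -> Optional[int]:
    """Days left on the 30-day clock (negative when overdue); None if no deadline applies."""
    if det.ftc_deadline is None:
        return None
    return (det.ftc_deadline - today).days


# Constructed sample incidents (not real cases), one per branch of the decision.
SAMPLES: List[Incident] = [
    Incident("INC-1", date(2025, 3, 1), 12_000, True, False, data_encrypted=False),
    Incident("INC-2", date(2025, 3, 1), 12_000, True, False, data_encrypted=True, key_compromised=True),
    Incident("INC-3", date(2025, 3, 1), 12_000, True, False, data_encrypted=True),
    Incident("INC-4", date(2025, 3, 1), 499, True, False, data_encrypted=False),
    Incident("INC-5", date(2025, 3, 1), 12_000, True, True, data_encrypted=False),
]


def run_samples() -> List[Determination]:
    return [evaluate(inc) for inc in SAMPLES]


if __name__ == "__main__":
    for det in run_samples():
        print(det.incident_id, det.notification_event, det.ftc_deadline, "-", det.reason)
```

Wire `evaluate()` into the severity-classification step so a notification event is a recorded outcome with a due date, not a checkbox someone has to think to tick. The 30-day figure is an outer bound only; the Rule's operative words are "as soon as possible", and the clock runs from discovery, not from containment or from the end of the forensic investigation.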

Calibration source: FTC Safeguards Rule (16 CFR 314, as amended 2021 and 2023) + FTC consent orders 2022-2024.

Bands are calibrated against the nine elements of 16 CFR 314.4(a)-(i) (2021 amendment, effective June 2023), the 314.4(j) notification requirement (effective May 2024), and observed FTC consent-order patterns 2022-2024 in financial-institution data security cases. 'Audit-Ready' aligns with firms that closed FTC inquiries without a consent-order finding.

Banded score reference

Consent-Order Risk

0-30%

Multiple elements of 314.4 have structural gaps. The firm is exposed to FTC enforcement, and a security incident would materially worsen the posture.

Next step: Designate a Qualified Individual, stand up the written program, and conduct the risk assessment before anything else.

Findings Likely

30-55%

Foundational elements exist but technical safeguards or training are uneven.

Next step: Close the technical-safeguards gaps first; they're the most often-cited in consent orders.

Defensible

55-80%

All elements have structured implementations. Most FTC questions can be answered from documentation alone.

Next step: Tighten incident response rehearsal and FTC notification process.

Audit-Ready

80-100%

Safeguards Rule compliance is operationalized end-to-end with audit-grade documentation.

Next step: Operate steady-state; re-run after each annual board report.

Key takeaways

  • Technical safeguards (314.4(c)) are the most-cited element in consent orders. MFA gaps, weak encryption, and unsegmented test environments dominate.
  • The 30-day FTC notification requirement (effective May 2024) is a new failure mode — many firms have the IRP but not the notification trigger wired in.
  • Synthetic data in test environments structurally closes one of the most common technical-safeguards findings.
  • Annual board reporting is mechanical to audit. If it's missing, the auditor knows immediately.

FAQ

Does this apply to RIAs and broker-dealers?

GLBA covers a broad swath of financial institutions, including broker-dealers and RIAs. The FTC Safeguards Rule itself applies only to non-bank financial institutions under FTC jurisdiction; broker-dealers and SEC-registered investment advisers are instead subject to the SEC's Regulation S-P safeguards provisions, with FINRA examining member firms against them. The obligations are structurally parallel, so the gaps this scorecard identifies apply across both regimes.

What changed in the 2024 update?

Effective May 13, 2024, the Safeguards Rule requires the FTC to be notified as soon as possible, and no later than 30 days after discovery, of a notification event: the unauthorized acquisition of unencrypted customer information involving at least 500 consumers. Two details trip firms up: customer information counts as unencrypted if the encryption key was also accessed by an unauthorized person, and unauthorized access is presumed to be acquisition unless the firm has reliable evidence that acquisition did not and could not reasonably have occurred. This is the 314.4(j) requirement scored in the Incident Response category.

How does synthetic data help with Safeguards compliance?

Synthetic data closes the technical-safeguards gap of using production NPI in test environments. It also reduces the blast radius if a non-production system is breached — there's no NPI to lose.