GLBA Compliance

  • Speak with a Trustwave sales specialist to learn more.

    Looking for support? Use our global network of support specialists to get help. Get support now
  • The Gramm-Leach-Bliley Act of 1999, or GLBA, is a deregulation bill meant to enhance competition in the financial services industry. But it is best known by IT and security professionals for requiring the protection of personal information and the disclosure of privacy policies. The Federal Financial Institutions Examination Council (FFIEC) has established guidelines for meeting and maintaining GLBA compliance.

  • 34%

    of financial firms say they've 
    experienced some kind of economic
    crime in the past year (PwC study)


    of financial services 
    employees didn't undergo 
    any security awareness training


    financial firms believe the threat of cybercrime is rising year over year


  • GLBA applies to companies that provide financial products or services to consumers. This includes: banks, mortgage brokers, insurance firms, real estate appraisers, tax preparation businesses, check-cashing businesses, accountants, ATM op erators and others.

    There are two main security- and privacy-related provisions under GLBA:

  • Safegard Rule

    Introduced under Section 501(b) of GLBA and issued by the Federal Trade Commission (FTC), the rule aims to:

    • Ensure the security and confidentiality of customer records and information.
    • Protect against any anticipated threats or hazards to the security or integrity of such records.
    • Protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.
  • Privacy Rule

    Required by Section 504(a) of GLBA and also issued by the FTC, this rule:

    • Requires financial institutions to provide its customers with a notice of privacy policies and practices.
    • Prohibits financial institutions from disclosing nonpublic personal information about a consumer to "nonaffiliated" third parties, unless the consumer has agreed to share the information.
  • In particular, financial companies must have a written information security plan in place. As part of this plan, entities must, among other things: Identify and assess their risks to customer information, implement a "safeguards program" and regularly monitor and test it; and manage the selection of appropriate service providers.

  • Through its Information Security Examination Handbook, the FFIEC, in conjunction with its member agencies, has defined a process-based approach for complying with GLBA.

    Among the guidance: financial institutions should test for vulnerabilities, monitor their network for anomalies, implement an incident response program, train staff on security awareness and ensure third-parties have adequate security controls in place.

    In addition, the FFIEC has released “Authentication in an Internet Banking Environment (PDF) (PDF Supplement), which prescribes a risk management framework for financial institutions offering online banking. The guidance states that these entities should use adequate methods to authenticate the identity of customers as a way to protect against threats like phishing and account takeover.

  • While financial services companies traditionally are leaders compared to other industries when it comes to the effectiveness of their information security controls, they also remain a significant target of attackers due to the wealth of personal information under their control. Attackers constantly are developing new schemes to perpetrate fraud against these institutions. As Willie Sutton once said, when asked why he robs banks: “Because that’s where the money is.” The mindset is no different for cybercriminals.


  • A number of federal and state agencies are responsible for enforcement of GLBA, depending on whom the potential violator is. They are: the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corp. (FDIC), the Office of Thrift Supervision, the National Credit Union Administration, the Securities and Exchange Commission, state insurance authorities, the Commodity Futures Trading Commission and the FTC.

  • Enforcement Agency Financial Institution
    Office of the Comptroller of the Currency Federal branches and federal agencies of foreign banks
    Board of Governors of the Federal Reserve System Member banks of the Federal Reserve System
    FDIC Banks insured by the FDIC other than members of the Federal Reserve System
    Office of Thrift Supervision Savings associations whose deposits are insured by the FDIC
    National Credit Union Administration Federally insured credit unions
    Securities and Exchange Commission Brokers and investment companies
    State insurance authorities Insurers
    Commodity Futures Trading Commision Commodities brokers
    FTC Federal institutions not subject to jurisdiction of another agency

    • A financial institution can be fined up to $100,000 per violation.
    • The officers and directors face civil penalties of $10,000 per violation.
    • Criminal penalties of five years in prison, a fine, or both can be imposed.


  • Trustwave provides a comprehensive portfolio that can help organizations of any size respond to GLBA regulations.

    Plan and Prepare

    Conducting a Risk Assessment is the first step to identifying and implementing safeguards necessary to meet compliance. The customizable assessments, scaled individually for your financial institution, include identification of key assets and IT systems, assessment of controls and frameworks and a review of third-party providers and incident response programs.

    Address Gaps and Vulnerabilities

    GLBA requires companies to protect customer records and information, whether it’s being collected, stored or transmitted. Here are some of the ways we can help:

  • Data Loss Prevention 

    Allows you to discover and classify sensitive data and prevent it from leaving the network.

    Network Access Control 

    Ensures managed and unmanaged devices connecting to the network comply with policies and do not introduce malware.

    Two Factor Authentication 

    Offers a token-less, cloud-based mechanism to prevent password interception and ensure the identities of customers.

    Web Application Firewall 

    Protects sensitive data against external attackers who may use vulnerabilities, such as SQL injection, to steal patient information.


    Helps you gain broad visibility of threats to your network and improve your compliance process through logging, monitoring, and analysis of events.

    Incident Readiness and Response 

    Prepares your staff to proactively identify the indications of a breach and contain it quickly and effectively.

    Security Awareness Education 

    Instructs your employees and contractors to understand the threat of social engineering and follow best practices for security, including the safe use of web and social media tools and password management.

    Penetration Testing 

    Identifies and manages potential vulnerabilities in your networks, applications or databases.


  • Documents