Financial services organizations operate under a more demanding regulatory environment for cybersecurity than most industries. The Gramm-Leach-Bliley Act (GLBA), SEC cybersecurity rules, and a growing collection of state-level financial regulation create specific, enforced requirements that go well beyond general security best practice advice.
Understanding what these frameworks require — and where they overlap and diverge — is foundational for any security leader in the financial sector.
GLBA: The Safeguards Rule
The Gramm-Leach-Bliley Act requires financial institutions to protect the security and confidentiality of customer financial information. The FTC's Safeguards Rule (16 CFR Part 314), which implements GLBA for entities under FTC jurisdiction, was significantly updated in 2023.
Who it covers: Financial institutions not under federal banking regulator jurisdiction — meaning many non-bank financial services companies: mortgage brokers, auto dealers who extend credit, tax preparation firms, credit counselors, certain fintech companies, and others.
What the updated Safeguards Rule requires:
The 2023 update moved from a flexible, principles-based standard to more specific requirements:
- Written information security program with specific elements
- Qualified individual responsible for the security program (CISO or equivalent)
- Risk assessment that identifies reasonably foreseeable internal and external risks
- Safeguards proportional to identified risks across eight specific areas: access controls, data inventory, encryption, secure development, authentication, change management, monitoring, and incident response
- Service provider management with contracts requiring appropriate safeguards
- Periodic penetration testing and vulnerability assessments
- Multi-factor authentication for information systems
- Employee training program
- Incident response plan
- Board reporting annually on the security program
- Notification to the FTC within 30 days of discovering a security breach affecting 500 or more customers
The specific requirements around MFA, penetration testing, board reporting, and FTC notification are significantly more prescriptive than the original rule.
SEC Cybersecurity Rules for Public Companies
The SEC's cybersecurity disclosure rules, effective December 2023 for large accelerated filers and June 2024 for others, created new obligations for public companies.
Material incident disclosure. Public companies must disclose material cybersecurity incidents on Form 8-K within four business days of determining that the incident is material. "Material" means information that a reasonable investor would consider important — which has been interpreted to include incidents affecting operations, financial condition, or customer data at meaningful scale.
This requirement has fundamentally changed how public companies respond to incidents. The four-day clock starts when materiality is determined, not when the incident is discovered — which creates pressure to delay or avoid a materiality determination that would trigger a disclosure obligation.
Annual disclosure. Annual Form 10-K filings must include disclosure of the company's cybersecurity risk management processes, the role of the board and management in cybersecurity oversight, and any material risks from cybersecurity threats.
This means board-level cybersecurity governance is now a public disclosure requirement for public companies. Boards that can't demonstrate meaningful cybersecurity oversight are in a difficult position.
Banking Regulators: OCC, Federal Reserve, FDIC
Banks and bank holding companies are subject to cybersecurity requirements from their federal banking regulators. These requirements are codified in safety and soundness expectations and enforcement guidance that is regularly updated.
The 2021 Computer-Security Incident Notification Final Rule requires banking organizations to notify their primary federal regulator within 36 hours of a "computer-security incident" that disrupts, degrades, or impairs the institution's ability to carry out banking operations at a significant scale.
FFIEC guidance (the FFIEC Cybersecurity Assessment Tool) provides a maturity model framework that federal banking regulators use as a reference in examinations.
Building a Compliance-Integrated Security Program
Financial services security programs that work are built around risk management, with compliance requirements mapped to controls rather than the reverse.
Start with your actual risk profile: what are the realistic threats, where is the sensitive data, what's the impact of a significant incident? Build controls that address those risks. Then verify that the controls you've built satisfy your regulatory requirements.
The alternative — building a security program backwards from a compliance checklist — produces programs that satisfy examiners but don't necessarily address real risks. In a sector as targeted as financial services, the distinction matters.
The Regulatory Coordination Challenge
Financial services organizations often have multiple regulators with overlapping and sometimes diverging requirements. A bank holding company might have requirements from the OCC, the Federal Reserve, state banking regulators, the CFPB, the SEC, and the CFTC, depending on its activities.
Managing regulatory compliance across this landscape requires deliberate coordination — typically involving both a qualified security leadership function and legal counsel with regulatory expertise. Getting this right is an investment, but the cost of getting it wrong — enforcement action, reputational damage, operational restrictions — is substantially higher.