The FTC Safeguards Rule: What Financial Advisors Must Do to Protect Client Data

Many financial advisors assume that data security regulation is something that applies to banks and large brokerages, not to their own practice. That assumption is increasingly dangerous. Under the Gramm-Leach-Bliley Act, a wide range of smaller financial businesses count as financial institutions, and the rule that governs how they protect client data has teeth. FTC Safeguards Rule compliance is now a specific, technical obligation rather than a vague expectation, and the Federal Trade Commission has the authority to enforce it. This guide explains who the rule actually covers, what it requires from your technology in concrete terms, and how a smaller advisory practice can meet the standard without a large in-house security team. One note before we begin: this explains the IT and security requirements of the rule, not legal interpretation, which belongs with your compliance counsel.

What the FTC Safeguards Rule is
The Safeguards Rule sits under the Gramm-Leach-Bliley Act, the 1999 law that governs how financial institutions handle nonpublic personal information about their customers. The rule requires covered businesses to develop, implement, and maintain a written information security program with administrative, technical, and physical safeguards designed to protect customer information.
For years the rule was relatively loose, written in broad principles. That changed with major amendments the FTC finalized in 2021, whose core technical requirements took effect in June 2023. Those amendments transformed the rule from a general expectation of reasonable security into a set of specific, prescriptive controls. A practice that was technically compliant a few years ago under the old principles-based version may be clearly out of compliance today without having changed anything, simply because the standard moved.

Does the Safeguards Rule actually apply to you?
This is the question to settle before anything else, because the answer determines whether the rest of this guide is mandatory reading or merely good practice. The term financial institution under GLBA is far broader than most people expect. It covers not only lenders and banks but also mortgage brokers, tax preparation firms, collection agencies, and financial advisors.
For advisors specifically, there is an important distinction that decides which regulator you answer to. Investment advisors registered with the Securities and Exchange Commission generally fall under the SEC's own privacy rule, Regulation S-P, rather than the FTC Safeguards Rule. The Safeguards Rule applies to financial institutions under the FTC's jurisdiction that are not regulated by another authority. In practice, this means the FTC Safeguards Rule most directly covers state-registered investment advisors that are not required to register with the SEC, along with many other non-bank financial businesses. The two rules are close cousins from the same parent law, but you are generally subject to one or the other depending on how you are registered, not both. If you are unsure which applies to your practice, that is a question to confirm with your compliance counsel, because the entire compliance path follows from it.

The information security program: what the rule requires
At the heart of the Safeguards Rule is a requirement to build and maintain a written information security program. The 2021 amendments specify the elements that program must contain. Several of these translate directly into IT work, and understanding them is the foundation of FTC Safeguards Rule compliance.

Designate a Qualified Individual
The rule requires you to name a single person responsible for overseeing and implementing your information security program. For a small practice, this does not have to be a full-time chief security officer, and the role can be filled with the support of an outside service provider. But someone must own it, and that ownership must be real, not a title on an org chart.
Conduct a written risk assessment
You must perform and document a risk assessment that identifies foreseeable internal and external risks to customer information and evaluates how well your current safeguards address them. This is the analytical foundation. Every control you implement should trace back to a risk this assessment identified, and it must be written down, not held in someone's head.
Implement specific technical safeguards
This is where the 2021 amendments became prescriptive. The program must include a set of controls that the rule now names directly:
- Access controls. Limit who can reach customer information to those who genuinely need it, and review that access periodically.
- Encryption. Customer information must be encrypted both at rest and in transit. Where encryption is not feasible, an approved alternative must be used with sign-off from the Qualified Individual.
- Multi-factor authentication. MFA is required for anyone accessing systems that hold customer information. A password alone is no longer sufficient under the rule.
- Data inventory and disposal. You must know what customer data you hold and where, and securely dispose of it when it is no longer needed.
- Change management. Changes to your systems must be managed in a controlled way.
- Logging and monitoring. You must be able to monitor authorized user activity and detect unauthorized access.
These requirements are not aspirational. They are the baseline an examiner or investigator will measure you against. Meeting them is the practical core of any credible cybersecurity solution for a covered financial practice.

Test your safeguards
The rule requires regular testing of the effectiveness of your controls, through continuous monitoring or through periodic vulnerability assessments and penetration testing. Controls that are never tested tend to fail when they matter, which is why documented penetration testing is both a security practice and a compliance one.
Train your people and oversee your vendors
The program must include security awareness training for staff and a process for overseeing the service providers who handle your customer data. A vendor's weakness can become your breach and your liability, so the rule expects you to select providers capable of maintaining appropriate safeguards and to hold them to it by contract.
Report to leadership
The Qualified Individual must report in writing, at least annually, to your board or a senior governing body on the state of the information security program. This forces security to the attention of leadership rather than leaving it buried in IT.
The breach notification requirement
A later amendment added a requirement that took effect in May 2024. Covered financial institutions must now report certain security incidents to the FTC. The trigger is a notification event, which the rule defines as the unauthorized acquisition of unencrypted customer information involving at least 500 customers. When such an event occurs, the institution must notify the FTC as soon as possible and no later than 30 days after discovery.
This requirement has a direct technical consequence that is easy to miss. The threshold is based on unencrypted information. Data that was properly encrypted, and whose encryption keys were not also compromised, generally does not trigger the obligation. This is one more reason the rule's encryption requirement matters so much: strong encryption is not only a control, it can be the difference between a reportable event and a contained one. It also underscores why the ability to determine quickly how many records and which data were affected, which depends on good logging, is essential.
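The named safeguards above (access controls, MFA, data inventory, logging and monitoring) and the notification threshold in this section both come down to being able to answer concrete questions from your logs and your data inventory. The following Python script is an added example, not code from the article or from GlobeVM: it parses a constructed access log, flags entries that violate the named controls (a login without MFA, or a user reaching a data store outside their access grant), and then scopes a hypothetical incident the way the notification rule frames it, counting distinct customers whose unencrypted information a compromised account acquired, comparing that count against the 500-customer threshold, and computing the 30-day deadline from the discovery date. The log format, the user grants, and the data-store inventory are all constructed for the example.

```python
"""Access-log review and notification-event scoping for a small advisory practice.

Added illustration, not part of the original article or any product. The log
format, the user grant table, and the data-store inventory are all constructed.
"""
from collections import namedtuple
from datetime import date, timedelta

# Constructed log lines. Fields: timestamp, user, MFA flag, action, data store, customer id.
ACCESS_LOG = """\
2024-03-04T09:12:01 alice mfa=yes read client_db C1001
2024-03-04T09:12:05 alice mfa=yes read client_db C1002
2024-03-04T13:40:22 bob mfa=no read client_db C1003
2024-03-04T22:05:10 carol mfa=yes export tax_archive C1004
2024-03-05T02:11:43 carol mfa=yes export tax_archive C1004
2024-03-05T02:12:01 carol mfa=yes export tax_archive C1005
"""

Event = namedtuple("Event", "ts user mfa action store customer")


def parse_log(text):
    """Turn the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, mfa, action, store, customer = line.split()
        events.append(Event(ts, user, mfa == "mfa=yes", action, store, customer))
    return events


# Who may touch which store: the "access controls" the rule names. Constructed grants.
AUTHORIZED = {
    "alice": {"client_db"},
    "bob": {"client_db"},
    "carol": {"client_db"},   # carol holds no grant for tax_archive
}


def review_access(events, authorized=AUTHORIZED):
    """Return findings for the periodic access review: missing MFA, or access
    to a store the user was never granted."""
    findings = []
    for e in events:
        if not e.mfa:
            findings.append((e.ts, e.user, "access without MFA"))
        if e.store not in authorized.get(e.user, set()):
            findings.append((e.ts, e.user, f"not authorized for {e.store}"))
    return findings


# Data inventory: is each store encrypted at rest, and were its keys also
# compromised in this incident? Constructed for the example.
INVENTORY = {
    "client_db":   {"encrypted": True,  "keys_compromised": False},
    "tax_archive": {"encrypted": False, "keys_compromised": False},
}

NOTIFICATION_THRESHOLD = 500   # customers with unencrypted data acquired
NOTIFICATION_WINDOW_DAYS = 30  # "no later than 30 days after discovery"


def scope_incident(events, compromised_users, discovery_iso, inventory=INVENTORY):
    """Count distinct customers whose *unencrypted* information the compromised
    accounts acquired, and report whether that meets the notification threshold.
    discovery_iso is the discovery date as YYYY-MM-DD."""
    exposed = set()
    for e in events:
        if e.user not in compromised_users:
            continue
        store = inventory[e.store]
        # Encrypted data whose keys stayed safe does not count toward the threshold.
        if store["encrypted"] and not store["keys_compromised"]:
            continue
        exposed.add(e.customer)
    discovery = date.fromisoformat(discovery_iso)
    return {
        "customers_affected": len(exposed),
        "notification_event": len(exposed) >= NOTIFICATION_THRESHOLD,
        "notify_by": (discovery + timedelta(days=NOTIFICATION_WINDOW_DAYS)).isoformat(),
    }


if __name__ == "__main__":
    evts = parse_log(ACCESS_LOG)
    for finding in review_access(evts):
        print("finding:", finding)
    print(scope_incident(evts, {"carol"}, "2024-03-05"))
```

Two design points are worth noting. The scoping count is by distinct customer, not by log line, because the threshold in the rule is stated in customers and one customer's record is often read many times. And the encryption check consults the inventory rather than the log, which is exactly why the data inventory the rule requires has to be kept current: if you cannot say whether a store was encrypted and whether its keys were exposed, you cannot tell a reportable event from a contained one.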

How a small advisory practice can meet the standard
Reading the full list of requirements can feel overwhelming for a practice without a security team. In reality, the path is manageable when approached in a sensible order rather than all at once.
- Confirm you are covered, and by which rule. Settle the FTC versus SEC question with your counsel before investing in the wrong compliance path.
- Name your Qualified Individual. Decide who owns the program, internally or with outside support.
- Complete and document the risk assessment. This drives every other decision and is itself a requirement.
- Close the obvious technical gaps first. Turn on multi-factor authentication, confirm encryption at rest and in transit, and tighten access controls. These are the most common deficiencies and among the most consequential.
- Establish monitoring, logging, and testing. Build the ability to see what is happening in your systems and to prove your controls work.
- Address people and vendors. Train staff and put your service-provider oversight in writing.
- Maintain and report. Keep the program current and deliver the annual report to leadership.
For most small practices, building and sustaining all of this internally is not realistic, and the rule explicitly allows the Qualified Individual to be supported by a service provider. A capable partner can serve as that support, run the technical controls day to day, and keep the program aligned as the rules evolve. This is the natural intersection of compliance, risk management, and ongoing managed IT services, and it is how a small firm can meet a standard that was originally written with larger institutions in mind. Firms that want a partner familiar with the sector can review GlobeVM's approach to IT for financial services.

The cost of getting it wrong
It is worth being plain about why this matters beyond principle. The FTC can pursue enforcement actions against non-compliant financial institutions, and the reputational damage of a breach, especially one that reveals an inadequate security program, can be far more costly than the breach itself. For an advisory practice whose entire business rests on client trust, a publicized data security failure is an existential risk, not just a compliance one. The encryption, authentication, and monitoring the rule requires are the same measures that genuinely protect your clients, which means doing this well serves your business and your compliance obligation at the same time.
If your practice handles client financial data and you are not certain your technology meets the Safeguards Rule, the team at GlobeVM can assess your current controls against the rule's requirements and give you a clear, prioritized plan to close any gaps.