Industry Compliance Guide

Financial Services Compliance

GLBA Safeguards Rule and cybersecurity compliance for banks, credit unions, investment advisors, and lenders.

What’s at stake: Examiners expect a written program, board reporting, and evidence of independent testing. Findings turn into matters requiring attention, consent orders, or restrictions on growth.

Regulations That Apply

Regulation | What It Covers
GLBA Safeguards Rule | Written information security program for customer non-public personal information
FFIEC IT Handbook | Federal examination guidance for IT and cybersecurity
PCI DSS v4.0.1 | Required if processing or storing cardholder data
SEC Reg S-P | Customer information safeguards — 30-day breach notification
NCUA Part 748 | Credit union security — 72-hour cyber incident notification to NCUA
NYDFS 23 NYCRR 500 | If licensed in New York — Second Amendment through Nov 1, 2025

What You Need In Place

  • Designated qualified individual / CISO function
  • Written Information Security Program
  • Annual risk assessment
  • Multi-factor authentication on all customer data access
  • Encryption of customer data
  • Continuous monitoring or annual penetration testing
  • Vendor / service provider oversight program
  • Annual board reporting

Common Threats In This Sector

Financial firms are targeted for direct theft and for the customer data that enables downstream fraud. Wire-transfer authority and account access make even small RIAs and broker-dealers attractive targets.

  • Business email compromise targeting authorized signers and operations staff
  • Account takeover attacks against client-facing portals
  • Credential phishing for online banking, custodial platforms, and core systems
  • SEC and FINRA impersonation phishing aimed at compliance staff
  • Insider risk with broker-dealer or RIA access to client holdings
  • Third-party fintech vendor compromise reaching client data via integration

Documentation You’ll Be Asked For

GLBA, SEC Reg S-P, Reg S-ID, FINRA rules, and (for NY-licensed entities) NYDFS 23 NYCRR Part 500 all converge on a similar artifact set. State examiners, federal regulators, and cyber insurance underwriters request the same core documents.

  • Written Information Security Program meeting the GLBA Safeguards Rule (16 CFR Part 314 for FTC-regulated entities; equivalent federal banking-agency rules for depository institutions)
  • Designated Qualified Individual or CISO accountable for the program
  • Annual written risk assessment
  • Identity Theft Prevention Program (SEC Reg S-ID / FTC Red Flags Rule, 17 CFR § 248.201)
  • Vendor management documentation, especially for fintech integrations
  • Incident response plan including SEC, FINRA, and state notification timelines
  • Encryption inventory covering email, file transfer, and customer data at rest

Where Most Small Firms Fall Short

SEC OCIE and FINRA exam findings consistently surface the same handful of gaps in smaller registered firms. None of them are individually expensive to address.

  • No formal Safeguards Rule program — or one that has not been updated since GLBA was first written
  • MFA not enforced on every system that accesses customer data
  • Identity Theft Prevention Program written years ago and never refreshed
  • Fintech vendors onboarded without security review
  • No tested incident response process aligned to SEC and FINRA reporting expectations
  • Encryption gaps on email and on file transfers with custodians

How CGetty Helps

Risk assessments, GLBA Safeguards program development, vendor risk reviews, and security advisory tuned to small financial institutions.

Not Sure Where Your Business Stands?

We help small businesses understand what applies to them and build a practical plan to get there. Let’s talk.