Industry Guide

Cybersecurity for Financial Services: GLBA, FTC Safeguards & SOC 2 Guide | CyberStackHub

Financial services SMBs — independent RIAs, mortgage brokers, insurance agents, credit unions, fintech startups, and accounting firms — face overlapping federal and state cybersecurity regulations: GLBA, the FTC Safeguards Rule, NY DFS 23 NYCRR 500, SOC 2, and PCI DSS. Criminals know this sector holds the highest-value data (SSNs, account numbers, financial records) and that smaller organizations often lack the controls that big banks have. This guide covers which regulations apply to your business type, what controls they require, and how to close the gaps before regulators or attackers do it for you.

📅 Updated June 2026 ⏱ 8 min read 🏢 Financial Services Sector
300x more likely to be targeted than other industries (Boston Consulting Group Financial Services Cyber Report 2025)

Top Cyber Risks for Financial Services Businesses

  • FTC Safeguards Rule non-compliance: civil penalties up to $50,000 per day; mandatory remediation reporting to the FTC
  • Account takeover via credential stuffing: average $40K loss per ATO incident; regulators treat successful ATOs as evidence of inadequate controls
  • Business Email Compromise / wire fraud: $2.9B in BEC losses reported to FBI IC3 in 2024; the financial sector is the #1 target
  • Third-party data processor breaches: 62% of financial SMB breaches originate with a vendor or processor you already work with
  • NY DFS 23 NYCRR 500 violations: New York-licensed financial institutions face up to $1,000 per violation per month, and NY DFS actively audits

Regulations That Apply to Financial Services Firms

Five overlapping frameworks may apply to your firm depending on business type, state of incorporation, client base, and payment processing. Not all apply to every firm — use this guide to identify which are relevant to you.

FTC Safeguards Rule (16 CFR Part 314)

Applies to: All financial institutions under FTC jurisdiction: RIAs, mortgage brokers, insurance agents, credit unions, tax preparers, payday lenders, check-cashing firms, car dealers financing in-house.

  • Written Information Security Plan (WISP) — must be maintained and updated annually
  • Designated "Qualified Individual" overseeing the security program (can be external)
  • Multi-factor authentication (MFA) for all internal systems accessing customer data
  • Encryption of all customer data at rest and in transit
  • Annual penetration testing; quarterly vulnerability scans
  • Inventory of covered data and where it is stored, processed, transmitted
  • Incident response plan with 72-hour notification to FTC for covered incidents
  • Oversight of all service providers with access to customer data (contractual + monitoring)
Penalty: $50,000 per day per violation; FTC has levied $25M+ in enforcement actions since 2023.

NY DFS 23 NYCRR 500

Applies to: Covered entities: businesses operating under a DFS license in New York — includes insurance companies, banks, money transmitters, virtual currency businesses, and mortgage brokers originating in NY.

  • Cybersecurity Program with annual CISO approval and board reporting
  • Annual penetration testing and bi-annual vulnerability assessments
  • MFA required for all internal access; privileged access management for admin accounts
  • Encryption of Nonpublic Information (NPI) at rest and in transit
  • Data retention schedule — only keep what is necessary
  • Class A for large entities (>$10M gross revenue or 1,000 employees): requires independent CISO audit
  • 72-hour notification to NY DFS Superintendent for cybersecurity events
  • Affiliate and third-party oversight under the program
Penalty: $1,000 per violation per month; DFS has issued enforcement actions against insurance companies and debt collectors.

GLBA (Gramm-Leach-Bliley Act)

Applies to: All financial institutions — this is the foundational federal law. FTC Safeguards Rule is GLBA's implementing regulation. State attorneys general can also enforce GLBA.

  • Financial Privacy Rule: disclose what data you collect, how you use it, and how you protect it
  • Safeguards Rule: implement measures to protect customer NPI — now explicitly includes specific technical controls under the 2023 amendment
  • Pretexting protection: procedures to prevent social engineering and phone-based fraud
  • Disposal Rule: properly dispose of customer information when no longer needed
Penalty: Civil and criminal penalties; state AG enforcement; reputational harm from public breach disclosure.

SOC 2 (for fintechs and RIAs with enterprise clients)

Applies to: Fintechs with B2B clients, RIAs serving institutional investors, and any firm where enterprise clients ask for a vendor security review. Not legally mandated but contractually required by most enterprise prospects.

  • Trust Services Criteria: Security (required), Availability, Processing Integrity, Confidentiality, Privacy
  • Common Criteria: CC1–CC7 (Control Environment through Monitoring)
  • Continuous monitoring of controls — not a point-in-time checklist
  • Annual audit by an independent CPA firm; Type II report covers 6+ months
  • Evidence collection and retention for every control tested
Penalty: Loss of enterprise contracts; excluded from RFPs; investor due diligence failure.

PCI DSS (if accepting or processing card payments)

Applies to: Any firm that accepts, stores, processes, or transmits payment card data — regardless of size. Different self-assessment questionnaires (SAQs) apply based on how you accept cards.

  • SAQ A (e-commerce/card-not-present): PCI DSS 4.0 requirements for merchants using hosted payment pages
  • SAQ A-EP (e-commerce using redirect): additional scoping requirements for cardholder data flows
  • Install and maintain network firewalls, change default passwords on all system components
  • Encrypt cardholder data in transit with TLS 1.2+; at rest with strong cryptography
  • Maintain inventory of all system components in scope; restrict access by business need-to-know
  • Regularly test security systems and processes — at least annually and after significant changes
  • Maintain information security policy and acceptable use documentation
Penalty: $5,000–$100,000 per month from card networks; loss of ability to accept cards; liability for fraud losses.

Required Controls at a Glance

These controls appear across FTC Safeguards Rule, NY DFS 23 NYCRR 500, and GLBA — and are the basis for any compliance gap assessment.

Control Area: Required Control
  • Access Control: MFA for all internal systems and admin accounts; FTC Safeguards Rule and NY DFS both require it
  • Encryption: TLS 1.2+ in transit; AES-256 or equivalent at rest for all customer NPI and card data
  • Incident Response: written IR plan with 72-hour notification obligations to FTC and/or NY DFS; annual tabletop exercises
  • Third-Party Risk: written contracts with all service providers requiring security standards; annual vendor risk assessments
  • Vulnerability Management: annual penetration testing plus quarterly vulnerability scans; all critical/high findings remediated within 30 days
  • Asset Inventory: maintain a current inventory of all systems storing, processing, or transmitting customer data
  • Monitoring: log collection, anomaly detection, and alerting for all systems accessing customer data; at minimum 90-day log retention
  • Security Awareness: annual cybersecurity training for all employees; phishing simulations at least quarterly

Frequently Asked Questions

Q: Does the FTC Safeguards Rule apply to my small RIA or mortgage broker?
Yes, if you are a 'financial institution' under FTC jurisdiction — and most RIAs, mortgage brokers, insurance agents, credit unions, and accounting firms that provide financial services qualify. The rule applies to firms of all sizes. The FTC has explicitly confirmed that small businesses are not exempt.
Q: What is the NY DFS 23 NYCRR 500 and do I need to comply?
If your firm is licensed by the New York Department of Financial Services — including insurance producers, mortgage brokers, banks, and money transmitters operating in NY — you must comply with NY DFS 23 NYCRR 500. Even if your main office is elsewhere, if you are NY-licensed you are covered. The regulation includes a specific 'Class A' designation for large entities (>$10M gross annual revenue or 1,000 employees) with additional requirements.
Q: What are the specific FTC Safeguards Rule technical requirements I need to implement?
Since the 2023 amendment, the Safeguards Rule requires: MFA for all internal systems, encryption of customer data at rest and in transit, annual penetration testing by a qualified third party, quarterly vulnerability scans, a designated Qualified Individual overseeing the security program, and continuous monitoring with log retention. These are not optional 'best practices' — they are specific obligations.
Q: What is the difference between GLBA and the FTC Safeguards Rule?
GLBA (Gramm-Leach-Bliley Act, 16 USC § 6801) is the foundational federal law requiring financial institutions to protect customer information. The FTC Safeguards Rule (16 CFR Part 314) is GLBA's primary implementing regulation — it spells out the specific requirements. Think of GLBA as the mandate and the Safeguards Rule as the rulebook. Both apply, and both have enforcement teeth.
Q: Do small financial services firms need SOC 2?
SOC 2 is not legally required, but it is increasingly contractually required by enterprise clients and institutional investors doing due diligence. If you are a fintech, RIA with institutional clients, or any B2B financial services firm, your enterprise prospects will ask for a SOC 2 Type II report as a prerequisite to signing. The absence of one disqualifies you from most formal RFPs.
Q: What is the penalty for FTC Safeguards Rule non-compliance?
Civil penalties up to $50,000 per day per violation. The FTC has levied enforcement actions totaling over $25 million since 2023, and the FTC has stated it is actively prioritizing Safeguards Rule enforcement. Beyond penalties, covered incidents require mandatory remediation reporting to the FTC — and failed controls are documented in the public enforcement record.
Q: How do I know if my third-party vendors are covered under Safeguards Rule oversight?
Any service provider with access to customer Nonpublic Information (NPI) — including cloud storage providers, email platforms, CRM systems, payroll processors, and document management tools — requires contractual security obligations and monitoring. You must maintain a list of all covered service providers and assess their security posture at least annually.
Q: What is the 72-hour notification requirement under the FTC Safeguards Rule?
When you discover a 'covered security event' — unauthorized access to customer information that either affects 500+ consumers or results in substantial harm — you must notify the FTC within 72 hours. The notification must include: what happened, what data was affected, how you discovered it, and remediation steps. This requires an incident response plan and defined decision-making criteria before an incident occurs.

Financial Services Cybersecurity Statistics

Data from public sources including Verizon DBIR, IBM Cost of Data Breach, FBI IC3, and industry-specific research.

  • $5.9M: average data breach cost in financial services (IBM Cost of Data Breach 2025)
  • $50K/day: maximum FTC civil penalty for Safeguards Rule violations (FTC Safeguards Rule, 16 CFR Part 314)
  • 62%: share of financial SMB breaches that originate with third-party vendors (Verizon 2025 DBIR)
  • $2.9B: BEC losses reported to FBI IC3 in 2024 (FBI IC3 2024 Annual Report)
  • 72 hrs: required notification window to FTC under the Safeguards Rule (16 CFR Part 314.9)