GLBA pentest

The FTC Safeguards Rule requires annual GLBA penetration testing. Your Qualified Individual needs current evidence.

Annual penetration testing under 16 CFR § 314.4(d)(2), scoped to your customer information and technical safeguards — delivered as a report your Qualified Individual can hand to examiners as-is.

What is at stake

FTC examiners are looking for current pentest evidence. A gap is a finding.

Examiner expectations have tightened

The 2023 Safeguards Rule revisions put explicit GLBA penetration-testing language into 314.4(d)(2). Examiners now look for current evidence as a standard part of program review.

The continuous-monitoring path is harder than it sounds

314.4(d)(2) allows continuous monitoring as an alternative, but it requires a documented program meeting a higher evidentiary bar. Most institutions find annual pentests the cleaner path.

State rules add another layer

State regulators — notably NYDFS under 23 NYCRR 500 — have their own testing expectations. A report mapped only to the federal rule may leave a gap with your state examiner.

How we help — what we cover

Six Safeguards Rule expectations your examiner will check.

We scope and report against the specific 314.4 paragraphs your program needs to address — including applicable state rules — so your Qualified Individual has complete evidence.

314.4(d)(2) — Penetration testing

Annual penetration testing of information systems or continuous monitoring plus periodic assessments. Most institutions choose annual pentests — the continuous-monitoring path requires a higher evidentiary bar.

314.4 — Information security program

A written program tailored to the institution's size, complexity, and activities. The pentest sits in the program's monitoring and testing pillar.

314.4(a) — Qualified Individual

A Qualified Individual oversees the information security program. Our reports are written so the QI can defend the testing program to examiners.

314.4(b) — Risk assessment

A periodic written risk assessment informing the program. Penetration testing produces the real-world exposure data a credible risk assessment is grounded in.

314.4(c) — Safeguards

Access controls, encryption, MFA, change management, and secure disposal. Our testing covers the technical safeguards directly.

Who is covered

Non-bank financial institutions under FTC jurisdiction — mortgage brokers, payday lenders, auto dealers extending credit, tax preparers, collection agencies, non-SEC-registered investment advisors, and others.

How an engagement works

Four phases, every GLBA engagement.

  1. Customer-information scoping

     We map systems handling non-public personal information and confirm the Qualified Individual's scope expectations.

  2. Manual testing

     Authenticated and unauthenticated testing across in-scope applications, APIs, networks, and cloud accounts, aligned to 314.4(c) safeguards.

  3. Safeguards-mapped reporting

     Each finding tagged to the 314.4 paragraphs it touches, with cross-references to applicable state rules.

  4. Retest and reissue

     After fixes we retest and reissue; the version your Qualified Individual hands to examiners reflects the post-fix state.

Examiner review coming up?

A quick scoping call confirms your 314.4 coverage, state rule overlap, and a start date.

Control mapping in the report

How findings tie to the Safeguards Rule.

Every finding is tagged to the specific 16 CFR § 314.4 paragraphs it touches, with cross-references to applicable state rules (NYDFS and others) where relevant.

| Example finding | Mapped to |
|---|---|
| Plaintext storage of customer information | § 314.4(c)(3) Encryption of customer information at rest |
| Multi-factor authentication missing on a system handling NPI | § 314.4(c)(5) Multi-factor authentication |
| Inadequate access controls to non-public personal information | § 314.4(c)(1) Access controls |
| No change-management controls on security-relevant code paths | § 314.4(c)(7) Change management |
| Insufficient logging of authorized user activity | § 314.4(c)(8) Monitoring authorized users and detecting unauthorized access |
| Secure disposal process for customer information missing | § 314.4(c)(6) Secure disposal of customer information |
| No periodic testing program in place | § 314.4(d) Testing of safeguards (pentest or continuous monitoring) |

Each finding also carries severity, CVSS, reproduction steps, evidence, and a paste-ready remediation: the § 314.4 mapping gives your Qualified Individual (§ 314.4(a)) what examiners ask for, and the remediation gives your engineering team the fix.

FAQ

GLBA pentest — common questions

Who is subject to the FTC Safeguards Rule?

Non-bank "financial institutions" under FTC jurisdiction. The FTC reads the term broadly — mortgage brokers, payday lenders, finance companies, auto dealers that extend credit, tax preparers, non-SEC-registered investment advisors, collection agencies, and more. If you handle non-public personal information in connection with a financial activity, the Rule likely applies.

Is penetration testing actually mandatory?

Under 314.4(d)(2), institutions must implement either annual penetration testing or continuous monitoring plus periodic assessments. In practice most choose annual pentests because the continuous-monitoring path requires a documented program meeting a higher evidentiary bar. Examiners now look for current pentest evidence as a standard part of program review.

Does the Safeguards Rule replace state-level requirements?

No. State regulators — notably NYDFS under 23 NYCRR 500 — have their own technical testing expectations that may be stricter. We map findings to both federal and applicable state rules in a single report.

How does this differ from a SOC 2 pentest?

The methodology is the same. The framing differs: SOC 2 maps to the Trust Services Criteria; a GLBA pentest maps to Safeguards Rule sections (especially 314.4(c) and 314.4(d)(2)). Many customers need both, and we produce one report aligned to both.

Want a credible answer when a customer, auditor, or your board asks how secure you are?

A quick scoping call with the senior tester who would run your engagement. No slides, no pitch — we look at what you have, tell you what we would test first, and give you a fixed scope, price, and date.