Overview
What it is, in plain English.
The Gramm-Leach-Bliley Act governs how financial institutions protect customer financial information. The 2023 amendments to the FTC Safeguards Rule materially raised the bar — requiring named CISOs, written incident response plans, MFA, encryption, continuous monitoring, and qualified third-party assessments. Lyra runs GLBA programs for banks, lenders, fintech, broker-dealers, RIAs, and the long tail of non-bank financial institutions against which the FTC now actively enforces the rule.
GLBA Safeguards Rule and Privacy Rule compliance — including risk assessment, written information security programs, and ongoing testing.
Who needs it
Built for organizations that have to get this right.
Banks, credit unions, and savings institutions
Mortgage lenders, brokers, and servicers
Auto dealers (yes, really — covered as financial institutions)
Tax preparers, accountants, RIAs, broker-dealers, and non-bank lenders
Higher-ed institutions handling student financial aid (Title IV)
Our approach
How we get you audit-ready and keep you there.
We don't drop policy templates and disappear. We design controls, implement them in your environment, prepare every artifact, and walk with you through the audit — then operate the program after certification so you stay compliant year over year.
- 01 Risk Assessment: Written, periodic risk assessment of foreseeable internal and external threats to customer information — the foundation the Safeguards Rule explicitly requires.
- 02 Written Information Security Program (WISP): We build the WISP, designate the Qualified Individual (CISO), and define accountability all the way to the board.
- 03 Implement Required Safeguards: MFA, encryption, access controls, secure development, incident response, training, vendor oversight, and either continuous monitoring or an annual pentest plus biannual vulnerability assessment.
- 04 Annual Reporting & Testing: We produce the annual report to the board and run the testing cycles the rule requires.
Key controls
What's actually in scope.
Designated Qualified Individual (de facto CISO) accountable to the board
Multifactor authentication on all systems containing customer info
Encryption of customer information at rest and in transit
Incident Response Plan with FTC notification within 30 days for breaches affecting 500+ customers
Continuous monitoring OR annual penetration test plus biannual vulnerability assessment
Vendor oversight with contractual safeguard requirements
Deliverables
What you walk away with.
Written Information Security Program (WISP)
Risk assessment report
Incident Response Plan and tabletop exercise
Annual board report
Vendor management program and contract templates
Timeline
WISP and Safeguards Rule readiness: 8–14 weeks. Annual program operation is continuous.
Questions we hear
Straight answers to the real questions.
- Are auto dealers really covered?
- Yes — under the FTC's interpretation, anyone in the business of extending credit qualifies. The 2023 Safeguards Rule amendments hit dealerships especially hard, and FTC enforcement has been visible.
- What's the FTC breach notification rule?
- Effective May 2024 — financial institutions must notify the FTC of unauthorized acquisition of unencrypted customer information affecting 500+ consumers within 30 days.
- Does this apply to higher-ed Title IV operations?
- Yes — the Department of Education has formally adopted GLBA Safeguards Rule expectations into the Federal Student Aid Program Participation Agreement, with audit findings now common.
Other frameworks we support
- SOC 2 (Type 1 and Type 2): AICPA SOC 2
- ISO 27001: ISO/IEC 27001 ISMS
- CMMC: Cybersecurity Maturity Model Certification
- NIST 800-171: Protecting CUI in non-federal systems
- NIST CSF (including 2.0): NIST Cybersecurity Framework
- HIPAA / HITRUST: Healthcare privacy and security
24/7 Recovery
When the worst day hits, every minute matters.
Our breach team is standing by — call, email, or submit a request and we respond within minutes.