GLBA Compliance Overview

The Gramm-Leach-Bliley Act (GLBA) is a U.S. federal law that mandates that financial companies safeguard customers’ nonpublic personal information (NPI). It affects a wide range of entities in banking and financial services, including banks, lenders, investment firms, and other entities that handle sensitive financial data. GLBA describes how customer information is collected, stored, shared, and protected, with an understanding in the organization where sensitive data is stored and how it is protected in systems and workflows.

Why It Matters

GLBA sets clear requirements for protecting customer financial information. Organizations that do not comply with these standards can suffer from enforcement actions, civil penalties, and reputational damage. As financial information remains an attractive area for cyber threats, that is, because of its high value to the public, organizations will see their data governance and security programs as a must. It’s not an academic activity. It takes regular monitoring, risk assessment and controls to evolve based on changes in threats and business environments.

Core Focus Areas

GLBA focuses on three primary points: safeguarding customer information with adequate administrative, technical, and physical safeguards; minimizing the use and disclosure of nonpublic personal information; and having clear policies and responsibility in place as to how data is handled. It's not uncommon for organizations to adopt risk-based security programs, ensure that data is only accessible to authorized users, and monitor who handles the collection of confidential financial information.

Next Steps

For organizations that review GLBA posture, visibility into sensitive financial data needs improvements as do security controls in all its security areas, and governance processes to ensure continuous compliance. Clear documentation, audit-ready practices demonstrate adherence to GLBA requirements.