GLBA Penetration Testing Requirements
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect customer information, and its Safeguards Rule now spells out exactly how. Since the updated rule took effect in June 2023, annual penetration testing is a specific technical requirement for institutions under FTC jurisdiction.
This guide breaks down what the Safeguards Rule requires for penetration testing, who counts as a financial institution, the testing cadence, and how Budget Security delivers engagements built for that obligation.
What the Safeguards Rule Requires
The 2021 update to the Safeguards Rule turned GLBA from a general obligation into a set of concrete technical controls. The ones that shape your testing programme are:
Annual Penetration Testing
16 CFR 314.4(d)(2) requires annual penetration testing of information systems, or effective continuous monitoring in its place
Six-Monthly Vulnerability Assessments
Vulnerability assessments at least every six months, and after material changes to systems handling customer information
Written Security Program
A documented information security program overseen by a designated Qualified Individual
Supporting Controls
Encryption, multi-factor authentication, and access controls that penetration testing helps validate in practice
Regulators expect documented evidence that this testing has been performed and that findings have been remediated. A recent penetration test report is direct evidence of Safeguards Rule compliance.
Annual Testing or Continuous Monitoring
The Safeguards Rule gives institutions two paths to satisfy the ongoing testing obligation. Understanding the choice helps you plan:
The Annual Penetration Test Path
Perform a full penetration test of your information systems at least once a year. For most institutions this is the clearest, most defensible way to demonstrate compliance, and it produces a single report that regulators and auditors recognize.
The Continuous Monitoring Path
If you operate effective continuous monitoring that detects changes and new vulnerabilities on an ongoing basis, you can use it in place of the annual test, but you must still run vulnerability assessments at least every six months.
Testing After Material Changes
Either path requires reassessment when there are material changes to operations or systems, such as launching a new application that handles customer financial information.
Who Is In Scope
Non-bank financial institutions
Mortgage lenders and brokers, payday lenders, auto dealers arranging financing, tax preparers, debt collectors, and investment advisers under FTC jurisdiction.
Fintech and data handlers
Fintech companies and service providers that collect or process consumer financial information fall within the Safeguards Rule.
The testing cadence
Annual penetration testing (or continuous monitoring) plus six-monthly vulnerability assessments on systems handling customer information.
Evidence and oversight
The Qualified Individual reports on the program, and test results and remediation records support that reporting.
How Budget Security Helps You Meet GLBA
Budget Security delivers the annual penetration testing the Safeguards Rule requires, scoped to the systems that handle customer financial information. Use our platform to scope and launch engagements on your timeline, starting at EUR 849 per day.
Scope to customer-information systems
Define the applications, networks, and APIs that store or process customer financial information, so testing matches your Safeguards Rule scope.
Testing by qualified engineers
Our testers hold recognized offensive security certifications (OSCP, OSWE) and follow OWASP, PTES, and NIST SP 800-115 methodologies.
Regulator-ready reporting
Reports document the annual test with CVSS v3.1 scores, exploitation evidence, and remediation guidance, formatted for your Qualified Individual and examiners.
Remediation tracking and retesting
Track fixes through our vulnerability dashboard, then retest to confirm remediation and evidence continuous improvement.
Get Your GLBA Pentest Quote
See exactly what your GLBA-aligned penetration test would cost. Engagements satisfy the Safeguards Rule annual testing requirement and produce regulator-ready evidence for your Qualified Individual.