Skip to main content
    GLBA Safeguards Rule / 16 CFR 314
    ·By Budget Security

    GLBA Penetration Testing Requirements

    The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect customer information, and its Safeguards Rule now spells out exactly how. Since the updated rule took effect in June 2023, annual penetration testing is a specific technical requirement for institutions under FTC jurisdiction.

    This guide breaks down what the Safeguards Rule requires for penetration testing, who counts as a financial institution, the testing cadence, and how Budget Security delivers engagements built for that obligation.

    What the Safeguards Rule Requires

    The 2021 update to the Safeguards Rule turned GLBA from a general obligation into a set of concrete technical controls. The ones that shape your testing programme are:

    Annual Penetration Testing

    16 CFR 314.4(d)(2) requires annual penetration testing of information systems, or effective continuous monitoring in its place

    Six-Monthly Vulnerability Assessments

    Vulnerability assessments at least every six months, and after material changes to systems handling customer information

    Written Security Program

    A documented information security program overseen by a designated Qualified Individual

    Supporting Controls

    Encryption, multi-factor authentication, and access controls that penetration testing helps validate in practice

    Regulators expect documented evidence that this testing has been performed and that findings have been remediated. A recent penetration test report is direct evidence of Safeguards Rule compliance.

    Annual Testing or Continuous Monitoring

    The Safeguards Rule gives institutions two paths to satisfy the ongoing testing obligation. Understanding the choice helps you plan:

    The Annual Penetration Test Path

    Perform a full penetration test of your information systems at least once a year. For most institutions this is the clearest, most defensible way to demonstrate compliance, and it produces a single report that regulators and auditors recognize.

    The Continuous Monitoring Path

    If you operate effective continuous monitoring that detects changes and new vulnerabilities on an ongoing basis, you can use it in place of the annual test, but you must still run vulnerability assessments at least every six months.

    Testing After Material Changes

    Either path requires reassessment when there are material changes to operations or systems, such as launching a new application that handles customer financial information.

    Who Is In Scope

    Non-bank financial institutions

    Mortgage lenders and brokers, payday lenders, auto dealers arranging financing, tax preparers, debt collectors, and investment advisers under FTC jurisdiction.

    Fintech and data handlers

    Fintech companies and service providers that collect or process consumer financial information fall within the Safeguards Rule.

    The testing cadence

    Annual penetration testing (or continuous monitoring) plus six-monthly vulnerability assessments on systems handling customer information.

    Evidence and oversight

    The Qualified Individual reports on the program, and test results and remediation records support that reporting.

    How Budget Security Helps You Meet GLBA

    Budget Security delivers the annual penetration testing the Safeguards Rule requires, scoped to the systems that handle customer financial information. Use our platform to scope and launch engagements on your timeline, starting at EUR 849 per day.

    1

    Scope to customer-information systems

    Define the applications, networks, and APIs that store or process customer financial information, so testing matches your Safeguards Rule scope.

    2

    Testing by qualified engineers

    Our testers hold recognized offensive security certifications (OSCP, OSWE) and follow OWASP, PTES, and NIST SP 800-115 methodologies.

    3

    Regulator-ready reporting

    Reports document the annual test with CVSS v3.1 scores, exploitation evidence, and remediation guidance, formatted for your Qualified Individual and examiners.

    4

    Remediation tracking and retesting

    Track fixes through our vulnerability dashboard, then retest to confirm remediation and evidence continuous improvement.

    Get Your GLBA Pentest Quote

    See exactly what your GLBA-aligned penetration test would cost. Engagements satisfy the Safeguards Rule annual testing requirement and produce regulator-ready evidence for your Qualified Individual.

    GLBA Penetration Testing FAQ

    Does GLBA require penetration testing?
    Yes. The FTC Safeguards Rule under the Gramm-Leach-Bliley Act (16 CFR 314.4(d)(2)) requires financial institutions to perform annual penetration testing of their information systems, or to implement continuous monitoring in its place, along with vulnerability assessments at least every six months. This became a firm requirement with the updated Safeguards Rule that took effect in June 2023.
    What is the GLBA Safeguards Rule?
    The Safeguards Rule is the part of GLBA, enforced by the Federal Trade Commission, that requires financial institutions to develop, implement, and maintain a written information security program to protect customer information. The 2021 update added specific technical requirements, including penetration testing, encryption, multi-factor authentication, and a designated Qualified Individual to oversee the program.
    Who has to comply with the GLBA Safeguards Rule?
    The rule applies to financial institutions under FTC jurisdiction, which is broader than banks. It includes mortgage lenders and brokers, payday lenders, auto dealers that arrange financing, tax preparers, debt collectors, investment advisers, and many fintech companies that handle consumer financial information.
    How often does GLBA require penetration testing?
    The Safeguards Rule requires annual penetration testing of information systems. If an institution runs effective continuous monitoring that detects changes and vulnerabilities on an ongoing basis, it can use that in place of the annual test, but it must still perform vulnerability assessments at least every six months.
    What triggers extra GLBA testing?
    Beyond the annual cadence, the Safeguards Rule expects reassessment whenever there are material changes to your operations or information systems, or when circumstances suggest a material impact on your information security program, such as a new application handling customer data or a significant infrastructure change.
    How much does a GLBA penetration test cost?
    A GLBA-aligned penetration test with Budget Security starts at EUR 849 per day. Total cost depends on the number of applications, network segments, and APIs that store or process customer information. Use our pricing page to calculate an estimate for the systems in your Safeguards Rule scope.