Financial Institutions
Managed IT and cybersecurity services for financial institutions and covered entities subject to the FTC Safeguards Rule under GLBA. Documentation examiners expect. Controls that actually operate.
Who We Serve
NTG provides managed IT and cybersecurity services to financial institutions and covered entities subject to the FTC Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA). We understand the regulatory landscape, the documentation that examiners expect, and the practical technology controls that make a Written Information Security Program (WISP) more than a paper exercise.
We serve organizations of all sizes: from single-location firms to multi-state operations. We build compliance programs that are right-sized for your business, not overengineered.
Financial Institutions Covered by the FTC Safeguards Rule
If your business handles nonpublic personal financial information (NPI) under GLBA, the Safeguards Rule applies to you, regardless of size.
What We Deliver
We build and maintain the documentation that state and federal examiners expect: WISP, risk assessment, vendor management records, access logs, and incident response procedures.
A Written Information Security Program is only valuable if the underlying controls actually work. We deploy and manage the technical safeguards that make your WISP more than a document.
The Safeguards Rule requires a designated Qualified Individual (QI) to oversee your information security program. NTG can serve in a virtual CISO capacity or support your designated QI with the technical substance they need.
We serve firms from single-location operations to multi-state enterprises. Compliance programs are scaled to your actual risk. No overspending on controls your business does not need.
Multi-location firms have one accountable IT partner. Remote management handles the majority of support; vetted local technicians are dispatched when onsite work is required.
The Safeguards Rule requires your QI to report to the board or senior officers annually. We prepare the technical summary and risk status report that supports that requirement.
Regulatory Requirements
The updated Safeguards Rule, which took full effect in 2023, requires covered financial institutions to implement a comprehensive WISP. Here are the key requirements and how NTG addresses each.
| Rule Ref. | Requirement | How NTG Addresses It |
|---|---|---|
| §314.4(b) | Risk Assessment | Annual documented risk assessment identifying risks to the security, confidentiality, and integrity of customer NPI. NTG conducts and documents this assessment annually. |
| §314.4(c) | Safeguards Implementation | Implement and regularly test safeguards to control the risks identified in the assessment. NTG deploys and manages the technical controls, with documented testing results. |
| §314.4(d) | Service Provider Oversight | Select and oversee service providers that maintain appropriate safeguards. NTG provides vendor risk management documentation and contract review guidance. |
| §314.4(e) | Program Evaluation | Regularly evaluate and adjust the information security program based on testing, monitoring, and material changes. NTG conducts annual reviews and provides updated documentation. |
| §314.4(f) | Written Incident Response Plan | Establish a written incident response plan addressing detection, containment, and notification. NTG develops, maintains, and tests your incident response procedures. |
| §314.4(g) | Qualified Individual | Designate a Qualified Individual to oversee, implement, and enforce your information security program. NTG supports your QI or serves in a virtual CISO capacity. |
| §314.4(h) | Annual Board Report | QI must report to the board or senior officers at least annually on the status of the information security program. NTG prepares the technical summary and risk report. |
| §314.15 | Encryption | Encrypt customer NPI in transit and at rest. NTG implements and documents encryption standards across your environment. |
| §314.15 | Multi-Factor Authentication | Implement MFA for any individual accessing customer NPI. NTG deploys and enforces MFA across systems handling customer financial data. |
| §314.15 | Access Controls | Limit and monitor access to customer NPI. NTG implements role-based access controls and maintains access logs. |
| §314.15 | Penetration Testing | Conduct annual penetration testing of your systems. NTG coordinates qualified penetration testing and documents results as part of your WISP evidence. |
| §314.15 | Security Awareness Training | Provide security awareness training to all personnel with access to customer NPI. NTG delivers and tracks annual security training. |
Gap Analysis
Many firms have no WISP at all, or have a template document that does not reflect their actual environment or controls. The Safeguards Rule requires a program tailored to your specific risks and operations.
The rule requires a named QI responsible for the information security program. Many smaller firms have never formally designated this role or given their QI the resources and reporting structure needed.
Multi-factor authentication is now explicitly required under the updated rule. Many firms still rely on passwords alone for remote access, email, and core business applications that touch customer financial data.
NPI stored on file servers, laptops, or cloud storage is frequently unencrypted. A laptop theft or cloud breach without encryption is a reportable incident. We implement encryption across all storage locations.
The rule requires you to oversee third-party service providers that access customer NPI. Most firms have no formal vendor inventory, no contractual security requirements, and no process for reviewing vendor controls.
The updated rule explicitly requires annual penetration testing. Many firms have never had a pen test conducted, or have outdated results that do not reflect current systems.
Services
Written Information Security Program (WISP)
Development and maintenance of a WISP tailored to your specific operations, risks, and customer data, not a generic template.
Annual Risk Assessment
Documented risk assessment identifying threats and vulnerabilities to customer NPI, with remediation recommendations and year-over-year tracking.
Qualified Individual (QI) Support / vCISO
Technical leadership and documentation support for your designated QI, or NTG serving in a virtual CISO capacity as your QI.
Multi-Factor Authentication
MFA deployment and enforcement across all systems and applications that access customer nonpublic personal information.
Encryption Implementation
Encryption of customer NPI at rest and in transit, with documented standards and inventory of where data lives.
Access Control and User Management
Role-based access controls, user lifecycle management, and access logging: limiting who can reach customer data and maintaining evidence of that control.
Vendor Risk Management Program
Vendor inventory, contractual security requirements, and annual review process satisfying the Safeguards Rule service provider oversight requirement.
Annual Penetration Testing
Coordination of qualified penetration testing with documented findings and remediation tracking as part of your WISP evidence package.
Incident Response Plan
Written incident response plan with defined detection, containment, notification, and recovery procedures: tested and updated annually.
Security Awareness Training
Annual training for all personnel with access to customer NPI, with completion tracking for examiner documentation.
Board / Senior Officer Annual Report
Preparation of the annual information security report your QI is required to deliver to the board or senior management.
24/7 Monitoring and Help Desk
Continuous monitoring of your environment with live support for staff, keeping operations running while maintaining the security posture your compliance program requires.
FAQ
The FTC Safeguards Rule is not optional, and enforcement is real. Here is what financial services firms need to know about staying compliant and protecting client data in 2026.
Financial services firms face strict BCP requirements under FINRA Rule 4370, the FTC Safeguards Rule, and SEC oversight. Here's how to build a plan that covers both physical and cyber disruptions.
CPA firms and financial services companies face unique IT budget pressures in 2026 — from FTC Safeguards Rule compliance costs to tax season infrastructure spikes. Here's how to plan strategically.
About the author
Ken Satkunam, CISM
President & Founder, NorthStar Technology Group
Ken has spent over 25 years in IT leadership, serving in roles from technical support to CIO for organizations as large as 23,000 employees. He founded NorthStar Technology Group in 2000 to help regulated organizations build secure, compliant, and operationally resilient technology environments. Ken holds the Certified Information Security Manager (CISM) credential from ISACA and is the co-author of the Amazon best-seller "Cyber Attack Prevention." He has been quoted in industry publications including eWeek and DM News, and NorthStar has been recognized on the Inc. 5000 list in both 2024 and 2025.
NTG starts every financial institution engagement with a no-cost Safeguards Rule gap assessment. You will see exactly which requirements are met, which are missing, and what it would take to close the gaps, before committing to anything.
