New FTC Guidance Clarifies Safeguards Rule Obligations

The Federal Trade Commission (FTC) has released new guidance in the form of FAQs to help financial institutions—and their service providers—better understand and comply with the Safeguards Rule.

Originally enacted under the Gramm-Leach-Bliley Act (GLBA), the Safeguards Rule requires non-banking financial institutions to maintain a written information security program designed to protect customer data. But recent updates—and the FTC’s clarified expectations—have made this rule more relevant than ever to managed service providers (MSPs).

What Changed—and Why It Matters to MSPs

The FTC amended the Safeguards Rule in 2021 to strengthen requirements in light of modern threats and evolving technology. In 2023, the rule was further revised to add mandatory breach reporting for incidents affecting customer data.

The new June 2025 FAQ guidance offers clarification on:

  • What qualifies as a financial institution under the rule
  • Specific technical and administrative safeguards required
  • What triggers breach reporting obligations
  • How the rule applies to service providers—including MSPs

If you support clients in financial services, auto dealerships, or other covered entities, this guidance affects you.

The MSP Connection: Shared Responsibility

MSPs are often responsible for implementing or managing security controls outlined in their clients’ information security programs. The new guidance reinforces that financial institutions must ensure their service providers also meet the rule’s requirements.

That means MSPs should be prepared to:

  • Demonstrate how their services support compliance
  • Assist clients in breach detection and reporting
  • Maintain contracts that reflect GLBA-aligned responsibilities
  • Undergo due diligence as part of vendor risk management

Stay Ahead of Compliance Expectations

MSPs offering cybersecurity, data storage, or managed IT services to regulated clients should review the updated FTC guidance to ensure alignment. Even if you’re not directly regulated, neglecting your role in safeguarding customer data can carry legal and reputational risk.

You can access the full FAQ and related resources on the FTC’s Safeguards Rule page.

Need help aligning your documentation and controls to meet client expectations under GLBA? Compliance Scorecard makes it easy to track safeguards, assign responsibilities, and prove compliance—whether you're the one being assessed or the one enabling it. Book a Live Demo to see what we can do for you.

"*" indicates required fields
