Compliance · GLBA Safeguards Rule

The Safeguards Rule offers a choice.
Continuous is the stronger one.

The FTC Safeguards Rule lets you meet its testing obligation with continuous monitoring, or with annual penetration testing plus semiannual vulnerability assessments. SpartanX supports either path with a continuous adversary that proves exploitability inside and out. It supports your program and complements your assessor; it does not make you compliant on its own.

The requirement

Continuous monitoring, or annual testing plus semiannual assessment.

Under the FTC Safeguards Rule (16 CFR Part 314), a financial institution must regularly test or otherwise monitor the effectiveness of its safeguards. Section 314.4(d)(2) gives two paths: continuous monitoring of information systems, or, absent that, annual penetration testing plus vulnerability assessments at least every six months and whenever there is a material change. Either way, the testing has to be real and documented.

Scope

Non-banking financial institutions that handle customer information.

The Safeguards Rule reaches a broad set of financial institutions, including many fintechs, lenders, and financial-services providers, that maintain customer information. The systems that hold or touch that information are in scope, and continuous monitoring is the path that best fits a modern, fast-changing environment.

How it supports your program

Continuous monitoring you can actually evidence.

The continuous-monitoring path
SpartanX runs an always-on adversary, which is the continuous-monitoring option the rule prefers, with proof rather than a status light.
External and internal
It tests your external surface, and through NodeX runs the same adversary inside the perimeter where customer information lives. Learn about NodeX.
Exploit-validated findings
Proof with every finding, defensible to an assessor.
Remediate and retest
Prioritized, fixed, and re-attacked to confirm closure, including after material changes.
Audit-ready evidence
Continuous, dated, Safeguards-mapped reporting for your qualified individual and your examiners.
The outcome

The continuous path, with the paperwork done for you.

Rather than stitching together an annual test and semiannual scans, you get continuous, exploit-validated monitoring and a live evidence trail, which satisfies the spirit of the rule and stays current between reviews.

Support your Safeguards Rule program with continuous monitoring that proves itself.

See how SpartanX runs the continuous path and hands you the evidence.