Compliance crosswalk · GLBA
GLBA Safeguards Rule (US) - email + domain controls, mapped to Wiredepth
Framework version: 16 CFR Part 314 - 2021 revisions effective June 9 2023
Who this is for. US financial institutions under the FTC's jurisdiction (broader than banks): mortgage brokers, payday lenders, automobile dealers extending credit, tax-prep firms, investment advisors not SEC-registered, finance companies, and many more. The 2021 Safeguards Rule revision dramatically tightened technical requirements + expanded the population of qualifying institutions.
What changed in 2023. The revised rule (effective June 9, 2023) introduced explicit requirements: written information-security programme, designated qualified individual, encryption of customer information at rest + in transit, multi-factor authentication, risk assessments, incident response plan, annual board reporting, and 30-day notification of breaches affecting 500+ customers (notification rule effective May 13, 2024).
Where email + domain controls fit. Email is one of the channels customer information moves through. The encryption-in-transit requirement under 314.4(c)(3) is the headline email-relevant clause; service-provider oversight under 314.4(f) covers authorised email-sending vendors. The 30-day breach notification rule expands the audit-log + incident-response surfaces in scope.
Clause-by-clause mapping
Each row maps a specific GLBA requirement to the Wiredepth surface that addresses it. The clause ids are the framework's own naming - verify them against the official text. We use precise language: "addresses" (the tool directly satisfies the control), "supports" (the tool contributes evidence the auditor will need), and "evidence for" (the artifact is part of the attestation package).
| Clause | Requirement | Wiredepth response |
|---|---|---|
| 314.4(a) - Designated qualified individual (Reporting) | Designate a qualified individual responsible for overseeing, implementing, + enforcing the information security programme. | Wiredepth is a sub-processor option for the qualified individual. Scheduled compliance PDFs + the audit-log chain feed into the periodic reporting the qualified individual takes to the board. |
| 314.4(b) - Risk assessment (Inventory) | Conduct a written risk assessment that identifies reasonably foreseeable internal + external risks to the security, confidentiality, and integrity of customer information. | Email-auth scorecard PDF + vendor consolidation audit are direct inputs to the risk-assessment exercise. Per-domain posture grade quantifies the email-channel risk in the format an FTC examiner expects. |
| 314.4(c)(3) - Encryption of customer information in transit (Transport) | Encrypt all customer information held or transmitted by the institution, both in transit over external networks + at rest. | TLS + MTA-STS analyser scores per-domain transport encryption. PROTECTED + above sensitivity requires TLS 1.2 minimum; the per-port testing (25 / 587 / 465 / 443) covers the email-channel transit surface explicitly. |
| 314.4(c)(4) - Adopt secure development practices (Monitoring) | Adopt secure development practices for in-house applications + procedures for evaluating, assessing, or testing the security of externally-developed applications. | Audit-log Merkle chain (see /docs/verify) + the free public verifier are themselves a worked example of secure development with verifiable integrity properties. The model + the code patterns are reusable for internal apps that need similar properties. |
| 314.4(c)(5) - Multi-factor authentication (Authentication) | Implement multi-factor authentication for any individual accessing any information system, unless the qualified individual has approved in writing the use of reasonably equivalent or more secure access controls. | Email-auth posture is the channel-security foundation MFA-via-email depends on. DMARC at p=reject prevents MFA-email impersonation; alerts on regression catch when the foundation moves. |
| 314.4(d) - System monitoring + testing (Monitoring) | Regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures. Continuous monitoring is the preferred form. | Hourly cadence + alert routing + continuous threat-intel layer cover the monitoring requirement. Pen-test alternative path: the rule allows continuous monitoring as a substitute for annual pen tests + bi-annual vulnerability assessments. |
| 314.4(f) - Service provider oversight (Inventory) | Oversee service providers by (1) taking reasonable steps to select + retain service providers capable of maintaining appropriate safeguards, (2) requiring those providers by contract to implement + maintain such safeguards, and (3) periodically assessing service providers based on the risk they present. | Vendor consolidation audit enumerates authorised email senders. Per-vendor posture grade + scheduled rescans cover the periodic assessment. De-authorisation guides at /docs/deauthorize cover offboarding. |
| 314.4(h) - Incident response plan (Reporting) | Establish a written incident-response plan designed to promptly respond to + recover from any security event materially affecting the confidentiality, integrity, or availability of customer information. | Incident-readiness workpaper documents the plan in the format an FTC examiner would expect. Hosted DMARC report inbox provides the detection signals that often trigger plan activation. |
| Notification of security events affecting 500+ customers (Reporting) | As of May 13 2024, notify the FTC within 30 days of discovering a security event involving the unencrypted information of 500 or more consumers. | Incident-readiness workpaper includes the 30-day FTC notification timeline. Tamper-evident audit log provides the chronological evidence necessary for the post-event investigation. |
What auditors actually look at
An FTC compliance examiner reviewing the email + domain surface would typically request:
- The written information-security programme + the qualified individual's designation
- Risk-assessment documentation with email-channel risks explicitly enumerated
- Per-domain TLS + DMARC posture sampled across the examination window
- Service-provider register of authorised email senders + last-assessed dates
- Incident-response plan + records of any events that triggered the 30-day notification analysis
Generate a GLBA-tagged evidence pack (Wiredepth Prove)
Prove subscribers can generate a ZIP of all five workpapers + a GLBA README in one click. Single domain, single click, ready to file in your audit binder. See pricing at /pricing#prove ($499/mo standalone, bundled in Enterprise).
Disclaimer. This crosswalk is provided for informational purposes. It is not legal advice, audit guidance, or a substitute for engagement with a qualified assessor (QSA for PCI, accountant or QSA for SOC 2, lawyer for HIPAA / NIS2 / SEC). Framework clause ids and language may have been updated since publication; verify against the official text. Wiredepth does not guarantee compliance based on the use of any tool or page on this site.