GLBA Risk Assessment & Audit: Requirements & Checklist

SaltyCloud Research Team

Updated Mar 12, 2026 Read Time 10 min

GLBA Risk Assessment and Audit: Step-by-Step Guide

A GLBA risk assessment evaluates risks to the security, confidentiality, and integrity of customer information to satisfy data security requirements. As of 2026, the Federal Trade Commission’s (FTC) Safeguards Rule, issued under the Gramm-Leach-Bliley Act, requires it.

For organizations covered by GLBA, the risk assessment forms the foundation of an effective information security program (ISP). It identifies the risks affecting customer information and determines how safeguards should be designed to address them. The results of a GLBA risk assessment inform security testing, service provider oversight, and the Qualified Individual’s annual report to the board.

This guide explains what a GLBA risk assessment must include, a step-by-step process for conducting one, and how to prepare for a GLBA audit. It also supports the requirements outlined in our GLBA compliance guide.

What Is a GLBA Risk Assessment?

A GLBA risk assessment identifies and evaluates risks, while the broader information security program manages those risks through safeguards, monitoring, and remediation.

A GLBA risk assessment is a mandatory evaluation of risks to the security, confidentiality, and integrity of customer information held by financial institutions. Required under Element 2 of the FTC’s Safeguards Rule (16 CFR 314.4(b)), it identifies internal and external threats, evaluates existing controls, and supports the design of the organization’s information security program.

Under the GLBA Safeguards Rule, the risk assessment must accomplish three things:

  1. Identify reasonably foreseeable internal and external risks to customer information
  2. Assess the sufficiency of existing safeguards in controlling those risks
  3. Be documented in writing, including criteria for evaluating and categorizing risks, assessing control adequacy, and how identified risks will be mitigated or accepted

Risk assessment results guide how the organization designs safeguards, tests and monitors controls, and oversees vendors. Results also inform the annual report delivered to the board by the Qualified Individual, the person responsible for the information security program. The report summarizes the key risks identified, the status of those risks, and significant updates to the program.

Financial institutions covered by GLBA must conduct risk assessments. This includes banks, credit unions, insurance companies, higher education institutions processing Title IV funds, auto dealers that offer in-house financing or arrange consumer financing, and other entities regulated by the FTC. Organizations should perform a full assessment at least once a year and repeat the process whenever major changes affect their systems, business operations, or risk environment.

For a plain-language walkthrough of all Safeguards Rule elements, see the FTC’s small entity compliance guide.

Note: Financial institutions that serve fewer than 5,000 consumers are exempt from the written risk assessment requirement under the small business exception (§314.6, Exceptions). Even so, they must still identify risks to customer information and put safeguards in place to address those risks as part of their information security program.

Who Owns the GLBA Risk Assessment?

Under the Safeguards Rule, financial institutions must appoint a Qualified Individual responsible for overseeing the organization’s information security program (16 CFR §314.4(a)).

This person ensures that the organization performs and maintains its GLBA risk assessment—that risks to customer information are identified, documented, and addressed through appropriate safeguards.

The Safeguards Rule also requires the Qualified Individual to report at least once a year to the board of directors or governing body on the status of the information security program. The report typically summarizes risk assessment results, safeguard effectiveness, security incidents, and recommended improvements.

The Qualified Individual can be an internal employee, an affiliate, or a service provider. In any case, the financial institution itself remains responsible for complying with the Safeguards Rule.

GLBA Risk Assessment Requirements

The Safeguards Rule requires every GLBA risk assessment to identify internal and external risks, evaluate the effectiveness of existing safeguards, document findings in writing, and connect results to remediation actions.

Requirement 1: Identify internal risks

Evaluate threats that originate inside the organization, such as unauthorized employee access, accidental disclosure, weak access controls, poor training, improper data handling, shadow IT, or insider threats.

Requirement 2: Identify external risks

Assess risks that originate outside the organization, such as cyberattacks (phishing, ransomware, SQL injection), social engineering, vendor and third-party data exposure, physical theft, and distributed denial-of-service attacks.

Requirement 3: Assess sufficiency of current safeguards

Evaluate whether existing administrative, technical, and physical controls adequately address identified risks. Document gaps between current controls and the level of protection required.

Requirement 4: Connect findings to remediation

The written risk assessment must describe how identified risks will be mitigated or accepted and how the information security program will address those risks (§314.4(b)(1)(iii)). Use the results to prioritize corrective actions, assign remediation owners, and track risk treatment until gaps are resolved.

How to Conduct a GLBA Risk Assessment

A GLBA risk assessment follows five steps: identify information assets, assess threats and vulnerabilities, evaluate current controls, determine risk levels, and document and report findings.

Step 1: Identify information assets

Start by identifying all the systems, databases, applications, and physical locations that store, process, or transmit customer information. This includes nonpublic personal information (NPI) in both digital and physical form.

Your inventory should include cloud platforms, email systems, CRMs, file shares, endpoint devices, paper records, storage rooms, and backup media. Classifying assets by data sensitivity helps identify where the greatest risks exist.

Step 2: Assess threats and vulnerabilities

For each asset, identify the internal and external threats that could affect customer information. Then identify the vulnerabilities those threats could exploit.

For example, phishing is a threat. Missing multi-factor authentication is a vulnerability. Weak vendor due diligence is a vulnerability that can increase exposure to third-party risk.

Step 3: Evaluate current controls

Review the controls already in place for each identified risk. This includes administrative, technical, and physical controls.

Document what each control does, whether it is preventive, detective, or corrective, and whether it fully mitigates the identified risk or leaves residual exposure. This step shows whether the organization’s current control environment is sufficient or whether gaps remain.

Step 4: Determine risk levels

Score each identified risk based on likelihood and impact. Many organizations use a risk matrix to categorize risks as Critical, High, Medium, or Low. The GLBA does not prescribe a specific methodology, but many organizations align their risk scoring with NIST SP 800-30 as a best practice.

                    Low Impact   Medium Impact   High Impact
High Likelihood     Medium       High            Critical
Medium Likelihood   Low          Medium          High
Low Likelihood      Low          Low             Medium

Use the scoring model consistently and prioritize remediation for Critical and High risks first.

Step 5: Document, Report, and Remediate

Compile findings into a written risk assessment report. The report should document the asset inventory, identified threat–vulnerability pairs, assessment of current safeguards, assigned risk ratings, and remediation actions with responsible owners and expected timelines.
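The following is an added example, not part of the original guide or of any SaltyCloud product, showing how Steps 2 through 5 fit together in code: threat-vulnerability pairs are recorded per asset with their existing control, rated with the likelihood-by-impact matrix from Step 4, ordered so Critical and High risks are remediated first, and checked for the documentation gaps an auditor looks for (residual risks with no assigned owner). The assets, findings, and owners in the sample register are constructed for illustration.

```python
"""Hypothetical GLBA risk register built around the likelihood x impact matrix
from Step 4. Sample risks are constructed, not taken from any real assessment."""
from dataclasses import dataclass, field

LEVELS = ("Low", "Medium", "High")

# Rows are likelihood, columns are impact, matching the Step 4 matrix.
RISK_MATRIX = {
    "High":   {"Low": "Medium", "Medium": "High",   "High": "Critical"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
}
# Remediation order: Critical and High first.
PRIORITY = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def rate(likelihood: str, impact: str) -> str:
    """Look up the risk rating; reject values outside the matrix."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"likelihood and impact must be one of {LEVELS}")
    return RISK_MATRIX[likelihood][impact]


@dataclass
class Risk:
    """One threat-vulnerability pair for one asset (Steps 1 to 3)."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    control: str            # existing safeguard, or "" if none
    control_type: str       # preventive / detective / corrective / none
    residual: bool          # True if the control leaves residual exposure
    owner: str = ""         # remediation owner (Step 5)
    rating: str = field(init=False)

    def __post_init__(self) -> None:
        self.rating = rate(self.likelihood, self.impact)


def prioritize(register: list[Risk]) -> list[Risk]:
    """Order the register for remediation: Critical, High, Medium, Low."""
    return sorted(register, key=lambda r: (PRIORITY[r.rating], r.asset))


def remediation_backlog(register: list[Risk]) -> list[Risk]:
    """Risks that still need treatment: residual exposure rated High or Critical."""
    return [r for r in prioritize(register) if r.residual and PRIORITY[r.rating] <= 1]


def unowned(register: list[Risk]) -> list[str]:
    """Documentation gap check: residual risks with no assigned remediation owner."""
    return [f"{r.asset}: {r.threat} / {r.vulnerability}"
            for r in register if r.residual and not r.owner]


def summarize(register: list[Risk]) -> dict[str, int]:
    """Counts per rating, the kind of figure that feeds the written report."""
    counts = {level: 0 for level in PRIORITY}
    for r in register:
        counts[r.rating] += 1
    return counts


# Constructed sample register (hypothetical assets, findings, and owners).
SAMPLE_REGISTER = [
    Risk("Student loan CRM", "phishing", "no MFA on CRM logins", "High", "High",
         "security awareness training", "preventive", True, "IT Security"),
    Risk("Backup tapes (storage room)", "physical theft", "unencrypted backup media",
         "Medium", "High", "locked storage room", "preventive", True, ""),
    Risk("Shared file server", "accidental disclosure", "overly broad share permissions",
         "High", "Medium", "", "none", True, "IT Operations"),
    Risk("Email gateway", "ransomware", "delayed patching", "Medium", "Medium",
         "attachment sandboxing", "detective", False, "IT Security"),
    Risk("Paper loan files", "insider misuse", "no sign-out log", "Low", "Medium",
         "badge-controlled records room", "preventive", True, "Records Office"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.rating:8} {r.asset:30} owner={r.owner or 'UNASSIGNED'}")
    print("Unowned residual risks:", unowned(SAMPLE_REGISTER))
    print("Summary:", summarize(SAMPLE_REGISTER))
```

The `unowned` check is the one that matters most for audit readiness: a risk with residual exposure and no owner is exactly the "identified risk that never led to a safeguard improvement" that examiners look for, so it should be empty before the report goes to the Qualified Individual.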

Use our GLBA compliance checklist to track remediation actions identified during the assessment.

Risk Assessment Documentation and Evidence

The FTC Safeguards Rule requires financial institutions to base their information security program on a documented risk assessment. As a result, organizations must maintain records showing how risks were identified, evaluated, and addressed.

A GLBA risk assessment produces several supporting documents:

Documentation                   Purpose
Asset Inventory                 Identifies systems and locations storing customer information
Threat-Vulnerability Analysis   Shows how potential threats could exploit weaknesses
Control Evaluation              Documents existing administrative, technical, and physical safeguards
Risk Register                   Records identified risks with likelihood and impact ratings
Remediation Plan                Tracks corrective actions and responsible owners
Risk Assessment Report          Summarizes findings and informs board reporting

Maintaining these artifacts helps demonstrate that the organization’s safeguards are based on a documented risk analysis, as required under the Safeguards Rule.

How to Simplify GLBA Risk Assessments

Spreadsheet-based risk assessments capture a snapshot, but they do not scale, they do not update in real time, and they do not connect findings to remediation workflows. Isora is the collaborative GRC Assessment Platform™ that gives security teams one shared workspace to run assessments, manage vendors and assets, track live risks, and publish audit-ready reports.

Risk Management. Track identified risks in a live risk register, assign owners, document remediation plans, and monitor status over time. Each risk includes attributes, assignees, responsible units, and custom fields — directly published from assessment findings with full context preserved.

Assessment Management. Distribute risk assessment questionnaires to control owners across the organization. Collect responses, evidence, and documentation in one centralized workspace. Organize assessments by compliance goal to streamline complex campaigns.

Reports and Scorecards. Generate scored reports, visualize risk levels, and produce outputs that support audit preparation and the Qualified Individual’s annual board reporting.

Book a demo to see how automated GLBA risk assessments simplify compliance.

How to Conduct a GLBA Audit

A GLBA audit evaluates whether the organization’s information security program aligns with the Safeguards Rule. The risk assessment is typically the first document auditors review because it shows how the organization identified risks and designed its safeguards. Auditors focus less on format and more on whether identified risks led to concrete safeguard improvements.

What a GLBA Audit Covers

A GLBA audit can cover all 10 elements of the Safeguards Rule, including governance, risk assessment, safeguard design, testing and monitoring, training, vendor oversight, program evaluation, incident response, board reporting, and breach notification. The FFIEC IT Examination Handbook — Information Security booklet describes the examination procedures federal banking regulators use to evaluate risk assessment adequacy.

The risk assessment (Element 2) is foundational because it shows that the organization understands its risk landscape and has designed safeguards accordingly.

The breach notification element is typically assessed only when a breach has occurred.

Who Conducts GLBA Audits

Different regulators examine different types of institutions:

  • FTC: Non-bank financial institutions, including higher education institutions, auto dealers, and mortgage brokers
  • OCC, FDIC, Federal Reserve, NCUA: Banks, credit unions, and savings associations
  • State Regulators: Insurance companies and state-chartered institutions
  • Internal Audit Teams: Proactive self-assessments that identify gaps before regulatory examination

Common audit findings: Missing or outdated risk assessments, incomplete vendor assessments, lack of security awareness training documentation, insufficient penetration testing frequency, and no written incident response plan. Conducting an internal self-assessment before the formal audit helps catch these issues early.

GLBA Risk Assessment and Audit FAQs

What is a GLBA risk assessment?

A GLBA risk assessment is a mandatory written evaluation of the risks to the security, confidentiality, and integrity of customer information required under Element 2 of the FTC’s Safeguards Rule (16 CFR 314.4(b)). It identifies internal and external risks, evaluates existing safeguards, and produces a written risk analysis that supports the design of the information security program.

How often should you conduct a GLBA risk assessment?

The Safeguards Rule requires risk assessments to be performed periodically and whenever material changes occur in business operations, arrangements, or information systems. Many organizations conduct a full assessment annually.

What does a GLBA audit cover?

A GLBA audit can evaluate compliance with all 10 elements of the Safeguards Rule, including Qualified Individual designation, risk assessment, safeguard design, testing and monitoring, training, vendor management, ISP updates, incident response, board reporting, and breach notification requirements.

Who conducts GLBA audits?

The regulator depends on the institution type. The FTC examines many non-bank financial institutions. Banking regulators such as the OCC, FDIC, Federal Reserve, and NCUA examine banks and credit unions. State regulators may examine insurance companies and state-chartered institutions.

What is a GLBA risk assessment template?

A GLBA risk assessment template is a structured spreadsheet or document used to document and organize risk assessment activities required under the FTC’s Safeguards Rule. It typically includes sections for asset inventory, threat and vulnerability identification, control evaluation, risk scoring, and remediation tracking to support compliance.

How do you prepare for an FTC GLBA examination?

Start by verifying that the risk assessment is current, documented in writing, and integrated with the broader information security program. Confirm that a Qualified Individual has been formally designated and is actively overseeing the program. Then gather evidence demonstrating compliance with all 10 elements of the Safeguards Rule. Conduct an internal self-assessment before the formal examination to identify gaps early.

What evidence do auditors expect from a GLBA risk assessment?

Auditors typically expect documentation showing how risks were identified, evaluated, and addressed. This includes asset inventories, risk registers, control assessments, remediation plans, and board reporting inputs.

This content is for informational purposes only and does not constitute legal or compliance advice. See our full disclaimer.
