Key Takeaways
The updated FTC Safeguards Rule now covers more than 15,000 non-bank financial institutions in the US — auto dealers, mortgage brokers, tax preparers, financial advisors, and insurance agencies, most of whom are SMBs with no in-house security team. MSPs who understand the nine required elements of a written information security program, can build and maintain it per client, and can demonstrate compliance to regulators are positioned to capture a recurring service line in a market that is both underserved and under regulatory pressure. This guide covers how to build it.
Auto dealers are not tech companies. Mortgage brokers are not running security operations centers. Tax preparers are not thinking about incident response plans.
But since June 2023, all of them have been required to have one — along with eight other elements of a written information security program — under the updated FTC Safeguards Rule.
The FTC estimates that more than 15,000 non-bank financial institutions are subject to the Rule. The vast majority are small businesses. Most of them have an MSP managing their IT. Almost none of them have built a compliant information security program. Many don’t know where to start.
If you serve any of these clients — or want to — this is your service line.
What the FTC Safeguards Rule Actually Is
The Safeguards Rule is the FTC’s implementation of the Gramm-Leach-Bliley Act (GLBA) security requirements for non-bank financial institutions. The original Rule dated from 2003 and was vague enough that most companies could satisfy it with a loose set of policies and a password policy document.
The 2021 amendments — which took full effect in June 2023 — changed that. The updated Rule is prescriptive. It names specific technical controls. It requires a designated qualified individual. It requires board-level reporting for larger companies. It requires an incident response plan. It requires annual risk assessments with documented findings and remediation actions.
In short: it looks a lot like a real information security program now, not a checkbox exercise.
The covered entities are broad. The Rule applies to any financial institution subject to FTC jurisdiction under the GLBA. That includes:
- Auto dealers that offer financing or leasing (and most do)
- Mortgage companies, brokers, and lenders
- Tax preparers and accounting firms handling financial data
- Registered investment advisors
- Insurance agencies and carriers
- Payday and personal loan providers
- Student loan servicers
- Real estate appraisers
- Retailers that offer branded credit cards through partner banks
The common thread: they handle customer financial information, they’re not federally regulated banks or credit unions, and the FTC is their regulator.
The Nine Elements Your Clients Need
The Rule requires a written information security program built around nine required elements. This is the structure your service line delivers.
1. Qualified Individual. The program must be overseen by a designated qualified individual — either an employee or a service provider (that’s you). This person reports on the program at least annually. For most SMB clients, the MSP is the natural choice for this role. It formalises the relationship and creates a recurring touchpoint.
2. Risk Assessment. A written risk assessment that identifies internal and external risks to customer information, evaluates existing safeguards, and prioritises remediation. This is not a checklist — it needs to be specific to the client’s systems, how they collect and store financial data, and who has access to it.
3. Safeguards Based on Risk Assessment. Controls implemented in response to the risk assessment. The Rule specifies a minimum list: access controls, data inventory, encryption at rest and in transit, multi-factor authentication, disposal procedures, change management, and monitoring. MSPs who are already managing endpoints, email, and cloud environments are delivering many of these — but the Safeguards Rule requires they be documented as part of the formal program.
4. Regular Monitoring and Testing. Either continuous monitoring or periodic penetration testing and vulnerability assessments. The Rule requires annual penetration testing and biannual vulnerability scanning at minimum. For many MSP clients, this is a new cost centre — and a new revenue line for you.
5. Security Awareness Training. A training program for all employees who access customer financial information. Annual training is standard; the Rule requires it be updated to reflect current threats. MSPs who resell security awareness training platforms (KnowBe4, Proofpoint, etc.) can bundle this into the service.
6. Service Provider Oversight. A written process for selecting, monitoring, and contractually obligating service providers who handle customer financial information. For most clients, this means reviewing their cloud storage, payroll, and SaaS vendors. The MSP facilitates this — you become the vendor oversight function.
7. Incident Response Plan. A written plan covering: the scope of response, internal processes for responding to an incident, recovery goals, and clear internal reporting roles. Most SMB clients have nothing written down. This is a one-time deliverable that becomes part of the ongoing retainer to maintain and test.
8. Periodic Evaluation and Adjustment. The program must be reviewed whenever there are material changes to operations or at least annually. This is the justification for a recurring retainer — the program is not static.
9. Board or Equivalent Reporting (for 5,000+ customer records). Companies with more than 5,000 customer records must report on the information security program to the board or equivalent at least annually. Auto dealers almost always hit this threshold. The qualified individual writes this report — another deliverable in your recurring service.
Why MSPs Are the Right Delivery Vehicle
The Safeguards Rule is not written for sophisticated enterprises with internal security teams. It is written for the auto dealer principal who signs off on the compliance paperwork the same afternoon they close a car deal.
What these businesses need is someone who understands both the regulation and the IT environment, can build the program without overcomplicating it, and will maintain it without requiring constant client involvement. That is an MSP.
Banks have compliance departments. Your clients have you.
The opportunity is structural: the Rule requires ongoing program management, annual risk assessments, regular training, penetration testing, and board reporting. None of those are one-time deliverables. All of them justify a monthly retainer. The FTC is the motivator — you are the solution.
Building the Service: Phase Structure
Phase 1: Gap Assessment (4–6 weeks, fixed fee)
Start with a written gap assessment against the nine elements. Document what the client has, what’s missing, and what the risk exposure looks like. For most non-bank financial institutions, this reveals: no written information security program, no formal risk assessment, no incident response plan, and no vendor oversight process. Basic technical controls (MFA, encryption) may partially exist through the MSP’s existing work but aren’t documented in the right context.
Deliverable: a gap report with a remediation roadmap. This is what the client signs off on and what becomes the foundation for the program.
Phase 2: Program Build (60–90 days, project-based)
Build the written information security program. This includes:
- Written WISP (Written Information Security Program) document covering all nine elements
- Risk assessment for the client’s specific environment
- Policy documentation (acceptable use, data classification, access control, incident response, vendor management)
- MFA implementation where gaps exist
- Data inventory documenting what financial information is collected, where it lives, and who can access it
- Incident response plan, tabletop-tested
- Vendor review for the client’s material third parties
- Security awareness training deployment
This is the build phase. It ends with a compliant program in place and documented.
Phase 3: Ongoing Compliance Management (monthly retainer)
Annual risk assessment refresh, continuous monitoring or biannual vulnerability scanning, annual penetration test coordination, security awareness training maintenance and annual campaign, vendor oversight reviews, policy updates as the business changes, and the annual board report for clients with 5,000+ records.
This is the retainer. The FTC’s ongoing requirements make it defensible. The qualified individual designation makes you contractually named as the responsible party, which justifies a premium over standard MSP rates.
Pricing the Service
The economics depend on client size and complexity. A rough guide:
Small financial clients (tax preparer, insurance agency, <50 employees, <5,000 records): Gap assessment at $1,500–$2,500. Program build at $4,000–$7,000. Monthly retainer at $1,200–$1,800.
Mid-size financial clients (mortgage broker, registered investment advisor, 50–150 employees): Gap assessment at $2,500–$4,000. Program build at $7,000–$12,000. Monthly retainer at $1,800–$2,800.
Auto dealers and larger clients (multiple locations, 5,000+ records, board reporting required): Gap assessment at $4,000–$6,000. Program build at $10,000–$18,000. Monthly retainer at $2,500–$4,000.
Penetration testing is typically scoped and priced separately — either passed through from a specialist or, if your team has the capability, delivered directly. Annual pen test costs for SMB environments typically run $3,000–$8,000 and can be included in the retainer or invoiced as a separate line item.
The qualified individual function — where you are formally named in the program — commands a premium. Clients accepting regulatory risk exposure value this designation highly.
What Most MSPs Get Wrong
Treating it as a one-time project. The Safeguards Rule requires ongoing program management. MSPs who build the WISP and walk away are leaving most of the value on the table and exposing their clients to regulatory risk when the program goes stale.
Underestimating the documentation requirement. The FTC expects a written program with evidence of implementation. “We have MFA” is not sufficient. “Here is our MFA policy, implementation documentation, and access review records” is. The documentation is the deliverable, not just the control.
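One concrete way to produce the "access review records" half of that evidence, as an added example that is not from the original post or from GetCybr: a small script that turns an identity-provider user export into a dated review record, flagging accounts that touch customer financial data without MFA and accounts that have gone stale. The CSV columns, the 90-day inactivity threshold and the sample users are all constructed assumptions, not any vendor's schema or any client's data.

```python
"""Access-review evidence generator (added example, not from the page).

Reads a user export, applies two checks a Safeguards Rule reviewer would
document (MFA on accounts with customer-data access, and inactive accounts),
and renders a dated record. Column names and thresholds are assumptions.
"""
import csv
import io
from datetime import date, datetime

# Constructed sample export. A real review would read the CSV exported from
# the client's identity provider; the column names here are assumed.
SAMPLE_EXPORT = """\
user,role,mfa_enrolled,last_login,has_customer_data_access
jsmith,finance_manager,yes,2024-05-02,yes
dlee,sales,no,2024-05-01,yes
tnguyen,service_advisor,yes,2023-11-15,no
former.employee,sales,no,2023-09-30,yes
it.admin,admin,yes,2024-05-03,yes
"""

INACTIVE_DAYS = 90  # assumed threshold; take it from the client's access-control policy


def parse_export(text):
    """Parse the export into plain dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "user": row["user"],
            "role": row["role"],
            "mfa": row["mfa_enrolled"].strip().lower() == "yes",
            "last_login": datetime.strptime(row["last_login"], "%Y-%m-%d").date(),
            "customer_data": row["has_customer_data_access"].strip().lower() == "yes",
        })
    return rows


def review_access(rows, as_of, inactive_days=INACTIVE_DAYS):
    """Return {user: [issues]}; an empty list means no exception for that account."""
    findings = {}
    for r in rows:
        issues = []
        if r["customer_data"] and not r["mfa"]:
            issues.append("no MFA on account with customer financial data access")
        if (as_of - r["last_login"]).days > inactive_days:
            issues.append(f"inactive for more than {inactive_days} days; confirm status or disable")
        findings[r["user"]] = issues
    return findings


def summarize(findings):
    """Headline counts for the first page of the review record."""
    return {
        "accounts_reviewed": len(findings),
        "exceptions": sum(1 for v in findings.values() if v),
        "clean": sum(1 for v in findings.values() if not v),
    }


def render_record(findings, as_of, reviewer):
    """Render the record as plain text suitable for filing with the WISP."""
    lines = [f"Access review as of {as_of.isoformat()} by {reviewer}"]
    for user, issues in sorted(findings.items()):
        status = "; ".join(issues) if issues else "no exceptions"
        lines.append(f"  {user}: {status}")
    return "\n".join(lines)


def run_sample_review(as_of=date(2024, 5, 3)):
    """Run the review over the constructed sample export (fixed date for repeatability)."""
    return review_access(parse_export(SAMPLE_EXPORT), as_of)


if __name__ == "__main__":
    review_date = date(2024, 5, 3)
    findings = run_sample_review(review_date)
    print(render_record(findings, review_date, reviewer="qualified individual (placeholder name)"))
    print(summarize(findings))
```

The output is the artifact, not the script: file the rendered record alongside the MFA policy and the remediation tickets raised for each exception, and re-run it on the cadence the client's policy states so the next review has a dated predecessor to compare against.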
Missing the vendor oversight element. Most MSPs overlook the service provider management requirements. Every client that uses a cloud payroll provider, a web-based accounting system, or a third-party document management platform needs that relationship reviewed and documented. This is time-consuming but important — and FTC investigations often focus on third-party breach vectors.
Not using the qualified individual role as a differentiator. Being formally named as the qualified individual in a client’s WISP is a significant relationship anchor. It makes you difficult to replace, creates ongoing reporting obligations, and justifies above-market retainer pricing. Don’t give it away as a free add-on.
The Enforcement Environment
The FTC has been active. High-profile enforcement actions have targeted mortgage servicers, auto dealers, and financial technology companies for Safeguards Rule violations. State attorneys general have parallel enforcement authority under GLBA. Data breach notifications trigger regulatory scrutiny — and the first thing an examiner will ask for is the written information security program.
Companies that can produce a documented, tested, qualified-individual-managed program are in a defensible position. Companies that cannot are looking at civil penalties and, in some cases, consent orders requiring third-party audits.
Your clients do not have the internal capability to build this program. They need someone who has done it before, who maintains it ongoing, and who can stand behind it if a regulator asks questions. That positioning — not just IT support, but compliance partner — is what separates high-margin MSP practices from commodity help desks.
Next Step
If you have auto dealers, mortgage brokers, tax preparers, or insurance agencies in your client base, they are almost certainly subject to the Safeguards Rule and almost certainly non-compliant. That gap is your opening.
Start with a gap assessment conversation. Frame it around the FTC’s enforcement record and the specific requirements of the 2023 amendments. Most clients will not push back when they understand what the Rule requires and what the exposure looks like without a compliant program.
GetCybr maps the nine Safeguards Rule elements to specific controls and evidence requirements, so you can track compliance posture across multiple financial institution clients from one dashboard. When a client faces an FTC inquiry, the program documentation is already built and auditable.
Book a demo to see how GetCybr supports FTC Safeguards compliance delivery.