

GLBA Gap Assessment - Pre Audit


The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act, requires financial institutions to have a security program in place to safeguard the confidential information of their customers, as well as to determine the general risk levels of their third parties. GLBA broadly defines financial institutions to include credit unions, banks, savings and loans, investment and insurance firms and possibly retail merchants, provided they offer their own credit solution.

To help support GLBA efforts, the Federal Financial Institutions Examination Council (FFIEC) developed the FFIEC IT Examination Handbook in concert with multiple agencies, for example the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau* (CFPB). Each agency may have additional controls outside the FFIEC. GLBA requires financial institutions to understand the risks within their organization by implementing a formal risk management program that identifies, quantifies, and employs controls to mitigate risks where appropriate.

* Under provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (the Dodd-Frank Act), the Director of the newly created Consumer Financial Protection Bureau joined the membership of the Council, replacing the Director of the former Office of Thrift Supervision.

Additionally, GLBA requires financial institutions to perform due diligence (e.g., third-party GLBA assessments) to ensure third parties have appropriate controls. This risk-based approach consists of a vendor management program that includes surveys and on-site assessments.


  • Compliance with GLBA Safeguards and Privacy Rules
  • Identification of non-compliant areas and understanding of what actions are needed to comply with GLBA Safeguards and Privacy Rules
  • Proper, objective third-party demonstration of GLBA compliance
  • Avoidance of fines that could result from failing a GLBA Audit
  • Reduction of the cost, confusion, and complexity of GLBA compliance


SecureState’s Audit & Compliance consultants are experts in understanding both the technical and the business aspects of your organization. SecureState’s experience and knowledge, developed while working with some of the top Fortune 500 financial institutions in the country and a governing body, provide your organization with a true picture of your compliance with GLBA.

Did You Know?

  • GLBA consists of three (3) major components: 1) the Financial Privacy Rule, 2) the Safeguards Rule and 3) Pretexting Protection
  • GLBA privacy notices need to incorporate Fair Credit Reporting Act information-sharing provisions
  • In 2009, the interagency regulators released a Model Privacy Notice, a table format designed to make comparing Privacy Notices between financial institutions easier; adopting it provides safe harbor
  • In 2005, the interagency regulators adopted guidelines requiring that, under specific circumstances, consumers whose records were breached be notified. Twenty-eight states have since adopted their own data breach laws
  • A GLBA Gap Assessment – Pre-Audit should be performed annually

Our Approach and Methodology

A GLBA/FFIEC Gap Assessment identifies areas where an organization does not comply with GLBA (both 12 CFR 30 and 12 CFR 40). The assessment helps financial institutions evaluate their control effectiveness in preparation for a formal on-site Audit by a Federal Banking Regulator. SecureState GLBA Gap Assessments and Pre-Audits are based on guidance from:

  • OCC
  • FDIC
  • FRB
  • CFPB
  • Other banking regulators, as applicable

SecureState’s GLBA Gap Assessment/Pre-Audit approach maps critical information processes to determine whether regulatory controls have business impact. The goals are to:

  • Evaluate the effectiveness of your GLBA compliance program
  • Validate GLBA controls
  • Justify the cost of remediation

The stages of our GLBA Gap Assessment/Pre-Audit, with brief descriptions, are as follows:

Pre-Onsite Visit:

  • Introduce engagement participants and define roles
  • Review engagement activities
  • Review any applicable documentation

Process Mapping:

  • Document the high-level in-scope GLBA systems and technical infrastructure


  • Conduct on-site interviews and information gathering to assess GLBA compliance status
  • Outline strategic recommendations to mitigate identified control gaps
  • Upload remediation activities to MyState Portal

What Makes Us Different

  • We provide comprehensive on-demand Privacy and Security expertise during the engagement and throughout the year
  • We maintain close relationships with our clients because we actually care about the outcome of the assessment
  • We support our clients’ GLBA compliance programs with our proprietary MyState Portal and a team of credentialed security specialists
  • We work with some of the top US financial institutions on GLBA compliance
  • Our consultants have direct experience working for Fortune 500 financial institutions
  • We have intimate knowledge of other control frameworks and regulations within the financial industry