• This page, Prepare for cybersecurity regulatory expectations, is   offered by
  • Division of Banks

Prepare for cybersecurity regulatory expectations

Find out about regulations governing information security and expectations for financial institutions and non-depository institutions.

Gramm-Leach-Bliley Act (GLBA)

GLBA, also known as the Financial Services Modernization Act, requires companies acting as financial institutions to explain information-sharing practices. GLBA also requires financial institutions to protect sensitive data. This applies to companies offering consumers financial products or services like loans, financial or investment advice, or insurance.

Financial institutions must put in place an information security program as part of GLBA compliance (Section 501). The information security program should establish appropriate standards related to the administrative, technical, and physical safeguards of consumer records and information.

The GLBA Data Protection Rule defines the scope of these safeguards. According to the Data Protection Rule, your financial institution must:

  • Ensure the security and confidentiality of customer data.
  • Protect against any anticipated threats or hazards to the security or integrity of such data.
  • Protect against unauthorized access to, or use of, such data that would result in substantial harm or inconvenience to any customer.
  • Ensure the proper disposal of customer information.

The Federal Deposit Insurance Corporation (FDIC) and the National Credit Union Administration (NCUA) have issued their own regulations about GLBA requirements:

201 CMR 17.00: Standards for the Protection of Personal Information of the Residents of the Commonwealth

This regulation implements the provisions of M.G.L. c. 93H. Anyone owning or licensing personal information about a resident of Massachusetts must meet certain standards. The minimum standards must be met in connection with the safeguarding of personal information contained in both paper and electronic records. Banks, credit unions and non-depository institutions all have to follow 201 CMR 17.00.

Additional Resources

Help Us Improve Mass.gov  with your feedback

Please do not include personal or contact information.