Most Orlando business owners have heard of HIPAA. Many know about PCI-DSS. Far fewer are aware that a federal regulation called the FTC Safeguards Rule applies directly to their business — and that non-compliance carries civil penalties up to $46,517 per violation per day. If your business touches customer financial data in any form, there is a meaningful chance you are covered by this rule and may not have the technical controls in place to prove it.
This is not a new regulation — it was significantly updated in 2021 under the Gramm-Leach-Bliley Act (GLBA) and has been in full enforcement since June 2023. What is new in 2026 is the FTC's active enforcement posture, expanded definition of covered businesses, and the intersection of this requirement with cyber insurance underwriting. Understanding where your Orlando business stands is urgent, not optional.
Who Is Actually Covered — The Surprise Is in the Definition
The FTC Safeguards Rule applies to any business that is "significantly engaged" in providing financial products or services to consumers. The word "bank" does not appear in that definition — and that is intentional. The covered business types that consistently surprise small business owners include:
- Tax preparers and CPA firms — collecting SSNs, income data, bank account details, and filing federal returns constitutes providing a financial service
- Insurance agencies — health, auto, life, and property insurance agencies that collect consumer financial information
- Auto dealers with financing — dealers who arrange financing or take credit applications are explicitly named in the rule
- Mortgage brokers and loan originators — originating or brokering mortgage loans regardless of volume
- Investment advisors not registered with the SEC — state-registered advisors and financial planners
- Payday lenders and check cashers
- Debt collectors who regularly access consumer financial information
- Real estate settlement service providers handling escrow or title services
The common misconception is that size provides an exemption. It does not. A solo tax preparer in Winter Park with 50 clients has the same compliance obligations as a 200-person regional insurance agency. The only size-based exception is for businesses with fewer than 5,000 customers, which are exempt from one requirement — designating a qualified individual (QI) in a written annual report — but must still meet all other technical and administrative controls.
Orlando's economy is particularly dense with covered businesses. The region has a high concentration of independent insurance agencies, auto dealers, mortgage brokers, and tax preparation firms that may have never evaluated their Safeguards Rule exposure.
The Six Core Requirements — What You Actually Have to Do
The updated Safeguards Rule is more specific than its predecessor. Rather than vague language about "appropriate safeguards," the 2021 revision spells out concrete technical and administrative requirements. Covered businesses must implement and maintain all of the following:
1. Designate a Qualified Individual (QI). Someone must be accountable for your information security program. This does not have to be a full-time CISO — it can be an employee, officer, or a service provider (such as a managed IT firm). The QI must report to the board or senior leadership at least annually on the status of the security program.
2. Conduct a written risk assessment. You must formally identify and document the risks to customer information across all business operations — not just technology. This includes how paper records are handled, how employees access data, and how vendors interact with customer information. The risk assessment must be reviewed and updated regularly.
3. Implement specific safeguards based on your risk assessment. The rule specifies eight technical and administrative control categories:
- Access controls — limiting who can access customer financial information based on business need
- Inventory and data mapping — knowing what customer data you have, where it lives, and how it flows
- Encryption — protecting customer data in transit and at rest
- Secure development practices — if you build or maintain software that touches customer data
- Authentication — multi-factor authentication for any information system accessing customer financial data
- Patch management — keeping systems and software updated on a documented schedule
- Penetration testing — annual pen tests and vulnerability scans
- Activity monitoring — logging and monitoring access to customer information systems
4. Oversee service providers. Every vendor with access to your customer financial data must be contractually required to implement appropriate safeguards. This means your cloud accounting software provider, your CRM, your email platform, and any third-party processor must be evaluated and under written agreement to maintain security controls.
5. Maintain a written incident response plan. The plan must address how you will detect, respond to, and recover from a security incident — including specific roles, communication procedures, and breach notification obligations. It must be tested, not just documented.
6. Conduct employee training. All staff who handle customer financial information must receive regular security awareness training. The training must be documented and updated as threats evolve.
The MFA Requirement Deserves Special Attention
Multi-factor authentication is the one technical control the Safeguards Rule names explicitly — and it is now also the number-one underwriting requirement for cyber insurance. If any employee can access customer financial information systems using only a password, your business is non-compliant with the Safeguards Rule and likely ineligible for cyber insurance coverage on email-based breach claims.
For a tax preparation firm running Drake Tax or Lacerte on Windows, for an insurance agency using Applied Epic or Vertafore, or for a mortgage broker accessing LOS platforms — MFA must be enforced at the application level, not just at the network perimeter. Browser-based access to these platforms via Microsoft 365 credentials means MFA must be configured in Microsoft Entra ID (formerly Azure AD) with Conditional Access policies that enforce it universally, including on mobile devices and remote access.
PTG's assessment work consistently finds that businesses believe they have MFA enabled because employees use an authenticator app for one system — while three or four other systems with access to customer data remain password-only. The FTC does not distinguish between partial MFA and no MFA; if any path to customer data bypasses MFA, the control is not compliant.
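One way to find the partial-MFA gap described above, written here as an added example and not PTG's own assessment tooling: a Python audit over constructed sign-in records shaped like Microsoft Entra's sign-in log (field names follow the Graph signIn object; the users and application names are made up), flagging every application that any successful sign-in reached without multi-factor authentication or without a Conditional Access policy being applied.

```python
import json
from collections import defaultdict

# Constructed sample records in the shape of Microsoft Entra sign-in logs (Graph signIn
# fields: userPrincipalName, appDisplayName, authenticationRequirement, conditionalAccessStatus, status).
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@example.test", "appDisplayName": "Office 365 Exchange Online",
  "authenticationRequirement": "multiFactorAuthentication",
  "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@example.test", "appDisplayName": "Tax Software Portal",
  "authenticationRequirement": "singleFactorAuthentication",
  "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
 {"userPrincipalName": "carol@example.test", "appDisplayName": "Tax Software Portal",
  "authenticationRequirement": "singleFactorAuthentication",
  "conditionalAccessStatus": "notApplied", "status": {"errorCode": 50126}},
 {"userPrincipalName": "alice@example.test", "appDisplayName": "Agency Management System",
  "authenticationRequirement": "multiFactorAuthentication",
  "conditionalAccessStatus": "success", "status": {"errorCode": 0}}
]""")

def mfa_coverage(signins):
    """Per application: successful sign-ins, how many completed with a single factor,
    how many had no Conditional Access policy applied, and which users got in without MFA.
    Failed attempts (non-zero errorCode) are skipped: they are not a path to the data."""
    report = defaultdict(lambda: {"total": 0, "single_factor": 0,
                                  "no_ca_policy": 0, "users_without_mfa": set()})
    for s in signins:
        if s.get("status", {}).get("errorCode", 0) != 0:
            continue
        entry = report[s["appDisplayName"]]
        entry["total"] += 1
        if s.get("conditionalAccessStatus") == "notApplied":
            entry["no_ca_policy"] += 1
        if s.get("authenticationRequirement") != "multiFactorAuthentication":
            entry["single_factor"] += 1
            entry["users_without_mfa"].add(s["userPrincipalName"])
    return {app: {**v, "users_without_mfa": sorted(v["users_without_mfa"])}
            for app, v in report.items()}

def is_compliant(report):
    """All-or-nothing: a single password-only path to customer data fails the control."""
    return all(v["single_factor"] == 0 for v in report.values())

if __name__ == "__main__":
    rep = mfa_coverage(SAMPLE_SIGNINS)
    for app, v in rep.items():
        print(f"{app}: {v['single_factor']}/{v['total']} successful sign-ins without MFA, "
              f"{v['no_ca_policy']} with no CA policy applied, users: {v['users_without_mfa']}")
    print("MFA control compliant:", is_compliant(rep))
```

Run the same function over a real export of the sign-in log to get the per-application list of password-only paths that the FTC would count as non-compliant.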
The Cyber Insurance Connection
In 2026, Safeguards Rule compliance and cyber insurance underwriting have essentially converged. The technical controls that insurers now require before quoting an affordable policy — MFA, EDR on all endpoints, tested backups isolated from production, documented incident response — are the same controls the Safeguards Rule mandates. This is not a coincidence. Insurers have structured their questionnaires to screen for the exact gaps that drive the claims they pay out most frequently.
The practical implication: if your business is Safeguards-compliant, you are also well-positioned for favorable cyber insurance terms. If you have never evaluated Safeguards compliance, your cyber insurance renewal questionnaire this year will expose the same gaps — except the consequence there is denied coverage or 40–60% premium increases, not FTC enforcement action.
For Orlando businesses in financial services, the smart approach is treating Safeguards compliance as the foundation and cyber insurance as the validation layer. Getting compliant first, then going to market with documented controls, consistently produces better coverage terms than trying to buy insurance first and comply later.
Common Gaps PTG Finds in Orlando Financial Businesses
After conducting IT Resilience Assessments for Orlando tax firms, insurance agencies, and financial services businesses, these are the Safeguards Rule gaps that appear most frequently:
No written information security program (WISP). The rule requires a written, documented program — not a mental checklist. Many businesses have reasonable security practices but no written policy that documents them, which creates an enforcement exposure even when the technical controls exist.
Vendor agreements without security provisions. Standard software subscription agreements do not include the security commitments the Safeguards Rule requires from service providers. A Business Associate Agreement (BAA) satisfies HIPAA's vendor requirement but does not satisfy GLBA's — they are different standards with different specific requirements.
No formal risk assessment on record. The rule requires a documented risk assessment that is reviewed periodically. A risk assessment from 2022 that was never updated does not satisfy the ongoing review requirement, particularly after significant operational changes like moving to remote work, adding a new cloud application, or hiring staff with access to customer data.
Encryption not enforced on mobile devices. Laptops may have BitLocker enabled, but employee phones with access to customer email or cloud applications frequently lack device encryption enforcement through a mobile device management (MDM) solution.
If you are unsure where your business stands on any of these requirements, a free IT Resilience Assessment from PTG evaluates your current controls against the Safeguards Rule's six core requirements and delivers a prioritized gap analysis with specific remediation steps. For businesses that need to document compliance for an FTC audit, a cyber insurance application, or a client due diligence request, having that assessment on record is the starting point.