If you run an insurance agency, the short answer is this: your agency is almost certainly a "financial institution" under the Gramm-Leach-Bliley Act (GLBA), but the FTC's version of the Safeguards Rule is usually not the rule that governs you. Under GLBA section 505 (15 U.S.C. 6805), rulemaking and enforcement for any person engaged in providing insurance is allocated to the applicable state insurance authority, not the Federal Trade Commission. So your insurance activities are covered by GLBA Title V, but the agency is generally overseen by its state insurance regulator rather than the FTC.
That distinction matters, and it is also where a lot of agency owners get tripped up. Let me walk through what it actually means for a small office.
Why insurance agencies are "financial institutions" at all
GLBA covers a much wider set of businesses than the word "bank" suggests. The data-security obligations attach to "financial institutions," and insurance falls squarely inside that definition. Selling insurance, advising on it, and handling the customer information that comes with it are financial activities under Title V of the Act.
So if you have ever wondered whether GLBA touches your agency because you are "just" an agent and not a bank, it does. The harder question is not whether you are covered by GLBA. It is which regulator writes and enforces the data-security rules you have to follow.
Why the FTC's rule usually is not the one that applies to you
The FTC Safeguards Rule has a defined scope. Under 16 CFR 314.1(b), it applies to the handling of customer information by financial institutions over which the FTC has jurisdiction, and GLBA section 505(a) gives the FTC only the residual slice: financial institutions that are not already assigned to one of the other functional regulators listed in that section. Section 505(a)(6) (15 U.S.C. 6805(a)(6)) hands insurance to the state insurance authorities. That is the carve-out that pulls most insurance agencies out from under the FTC's rule and places them under their state's insurance department instead.
In practical terms, for a Houston-area agency that means Texas. Your data-security obligations under GLBA are administered by the state insurance regulator, and many states have adopted their own insurance data-security requirements modeled on the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law. I am not going to state a specific Texas statute here as a hard compliance fact, because the precise state requirement, and how it applies to an agency of your size, is exactly the kind of thing you should confirm against the current rule for your license rather than take from a blog post. The point I want to be confident about is the structure: GLBA covers you, and the state, not the FTC, is normally the body writing and enforcing the security rules for your insurance business.
The exceptions that catch agencies off guard
"Usually overseen by the state" is not the same as "never touched by the FTC." A few situations are worth thinking through.
First, mixed business lines. If your office does more than sell insurance, the other activity may pull that part of your operation back under the FTC Safeguards Rule. The FTC's business guidance lists many non-bank financial institutions, and the 2021 amendments added "finders," companies that bring buyers and sellers together so they can negotiate the deal themselves, to the examples in the rule's definition of a financial institution (16 CFR 314.2(h)). If your agency also prepares taxes, brokers loans, or provides another listed financial service, that line of business can carry its own FTC obligations regardless of how your insurance side is regulated.
Second, the FTC's rule is a sensible benchmark even when it is not the binding rule. State insurance data-security requirements and the FTC's framework both sit under the same federal statute and address the same risks, so they tend to ask for the same core things: a risk assessment, a written program, named accountability, service-provider oversight, and incident response. Reading 16 CFR 314.4 gives you a clear, concrete checklist of what good looks like.
What the FTC's rule asks for, as a working checklist
Even though the FTC's rule may not be your governing rule, it is the clearest plain-language map of the safeguards regulators care about. Under 16 CFR 314.4, a written information security program is expected to: designate a Qualified Individual to run it (314.4(a)); be based on a written risk assessment (314.4(b)); implement specific safeguards, including access controls, encryption of customer information in transit over external networks and at rest, and multi-factor authentication for any individual accessing an information system, unless the Qualified Individual has approved an equivalent control in writing (314.4(c)); test and monitor those safeguards (314.4(d)); train staff (314.4(e)); oversee service providers (314.4(f)); evaluate and adjust the program over time (314.4(g)); maintain a written incident response plan (314.4(h)); and have the Qualified Individual report in writing at least annually to the board or, if there is none, to a senior officer (314.4(i)).
The Qualified Individual does not need a specific title or degree, and under 16 CFR 314.4(a) the role can be filled by an employee of a service provider as long as the institution retains responsibility for compliance, designates a senior member of its own personnel to direct and oversee that work, and requires the provider to maintain a program that protects the institution. For a small agency, those conditions are the whole story: you can lean on outside help for the technical execution, but the accountability stays with you.
How I work with agency owners on this
I want to be precise about what I do and do not do. I am not a law firm, and I do not issue any kind of compliance certification. There is no official FTC "certification" for the Safeguards Rule in the first place; compliance is shown by actually running a program like the one in 16 CFR 314.4, not by holding a certificate. What I provide is a gap report and remediation. I look at where your office stands against the relevant safeguards, I write up the gaps in plain English, and I help you close them. For an insurance agency, that includes flagging where your state insurance rule, rather than the FTC's, is the one you need to confirm against.
If you want a clear read on where your office actually stands, I offer a free 14-Point Safeguards Gap Report. You can also call me directly at 832-907-5594. And if you want the broader background first, I wrote a plain-English guide to the FTC Safeguards Rule for small financial offices that lays out the whole rule.