
The FTC Safeguards Rule for Mortgage Brokers

If you broker or originate loans, the FTC already considers you a financial institution — and in 2026, enforcement of the Safeguards Rule is ramping. Here's what your WISP must contain, and what's at stake if it doesn't.

Kapacyber

Security Research Team

The FTC Safeguards Rule applies to mortgage brokers, and many brokers don't realise it until a lender partner, an auditor, or a breach forces the issue. The Rule sits under the Gramm-Leach-Bliley Act and defines “financial institution” broadly enough to cover any business “significantly engaged” in financial activities — and brokering or originating mortgages is squarely that. If you handle borrowers' financial information, you're in scope.

Why 2026 Matters

The Rule isn't new, but two things have changed the picture. First, the FTC added a breach-notification duty: covered institutions must report a security event touching the unencrypted information of 500 or more consumers, generally within 30 days. Second, after a grace period, the FTC's posture has shifted from education toward enforcement. The expectation now is continuous compliance, not a one-time policy document filed away. For a broker still treating cybersecurity as optional, the gap between “we have antivirus” and “we have a WISP” is closing fast.

What Your WISP Must Contain

The heart of the Rule is a Written Information Security Program built on nine required elements:

The 9 FTC Safeguards Elements

  • A Qualified Individual to oversee the security program
  • A written, documented risk assessment
  • Access controls and authentication
  • A data inventory of where borrower information lives
  • Encryption of customer information in transit and at rest
  • Secure development / application security practices
  • Multi-factor authentication for anyone accessing customer information
  • Secure disposal and change management
  • Continuous monitoring, training, testing, and an incident response plan

The Borrower Data You're Sitting On

A single loan file is a goldmine: Social Security numbers, bank statements, tax returns, pay stubs, and account details for every applicant. That concentration of nonpublic personal information is exactly why brokers draw business email compromise and ransomware attacks — and why the FTC holds you to a real standard for protecting it.

The Penalty Side

Civil penalties under the FTC Act are inflation-adjusted each year and reach $53,088 per violation as of 2026 (verify the current figure before relying on it — it moves annually). Add state attorney-general action and the direct cost of a breach, and non-compliance is far more expensive than the program that prevents it.

What to Do

Treat the nine elements as a checklist and close the gaps, starting with MFA on email and your loan-origination system, EDR on every device, and a documented WISP with a named Qualified Individual. The Rule's requirements overlap heavily with what your cyber insurer asks for, so you're solving both at once. For the closely related accountant version of this rule, see our FTC Safeguards guide for accounting firms, and for the controls insurers expect, our cyber insurance readiness page.

Build a WISP That Holds Up

We help mortgage brokers stand up the nine FTC Safeguards elements — MFA, EDR, encryption, a Qualified Individual, and a documented WISP — and operate them day to day.
