In two reports issued on September 29, 2016, the Federal Reserve’s Office of Inspector General (“OIG”) discussed major management challenges facing the Federal Reserve Board (the “Board”) and the Consumer Financial Protection Bureau (“CFPB”). Although not required statutorily, the OIG compiles these annual listings of major management challenges facing the Board and the CFPB. According to the OIG, these challenges represent the areas that are most likely to hamper the Board’s and the CFPB’s accomplishment of their strategic objectives if not addressed. Concerns related to cybersecurity topped both lists.
For the second year in a row, the OIG highlighted cybersecurity-related issues as the top two management challenges facing the Board. First, according to the OIG, the Board needs to enhance its oversight of cybersecurity at supervised financial institutions. The Board has already designated cybersecurity oversight as a high priority, and, through its supervisory program for financial institutions, it already undertakes efforts to ensure that supervised financial institutions manage and mitigate the potential risks and vulnerabilities associated with cyberattacks. However, in light of the increasing number and sophistication of cyberthreats and attacks at financial institutions, the Board must continue to update and tailor its supervisory approach, define appropriate short- and long-term goals, and work with other regulators to provide supervised institutions with support and guidance.
Second, the OIG recommended that the Board focus on ensuring that it has an effective information security program. The OIG noted that the importance of information security in the federal sector was highlighted by recent data breaches involving sensitive data and the increase in information security incidents reported by federal agencies over the last several years. While the Board has already undertaken efforts to protect its IT infrastructure, it should pursue additional opportunities to enhance its information security programs, ensure that only those with a need to know have access to its online collaboration environments, and ensure that its third-party providers meet information security program requirements.
Ensuring an effective information security program was also the top management challenge identified by the OIG as facing the CFPB. This is the second year in a row that this challenge topped the list issued by the OIG. The CFPB has taken steps to develop and implement an information security continuous monitoring program. However, it continues to face challenges associated with maturing that program, including centralizing and automating the tools contained in it. Successfully managing this challenge is critical given the amount of sensitive information the CFPB collects and stores. Unauthorized access to or disclosure of that information could undermine the public’s trust in the CFPB and limit its ability to accomplish its mission. The OIG further identified opportunities for the CFPB to better detect and protect against these threats.
