The Consumer Financial Protection Bureau’s procedures for securing its information systems have deteriorated in recent months, and the issue has been made worse by the loss of contractor resources and bureau personnel, according to a recent audit by the Federal Reserve Office of Inspector General.
The CFPB’s systems house sensitive data about consumers and financial institutions, including Social Security numbers and confidential supervisory information. The OIG found that the CFPB’s cybersecurity program declined in fiscal year 2025, with the bureau not maintaining authorizations to operate for many systems and using risk acceptance memorandums without a documented analysis of cybersecurity risks. It has also not maintained contractor resources that support continuous monitoring and testing activity, and has lost agency staff, according to the report.
“As such, the CFPB is unable to maintain an effective level of awareness of security vulnerabilities in its environment,” the OIG concluded.
Still, the CFPB was able to take some steps to maintain and strengthen its information security program, according to the report. The bureau updated and formalized processes for responding to potential ransomware incidents and transitioned toward a continuous vetting model for employee background reinvestigations. In addition, the senior agency information security officer continues to meet with system owners on a weekly basis to manage cybersecurity risks, and the CFPB is in the process of decommissioning and modernizing legacy technology systems.
