On July 13, 2020, the Federal Trade Commission (FTC) held a workshop titled “Information Security and Financial Institutions: FTC Workshop to Examine Safeguards Rule.” This workshop discussed the proposed amendments to the Gramm-Leach-Bliley Act’s (GLBA) Safeguards Rule, which requires financial institutions to develop, implement, and maintain a comprehensive information security program.

On April 2, 2019, the FDIC issued Financial Institution Letter FIL-19-2019 (the “Letter”) to remind financial institutions about certain contractual provisions and other requirements pertaining to technology service provider contracts. Apparently, during recent routine examinations, the FDIC found several technology service provider contracts that were inadequate under existing guidance. These contracts omitted or inadequately addressed key terms, such as:

  1. Requiring the service provider to maintain a business continuity plan,
  2. Establishing recovery standards,
  3. Specifying the institution’s remedies if the service provider misses a recovery standard,
  4. Requiring the service provider to respond to security incidents by, among other things, notifying the institution, and
  5. Defining key terms in the contracts relevant to business continuity and/or incident response.

The Office of the Inspector General (OIG) has released the “2015 list of major management challenges” faced by the CFPB that the OIG believes will hamper the CFPB’s ability to accomplish the CFPB’s strategic objectives.  Like the 2014 list, one of the challenges identified by the OIG is the need to ensure that the CFPB has an effective information security program.

The most notable items added by the Office of Inspector General (OIG) to its work plan, updated as of July 7, 2014, are audits of the CFPB’s information security program, pay and compensation program, and distribution of civil penalty funds.

Information Security

Pursuant to the Federal Information Security Management Act of 2002 (“FISMA”), each agency Inspector General must annually evaluate the agency’s information security program.

The Bureau’s Office of Inspector General (OIG) (which it shares with the Fed) recently issued its 2013 report card on the CFPB’s information security system.  While the OIG states in the audit report that the CFPB has made “significant progress in developing, documenting, and implementing its information security program,” the OIG nevertheless found “opportunities” for further improvement.

The CFPB’s latest report card on its information security system, delivered last week by the Bureau’s Office of Inspector General (OIG), indicates that the system still needs improvement.  In May 2012, the Government Accountability Office issued a report that identified various problems with the CFPB’s internal controls and accounting systems that included the absence of an agency-wide information security program for the information and information systems that support the CFPB’s financial reporting, operations, and assets.