Terry Gerton The Consumer Financial Protection Bureau declared a major incident breach in 2023 that affected over 200,000 consumers and 46 institutions. As their inspector general investigated the event, they found a need for much stronger internal controls. Here with more on their findings and recommendations are Laura Shakarji and Michael Zeitler from the Office of the Inspector General of the Federal Reserve Board and Consumer Financial Protection Bureau. Thank you both so much for joining me. Laura, let me start with you because the topic of this report is a term that many people may not understand. What exactly is confidential supervisory information?

Laura Shakarji So, under CFPB regulations, confidential supervisory information includes, among other things, examination reports and information contained in or derived from such materials. It can also include communications between the CFPB and a supervised institution or a government agency. In addition, it could include information provided to the CFPB by an institution to enable the CFPB to monitor for risks to consumers.

Terry Gerton So it’s basically the kind of confidential information about an organization that CFPB accumulates as it supervises that organization. So now with that as a background, what prompted you all to begin an investigation of CFPB’s confidential supervisory information?

Laura Shakarji So as background, the CFPB supervises depository and non-depository institutions to assess their compliance with federal consumer financial laws. And as part of their oversight activities, examiners collect and review confidential supervisory information from institutions, but they also create confidential supervisory information as they do their oversight activities, such as analyzing information about institutions, documenting their conclusions in their examination reports, and also prioritizing their annual supervisory activities. Our office is the OIG for the CFPB, and we conducted this evaluation to assess the CFPB’s controls for safeguarding CSI. Specifically, we initiated this work after we learned that the CFPB declared a major incident breach. In February of 2023, the agency became aware that an employee and examiner forwarded confidential supervisory information to their personal email, and officials reviewed the examiner’s email history and determined that the examiner had forwarded to their email account approximately 65 emails over the span of about a year, and those emails contained confidential supervisory information from 46 institutions as well as personally identifiable information of about 256,000 consumers. The agency then later declared the breach to be a major incident based on the number of affected consumers, and so this is what prompted us to initiate our evaluation of this topic.

Terry Gerton What are the primary risks associated when that kind of information gets out?

Michael Zeitler So breaches of confidential supervisory information and PII can expose the CFPB, the financial institutions that the CFPB supervises, and consumers to reputational and financial damage. So mishandling confidential supervisory information can lead to legal repercussions and damage to an institution’s reputation. And of course, mishandling PII can expose individuals to fraud or financial loss. And as part of its supervisory activities, the CFPB needs access to this information, and if they are not as strong at protecting it, the organizations they supervise may not be as willing to share it.

Terry Gerton Which will then make the supervisory responsibilities that much more difficult the next time around.

Michael Zeitler Exactly.

Terry Gerton So as you dug into this, Mike, what were the OIG’s findings regarding CFPB’s current practices?

Michael Zeitler First, we found that the CFPB lacked a formal process for an examiner to request access to files associated with an examination to which the examiner has not been assigned. So when an examiner is assigned to an event, they have access to the files with that event, but sometimes examiners need access to the files of examinations they’re not assigned to. And so the CFPB needs to set up a process for that. And then a second key finding from our report was that based on our analysis, the examiner who caused the breach had confidential supervisory information from the CFPB’s annual prioritization process without a clear need to know.

Terry Gerton I’m speaking with Laura Shakarji, a senior OIG manager, and Michael Zeitler, a manager in the Office of the Inspector General, Federal Reserve Board, Consumer Financial Protection Bureau. So Laura, let me come back to you. Tell me about the recommendations. Mike’s just summarized the findings for us. What did you recommend that CFPB start with?

Laura Shakarji We had a number of recommendations. We made seven in total, and I’ll just touch on a couple of them. Among other things, we recommended that the agency define in policy the process by which personnel determine whether an employee has a need to know the information to perform their work before granting them access to that sensitive information. We also recommended that CFPB hold staff responsible for breaches accountable. Specifically, we recommended that the agency update guidance to set expectations for counseling, training, or taking other measures to hold staff responsible for breaches accountable — internal controls that we believe can enhance their safeguards for this information.

Terry Gerton And how did CFPB respond? Did they accept those recommendations?

Laura Shakarji In response to our draft report, the CFPB concurred with our recommendations, and as we do for all of our open recommendations, we will be conducting follow-up activities to monitor the agency’s progress to implement the recommendations until they are fully satisfied.

Terry Gerton How do these gaps that you identified and the recommendations impact the agency’s ability to really respond effectively? How will it change their day-to-day practices?

Laura Shakarji We believe that the recommendations that we articulated in the report will help create stronger controls and safeguards to help more effectively articulate expectations for handling and safeguarding information, granting access to employees based on the principle of need to know and other measures to better respond to breaches should they occur, as well as hold responsible employees accountable.

Terry Gerton There are probably many other regulatory financial agencies that have similar responsibilities and create similar kinds of information. What lessons should they be taking from your report, your findings, and your recommendations here?

Laura Shakarji We do believe there are some lessons for other federal agencies. First, agencies should really ensure that expectations for sharing and handling confidential information are documented in policies and procedures. Agencies should also consider an employee’s need to know before granting access to sensitive information. And in terms of breaches, to the extent that agencies experience breaches of sensitive information, they can conduct trend analysis of the causes of those breaches to identify potential control weaknesses and then assess adjustments to controls based on any recurring themes that they identify. In addition, agencies could also hold employees responsible for breaches accountable. One agency’s insider threat mitigation guidance that we reviewed emphasized both the importance of holding staff accountable and really giving them the opportunity to acknowledge their responsibility in an incident while involving them in addressing consequences to help reduce potential for recurrence in the future.

Terry Gerton Would you categorize those as best practices, sort of universal approaches to protecting PII, and in this case, also protecting that confidential supervisory information?

Laura Shakarji Definitely. I think these practices, while in the context of our work were related to the CFPB, could be more broadly applicable to other agencies as they think about information security and the information that they handle.

Copyright © 2025 Federal News Network. All rights reserved.
