WASHINGTON (Reuters) -President Donald Trump's clampdown on the U.S. Consumer Financial Protection Bureau earlier this year has compounded IT security lapses at the agency through the cancellation of contracts,
according to an audit report released on Monday.
The information security program at CFPB -- which maintains sensitive and confidential data from investigations, the oversight of companies and complaints received from members of the public -- is "not effective," according to the Office of Inspector General, which also covers the Federal Reserve.
Representatives of the agency did not immediately respond to a request for comment. However, in a response to the report, CFPB management accepted its findings and proposed solutions which the report said would be adequate if implemented.
Claiming the CFPB under previous administrations engaged in politicized enforcement and exceeded its legal authorities, the Trump White House has sought to shrink the agency drastically - proposing to cut the workforce by up to 90% - with top officials, including Trump and acting Director Russell Vought calling for its outright elimination.
The findings say the agency's data remains vulnerable nine months after the White House took control of the agency and ordered a halt to all activities while granting representatives of the so-called Department of Government Efficiency access to sensitive systems.
Democrats and worker unions at the time expressed concern for data security and the privacy of information held by the agency.
According to the report, the CFPB had not documented cybersecurity risks or maintained authorizations for many systems.
"This issue has been compounded by the loss of contractor resources supporting information security continuous monitoring and testing activities and the departure of agency personnel," it said.
This left the CFPB "unable to maintain an effective level of awareness" of its vulnerabilities, the report said, in particular noting contract cancellations and staff departures since February.
In a management response, the CFPB said it accepted all six of the auditors' recommendations, which included defining risk management roles and responsibilities; developing and maintaining cybersecurity registers and profiles; and performing reviews and monitoring risks and threats.
(Reporting by Douglas Gillison in Washington; Editing by Aurora Ellis)
