A new report from the Federal Housing Finance Agency (FHFA) Office of Inspector General (OIG) finds that FHFA doesn’t have an agency-wide cybersecurity incident data analysis program based on a consistent data set, and that it lacks sufficient information to conduct trend or other time-series analyses for security purposes.
The report suggests that FHFA should enhance supervision of its regulated entities’ cybersecurity risk management.
FHFA oversees Fannie Mae, Freddie Mac, the 11 Federal Home Loan Banks, and the Office of Finance, which is the Federal Home Loan Banks’ (FHLBanks) fiscal agent. Those enterprises handle and store borrower information, including financial data and personally identifiable information. OIG said it used established criteria to examine FHFA’s cybersecurity practices and found that “regulated entities submitted only a handful” of cybersecurity incident reports.
Additionally, enterprises under FHFA’s purview define cybersecurity “events” and “incidents” differently from one another, OIG said. FHFA’s Division of Enterprise Regulation (DER) – which supervises the enterprises – and its Division of Federal Home Loan Bank Regulation, which supervises the FHLBanks and Office of Finance, each collect cybersecurity incident data. But that data can’t be “reconciled for comparison purposes,” the agency watchdog said.
The review also found that “FHFA does not have an agency-wide cybersecurity incident data analysis program based on a consistent dataset.”
“We recommend that FHFA conduct inquiries and analyses to explain the large disparities in reported cybersecurity events and incidents between the Enterprises and evaluate the cybersecurity data it obtains from the regulated entities and revise, as appropriate, its existing cybersecurity reporting requirements,” the report said.