The Board Can Enhance Its Approach to the Cybersecurity Supervision of Community Banking Organizations

Date Issued

Wednesday, May 28, 2025

Submitting OIG

Federal Reserve Board & CFPB OIG

Agencies Reviewed/Investigated

Board of Governors of the Federal Reserve System

Report Number

2025-SR-B-008

Report Type

Inspection / Evaluation

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Report updated under NDAA 5274

External Link

https://oig.federalreserve.gov/reports/board-cybersecurity-community-banking-ma…

Open Recommendations

This report has 5 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
1	No	$0	$0
Assess whether the Information Technology Profile and Information Technology Risk Examination work programs used by Reserve Bank examiners address emerging information technology and cybersecurity risks and, based on this assessment, provide supplemental guidance and customize the Information Technology Profile and Information Technology Risk Examination work programs for System-led examinations as needed.
2	No	$0	$0
Establish a process to periodically assess whether the Information Technology Profile and Information Technology Risk Examination work programs used by Reserve Bank examiners, including the Board’s customized guidance, address current material risks in the information technology and cybersecurity environment and update the Information Technology Profile and Information Technology Risk Examination work programs as needed.
3	No	$0	$0
Clarify accountability for defining systemwide community banking organization information technology and cybersecurity training requirements.
4	No	$0	$0
Develop information technology and cybersecurity training guidance that describes expectations for generalist examiners conducting community banking organization information technology examinations, including expectations for on-the-job training and expectations following the completion of the community banking organization Examiner Commissioning Program.
5	No	$0	$0
Clarify in guidance the expectations for updating and reaffirming responses in Information Technology Profiles and retaining Information Technology Profiles for each information technology examination in the appropriate system of record, and expectations for assessing ongoing compliance.