OIG makes seven recommendations for CFPB following major incident

May 16, 2025

On May 5, the OIG for the Fed authored a report with several recommendations for the CFPB following a major security incident involving confidential supervisory information (CSI). The OIG issued four findings with seven recommendations, such as better defining policies, updating documents and directives, and developing trainings. For example, the OIG recommended that the Bureau define the process for examiners to request access, assess the need to know, document such needs, and outline consequences for unauthorized access. The CFPB concurred with six of the seven recommendations and stated its plans to develop processes, update directives, and provide training, but did not provide completion timelines. The OIG will follow up in 90 days for implementation dates.

The report followed a security breach that escalated to a major incident. In February 2023, CFPB officials discovered that an examiner had sent approximately 65 emails containing confidential and personal information for hundreds of thousands of consumers and 46 institutions to a personal email account from February 2022 through February 2023. The Bureau’s Breach Response Team declared it a major incident, the CFPB’s first.