CFPB’s cybersecurity program ‘no longer effective:’ OIG says

November 4, 2025
  • What’s at stake: The CFPB uses outdated software and has no strategy for responding to cybersecurity risks, the report found.
  • Supporting Data: The CFPB’s information security program experienced a rapid drop in effectiveness — from a level 4 in fiscal year 2024 to a level 2 rating in fiscal year 2025.
  • Forward Look: Despite the OIG’s critical assessment, the CFPB’s chief information officer asserted that the bureau maintains a “robust cybersecurity posture.”

The Consumer Financial Protection Bureau no longer has an effective cybersecurity program, according to the agency’s government watchdog, which found deterioration of the agency’s capabilities during the Trump administration. 

In a highly critical report issued Monday, the Federal Reserve’s Office of Inspector General said the CFPB does not have a strategy to respond to cybersecurity risks and is unable to maintain “an effective level of awareness” of its security vulnerabilities.

Since the Trump administration took control of the agency in February, the CFPB has cut off contractors that maintained its systems and has lost many employees, including Marianne Roth, the agency’s former chief risk officer. The CFPB’s overall level of information security has dropped from a level 4 in fiscal year 2024 to a level 2 in fiscal year 2025, with level 5 being the highest rating, the report states.  

“The CFPB’s overall information security program is not effective,” the OIG said in a 32-page report. “This year we found that the CFPB’s [enterprise risk management] program has been placed on hold as the agency’s chief risk officer and other individuals in the ERM office left the agency in March 2025. These individuals’ positions have not been backfilled, nor are their roles and responsibilities being fully performed.” 

The Fed’s OIG, a watchdog agency, issued the report as part of an annual 2025 audit of the CFPB’s information security program. The OIG cited the use of outdated software and the fact that vendors are no longer providing security updates and patches for the CFPB’s information systems. A key reason is that the agency has had delays in modernizing and retiring legacy applications.

Nathan Taylor, a partner at Morrison & Foerster LLP and an expert in privacy and data security, said the report is cause for concern. 

“Given the sensitivity and volume of consumer and institutional data handled by the CFPB, the OIG’s audit findings are disturbing,” Taylor said. “The fact that, in OIG’s view, the CFPB’s information security program and maturity have taken multiple steps backward are cause for concern.”

The CFPB oversees consumer debt markets worth $18 trillion. It has a huge amount of data on all key consumer finance markets: mortgages, student loans, credit cards and auto loans, including systems that hold personally identifiable information such as Social Security numbers. It maintains systems to collect, investigate and respond to consumer complaints. It also supervises and maintains confidential supervisory information on banks and nonbanks.

“We believe that the CFPB should continue to ensure adequate security is provided for these data and systems,” the OIG said.

Christopher Chilbert, the CFPB’s chief information officer, pushed back against the OIG’s report, yet agreed with all the OIG’s recommendations. In a letter to Khalid Hasan, the assistant inspector general for information technology, Chilbert argued that the CFPB has “a robust cybersecurity posture,” and pointed to the fact that the CFPB has not had any major information security incidents or breaches of personally identifiable information in 2025.

Chilbert also said that many of the issues the OIG identified were “low risk,” and did not contain any bureau data.

“Many of them represent non-material issues and documentation updates with little practical impact on the bureau’s cybersecurity posture,” Chilbert wrote.

In a reminder that cybersecurity breaches are not confined to private-sector firms, bank trade associations warned Treasury Secretary Scott Bessent in June about security weaknesses at federal regulatory agencies. The groups, led by the American Bankers Association and the Bank Policy Institute, expressed concern that regulators are increasingly the target of persistent and sophisticated attacks that could disrupt financial markets.

The CFPB has historically used contractors to support its information security program. But at the start of 2025, the agency made changes, according to the OIG report, and started to receive IT security and compliance services through the Bureau of Fiscal Service.

In addition, the OIG found that the CFPB continues to use “end-of-life software,” which it said increases the risk of malicious actors bypassing security protections. The CFPB is in the process of modernizing and retiring legacy systems, but has had delays in doing so, the report said. 

“While the CFPB has a strategy to identify, assess, and manage risks at the system level, it does not have a strategy to guide and inform how security and privacy risks are framed, assessed, responded to, and monitored at the organizational level,” the report stated. 

On the upside, the OIG said that since its last audit, the CFPB had taken steps to strengthen information security. It bolstered its incident response processes to address potential ransomware incidents. And it continues to manage cybersecurity risks, and is in the process of decommissioning and modernizing legacy technology systems.
