The Government Accountability Office (GAO) has identified four additional priority recommendations for the Department of the Treasury as of May 2022, including recommendations on improving cybersecurity and modernizing the U.S. financial regulatory system.
In June 2021, GAO identified 21 priority recommendations for Treasury as part of an annual exercise. Since then, Treasury implemented three of those recommendations, but received four new ones in the latest review, leaving it with a total of 22 open priority recommendations from the past two years of reviews.
“In November 2021, we reported that on a government-wide basis, 76 percent of our recommendations made 4 years ago were implemented,” wrote GAO in its latest report. “Treasury’s implementation rate was 76 percent. As of May 2022, Treasury had 165 open recommendations, not including recommendations to the Internal Revenue Service (IRS), which are addressed in a separate letter to the Commissioner.”
“Fully implementing these open recommendations could significantly improve Treasury’s operations,” GAO said.
The government watchdog’s latest batch of recommendations includes three to improve cybersecurity at Treasury, and one to modernize the U.S. financial regulatory system. The cybersecurity recommendations are:
- Taking steps to consult with respective sector partners to develop methods for determining the level and type of cyber framework adoption by entities across those sectors;
- Completing appropriate assignment of codes to employee positions performing IT, cybersecurity, or cyber-related functions; and
- Facilitating the analysis of gaps between current skills and future needs, developing strategies for filling the gaps, and succession planning.
Treasury did not agree or disagree with the first recommendation, but as of February 22 had yet to develop methods to determine the level and type of framework adoption needed.
Treasury partially concurred with the second recommendation, but as of February 2022, it had not provided sufficient evidence to demonstrate that it had completed its efforts to validate work role codes.
Lastly, Treasury fully agreed with the third recommendation and has provided documentation showing it fully implemented the activity to assess competency and staffing needs regularly.
GAO maintains that implementing all recommendations would help fortify Treasury’s cyber posture.
To modernize the U.S. financial regulatory system, GAO recommends that the Comptroller of the Currency communicate in writing to banks that “engage in third-party relationships with financial technology lenders on the appropriate use of alternative data in the underwriting process.”
The Comptroller agreed with that recommendation; however, agencies have not finalized proposed guidance from Federal banking regulators and the Consumer Financial Protection Bureau (CFPB) on third-party risk management.
GAO says fully implementing the recommendation would help manage associated risks.