Cyber

CFPB’s cybersecurity program ‘not effective’ after staff cuts, watchdog says

An IG audit found that the CFPB hasn’t maintained “an effective level of awareness of security vulnerabilities” following staff departures and diminished contractor support.

By Matt Bracken

November 4, 2025

Listen to this article

0:00

This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment.

A view of the Consumer Financial Protection Bureau (CFPB) headquarters in Washington, D.C., on Feb. 10, 2025. (Photo by Saul Loeb / AFP via Getty Images)

The Trump administration’s ongoing decimation of the Consumer Financial Protection Bureau has rendered the agency’s overall information security program ineffective, a federal watchdog revealed Monday.

In an audit of CFPB’s cybersecurity program, the Federal Reserve’s Office of Inspector General found that the agency is no longer keeping up with its authorizations to operate many systems, and is “using risk acceptance memorandums without a documented analysis of cybersecurity risks.”

As a result of those floundering protocols, the Fed OIG said the CFPB’s overall information security program has declined to level-2 maturity (defined) in fiscal 2025, down from level-4 (managed and measurable).

“We further concluded, based on the results of our determinations of effectiveness in each domain and function, that the CFPB’s overall information security program is not effective,” the watchdog wrote.

Backsliding on these security measures can be at least partially attributed to a loss of contractor support for continuous security monitoring and testing, per the audit, as well as the mass exodus under the Trump administration of CFPB staff.

“As such, the CFPB is unable to maintain an effective level of awareness of security vulnerabilities in its environment,” the audit noted.

Despite the staffing constraints the agency finds itself in, the OIG credited remaining CFPB employees for taking “some steps to maintain and strengthen its information security program.” The audit pointed specifically to updated and formalized processes for how the CFPB should respond to possible ransomware incidents, in addition to weekly meetings between the senior agency information officer and system owners to help manage cyber risks.

The CFPB is also working to decommission and modernize legacy IT systems, the audit stated, though outdated software on the agency’s network is still in use — so outdated, in fact, that vendors are no longer pushing through security updates or patches.

“A key reason for this issue is delays in modernizing, rearchitecting, and retiring legacy applications,” the OIG wrote. “We have previously raised this issue and have an open recommendation related to it. As such, we are not including a new recommendation and suggest that management prioritize efforts to reduce the risks resulting from the use of outdated software.”

The OIG’s audit — first reported by Bloomberg Law and Reuters — comes weeks after Russell Vought said on a podcast that he plans to shut down the agency “within the next two or three months.” Vought, the Office of Management and Budget director, has played the role of acting director of the CFPB since February.

The CFPB was targeted early and often by President Donald Trump in the months after he assumed office, including massive staff cuts and orders to halt nearly all of the agency’s consumer protection work.

Since then, the agency reportedly granted “god-tier” data privileges to DOGE that critics called “deeply anticompetitive,” withdrew a rule targeting data brokers, and signaled changes to a rule that gives the public more control over their personal financial data.