The Federal Housing Finance Agency Office of Inspector General has found that the FHFA's supervisory standards for and are deficient, and that Fannie Mae's cyber risk management policies do not meet the FHFA's oversight expectations.
In an evaluation report released March 31, the OIG said the FHFA patterned its oversight of the government-sponsored enterprises after the supervisory authority of the Office of the Comptroller of the Currency and the Board of Governors of the Federal Reserve System.
However, the OIG found that when matters requiring attention, or MRAs, are identified, FHFA examiners only inform the management of the GSEs rather than the entities' boards. Further, instead of involving the directors of the regulated entities in coming up with remedial plans to address the identified issues, the FHFA only holds the GSEs' management responsible for formulating the plans. The FHFA also does not require the GSEs' boards to oversee the implementation of the remedial measures and does not expect the boards to update it on the measures' progress.
"Absent clear supervisory expectations from FHFA, there is a significant risk that an enterprise board could become no more than a bystander to management's efforts to remediate MRAs, and FHFA risks prolonged or inadequate resolution of the most serious threats to the enterprises' safety and soundness," the OIG said in its report.
The OIG recommended that FHFA alter its supervision guidance to require its Division of Enterprise Regulation to provide the chair of the audit committee of an enterprise board with a letter identifying an MRA and to provide the audit committee chair with each plan to remediate such MRAs, according to the report. The OIG also recommended that the FHFA require its division to identify and include all open MRAs in the annual report of examination beginning this year.
The FHFA agreed with most of the recommendations but refused to agree to provide MRA remediation plans directly to the board audit committee chair, saying that it would instead communicate to management its expectation for the latter's clear, timely and detailed reporting to the enterprise board on open remediation plans. In response to FHFA's comments, the OIG said that the lack of the plan itself limits an enterprise board to monitoring management's efforts, which "falls far short of its oversight responsibilities under FHFA's governance principles and guidance."
In a separate report released the same day, the OIG found that Fannie Mae's board failed to adequately oversee the enterprise's management's plan for improving cyber risk management.
After reviewing the minutes of the meetings held between Fannie Mae's board and management, the OIG observed that management offered "plan after plan to enhance Fannie Mae's existing program without explaining the reasons for the numerous plans or the integration of one plan with another, and offered timeline upon timeline, but provided little evidence of concrete progress in remediating conditions giving rise to FHFA's supervisory concerns."
The OIG report also found that Fannie Mae's board generally just received management's presentations without questioning the timelines and the rationale for the multiple plans.
In order to address the issue, the OIG recommended that the FHFA instruct Fannie Mae's board to improve the enterprise's cyber risk management policies, to establish a desired target state for such management of cyber risk, and to oversee the efforts of Fannie Mae's management to leverage industry standards.
The FHFA agreed with the OIG's suggestions; however, it disagreed with some aspects of the findings, according to the report. The FHFA argued that the OIG's findings do not adequately recognize Fannie Mae's board's recent activities, and that the board is aware of the need to enhance the enterprise's information security program.