Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Division of Banks

November 18, 2021 · Division of Banks · Read the full official report on mass.gov ↗

Published November 18, 2021 Audit covers July 1, 2017 – June 30, 2019 Under Suzanne M. Bump · 2011–2023

In plain English
The audit found that the Division of Banks generally did what it was supposed to do in the areas reviewed, but it did not make sure all employees completed required cybersecurity training on time.
source
“In performing our audit work, we found that not all DOB employees promptly received cybersecurity awareness training, as discussed in Finding 1.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit of the Division of Banks, covering July 1, 2017 through June 30, 2019.

“This report details the audit objectives, scope, methodology, findings, and recommendations for the audit period, July 1, 2017 through June 30, 2019.”
Why was it audited?

Auditors checked whether the Division of Banks properly oversaw certain financial businesses, handled license information from other states, shared enforcement information, and made sure employees completed required cybersecurity training.

“In this performance audit, we determined whether DOB (1) ensured that foreign transmittal agencies maintained three years of records in accordance with Section 10 of Chapter 169 of the General Laws; (2) collected, and acted on, information on mortgage lenders or brokers that may have had their licenses suspended or revoked by the licensing authority of any other state, as required by Sections 42.04(2)(b)(4) and 42.06(2)(b)(4) of Title 209 of the Code of Massachusetts Regulations; and (3) shared its information regarding Massachusetts-licensed lenders and brokers that had been subjected to formal enforcement action from other states, as required by Section 5107 of Title 12 of the United States Code and Section 1508(d)(3) of Title V of Public Law 110-289 (the Secure and Fair Enforcement for Mortgage Licensing Act of 2008).”
Why it matters

The Division of Banks oversees many financial service providers in Massachusetts, so weak cybersecurity training could put sensitive information at risk.

“Untimely cybersecurity awareness training may lead to user error and compromise the integrity and security of protected information in DOB’s information technology systems.”
What's in it for me?

If you use banks, credit unions, mortgage lenders, money-transfer businesses, check cashers, or similar financial services in Massachusetts, this agency helps regulate those businesses and protect the financial services environment.

“DOB’s primary mission is to ensure a sound, competitive, and accessible financial services environment throughout the Commonwealth.”
The bottom line

The auditors answered yes to all three main oversight questions, but found one problem: some employee cybersecurity training was late.

“Below is a list of our audit objectives, indicating each question we intended our audit to answer and the conclusion we reached regarding each objective.”
What happens next

The Division of Banks said it is creating policies and procedures to make sure employees get cybersecurity training on time, including before new employees access systems.

“The DOB reviewed the recommendations, and we are developing and implementing policies and procedures in accordance with EOTSS policies to ensure employees receive the training in a timely manner.”
Why it's significant

The key issue was not about the agency failing its main licensing and enforcement-review duties; it was about making sure staff are trained on cybersecurity quickly and regularly enough to protect state systems and data.

“DOB did not ensure that all of its employees promptly completed cybersecurity awareness training.”
Jargon, unpacked

DOB means Division of Banks, the state agency reviewed here; FTA means foreign transmittal agency, a business that receives money to send to other countries; NMLS is the nationwide online licensing system for mortgage-related licenses.

“According to Section 45.02 of Title 209 of the Code of Massachusetts Regulations, a foreign transmittal agency (FTA) is “a person who engages or is financially interested in the business of receiving deposits of money for the purpose of transmitting the same or equivalents thereof to foreign countries.””

What the Auditor checked

What the Auditor found

DOB did not ensure that all employees completed cybersecurity awareness training on time.
cybersecurityinternal controls

Why it matters: Untimely cybersecurity awareness training increases the risk of user error and compromise of protected information in DOB systems.

Standard: EOTSS Acceptable Use of Information Technology Policy IS.002, EOTSS Information Security Risk Management Standard IS.010, and state Executive Order 504 ( Section 5.1.1 of the Executive Office of Technology Services and Security’s Acceptable Use of Information Technology Policy IS.002; Section 6.2.4 of EOTSS’s Information Security Risk Management Standard IS.010; Section 6 of state Executive Order 504 )

2 recommendations
  • DOB should develop and implement policies and procedures, in accordance with EOTSS policies, that require all current employees to receive annual cybersecurity awareness training.agency: agreed
  • DOB should develop and implement policies and procedures, in accordance with EOTSS policies, that require newly hired employees to receive cybersecurity awareness training during orientation or within a prescribed timeline before they have access to DOB’s systems.agency: agreed
Agency response & Auditor reply
Agency: "The DOB reviewed the recommendations, and we are developing and implementing policies and procedures in accordance with EOTSS policies to ensure employees receive the training in a timely manner."
Auditor: "Based on its response, DOB is taking steps to address these issues."

More audits of this entity

Other Office of the State Auditor reports on Division of Banks .

See this entity's page with all 4 audits →