Evaluation of Third-Party Cybersecurity Risk Management Processes for Vendors Supporting the Main Street Lending Program (MSLP) and the Secondary Market Corporate Credit Facility (SMCCF)
In response to the economic effects of the COVID-19 pandemic, the Board created new lending programs and facilities to provide loans to employers, certain businesses, and communities across the country to support the U.S. economy. To support the implementation of specific programs and facilities, the Federal Reserve Banks have contracted with third-party vendors for various services, such as administrative, custodial, legal, design, and investment management services. These vendors provide data generated from the operations and management of the facilities to the Reserve Banks, who then provide the data to the Board. We plan to evaluate the effectiveness of (1) the risk management processes designed to ensure that effective information security and data integrity controls are implemented by third parties supporting the administration of the MSLP and the SMCCF and (2) select security controls managed by the Reserve Banks for selected systems that process and maintain MSLP and SMCCF data.
Audit of the Board's Data Aggregation, Validation, and Reporting Processes for its CARES Act Lending Programs
Section 4026 of the CARES Act and section 13(3) of the Federal Reserve Act require the Board to report certain information regarding its emergency lending programs. The Board has stated its commitment to transparency and accountability by announcing that it will report, on a monthly basis, information on the lending programs using CARES Act funding, including the names and details of the participants in each program; the amounts borrowed and the interest rate charged; and overall costs, revenues, and fees for each program. The Board also reports aggregate information on its weekly comprehensive balance sheet, which is publicly available. We plan to assess the Board’s processes for aggregating and reporting lending information related to its CARES Act programs, including the data validation processes it uses to ensure that the information is current, accurate, and complete.
Monitoring of the Federal Reserve’s Lending Facilities
In response to the economic effects of the coronavirus pandemic, the Federal Reserve recently announced that it would create new lending facilities to provide loans to employers, certain businesses, and communities across the country to support the U.S. economy. Specifically, the following programs have been created or are in development: the Main Street Lending Program, the Paycheck Protection Program Liquidity Facility, the Municipal Liquidity Facility, the Primary Market Corporate Credit Facility, and the Secondary Market Corporate Credit Facility. We are initiating an active monitoring effort of these programs to gain an understanding of operational, governance, reputational, and financial matters associated with them. Through this monitoring effort, we will refine our focus on the programs and identify areas for future audits or evaluations. Some of the topics we are considering include the design, operation, governance, and oversight of the lending programs; data collection and reporting associated with the programs; and the effect of the programs on the Board’s supervision and regulation activities.