GAO: SBA Still Needs to Work on Cyber Defense and Disaster Planning

The Government Accountability Office (GAO) has issued an update on its priority recommendations for the Small Business Administration (SBA). These recommendations included a call for SBA to establish a process for conducting an organization-wide cybersecurity risk assessment.

In April 2019, GAO identified five priority recommendations for SBA. Since then, SBA has implemented two of those recommendations by, among other things, entering into an agreement with the Department of Agriculture to share loan data, enabling them to analyze borrower characteristics for loan programs.

In April 2020, GAO identified five additional priority recommendations for SBA, bringing the total number to eight. These recommendations include the following areas:

  • improving the agency’s ability to respond to disasters.
  • requiring lenders to assess borrowers’ ability to obtain credit elsewhere.
  • improving the agency’s ability to address cybersecurity threats.
  • addressing staffing requirements and controls related to export promotion.

Two of GAO’s recommendations would improve SBA’s ability to respond to disasters. In February 2020, the watchdog recommended that SBA identify and document risks associated with its disaster response and plans to mitigate these risks in its disaster planning documentation, and identify the key elements of a disaster action plan and provide additional guidance to staff on how to incorporate these elements into future action plans. 

SBA told GAO that to address the first recommendation it would identify and document known risks associated with SBA’s disaster response and implement a risk-informed approach to its direct response and recovery operations. For the second recommendation, SBA said the agency would develop the key elements of, and templates for, a disaster action plan. SBA also stated that it would include this information in the agency’s Disaster Preparedness and Recovery Plan. 

GAO made two recommendations to improve lender compliance with the credit elsewhere requirement: that lenders only make SBA 7(a) loans to creditworthy small business borrowers who cannot obtain credit through a conventional lender at reasonable terms. In April 2020, SBA stated that the agency would provide a response addressing these recommendations by September 30, 2020.

To address cyber threats, GAO recommended in July 2019 that SBA establish a process for conducting an organization-wide cybersecurity risk assessment. SBA agreed with this recommendation and stated it would update its strategy to more clearly address risk tolerance and risk-mitigation strategies and finalize a process for conducting a cybersecurity risk assessment. As of February 2020, this effort was not complete, according to GAO’s latest update, which was publicly released on April 28.

Finally, to address export promotion, GAO made three recommendations to help address staffing requirements and improve controls in export promotion grant programs. In January 2020, SBA told GAO that the agency had hired additional export finance specialists, bringing the total hired to 25. SBA also said the agency was establishing a strategy for future hires and requesting fiscal year 2021 funding to hire individuals to fill the remaining five positions. However, as of February 2020, SBA had not yet put in place the 30 export finance specialists required by law. 

In these unprecedented times, SBA may have other more immediately pressing concerns, but each of GAO’s recommendations will help strengthen it as it seeks to help small businesses through the pandemic and out the other side.

This week, Bank of America Corp. sent 184,000 applications for rescue loans to SBA, with more expected. SBA will now need to process and approve the loans.

Read the full report at SBA


Kylie Bielby has more than 20 years' experience in reporting and editing a wide range of security topics, covering geopolitical and policy analysis to international and country-specific trends and events. Before joining GTSC's Homeland Security Today staff, she was an editor and contributor for Jane's, and a columnist and managing editor for security and counter-terror publications.
