Report: SBA IT system was “not effective” during influx of pandemic relief loan applications

WASHINGTON, DC — The agency in charge of giving pandemic relief to millions of small business owners had gaps in security with its information technology system, according to a new watchdog report.

The Inspector General Report rated the Small Business Administration’s overall IT program as “not effective” in FY 2020 and said its data was at risk of being compromised at times.

The report lists reasons including SBA not always updating its systems on time.

“SBA did not reinforce its patch management and configuration policies to ensure that identified systems were properly configured and vulnerabilities remediated within specified timeframes,” the report said.

“If SBA does not promptly make security updates when they become available, there is an increased risk the confidentiality, integrity, and availability of the data residing on information systems could be compromised,” the report said. “There is also an increased risk that existing or new vulnerabilities could expose information systems and applications to attacks, unauthorized modification, or compromised.”

The report also said SBA didn’t always correctly carry out its user access review process.

“SBA did not correctly execute its new and existing user access review process to reduce the risk that improper access is approved and not identified,” the report said. “We identified 11 of 13 new users of two systems for whom SBA could not provide evidence that access had been properly authorized.”

The report recommends more security training and for SBA to fix the technological vulnerabilities among other changes.

The report said SBA agreed with all ten recommendations listed in the report and has resolved the issues.

Last year, SBA had a data breach that could have exposed information from thousands of emergency loan applications.

SBA said then there were no signs the data had been misused and businesses affected were given a year of free credit monitoring.