Finding Text
Finding 2024-008
LSC Financial Guide § 2.5.3 Electronic Data Processing and Cybersecurity

Grantor: Legal Services Corporation
Program Name: Legal Services Corporation Basic Field Grant
CFDA No.: 09.952000
Award No.: Basic Field Grant
Award Year: 2024
Repeat Finding From Prior Audit? No
Finding Type: Significant deficiency

Criteria: Per LSC Financial Guide § 2.5.3 Electronic Data Processing and Cybersecurity, the recipient is required to have written security policies and procedures for physical and digital assets, including all financial data and records. The policies and procedures should be part of an overall data and records security policy and an annual overall risk-assessment process.

Condition: MLSC did not conduct an annual risk assessment. MLSC’s cybersecurity policies are not complete and do not include: controls and other measures to safeguard physical and digital assets; maintenance of physical access controls for servers and storage rooms; development and periodic testing of its emergency disaster prevention and recovery plan; and performance of regular backups and offsite storage of data records. There is no person within MLSC who is formally assigned to oversee computer and data security responsibilities.

Cause: MLSC did not establish the policies and controls that meet the LSC Financial Guide § 2.5.3 Electronic Data Processing and Cybersecurity requirements.

Effect: MLSC’s lack of a comprehensive cybersecurity program and annual risk assessment results in noncompliance with LSC Financial Guide § 2.5.3. The absence of documented security controls, defined responsibilities, disaster recovery procedures, and offsite backups increases the risk of unauthorized access, data loss, service disruption, and compromised financial and client information. These gaps weaken MLSC’s ability to safeguard both physical and digital assets.
Recommendation: MLSC should develop and implement a complete cybersecurity and data security framework consistent with LSC Financial Guide § 2.5.3. This should include (1) conducting an annual risk assessment, (2) establishing formal security policies and procedures, (3) defining staff roles and responsibilities, (4) implementing physical and digital access controls, and (5) maintaining and periodically testing a disaster recovery and data backup plan, including offsite storage of critical records.

Management’s Response and Corrective Action Plan:
Management agrees, and has addressed this as follows:
Responsible person: Lee Pliscou
MLSC Board of Directors approved a revised accounting manual in October 2025 which requires an annual cybersecurity assessment and response in compliance with LSC Financial Guide § 2.5.3, together with a formal risk assessment of banking operations to identify and address vulnerabilities, as required by LSC Financial Guide § 3.2.1.
Specifically, our cybersecurity policies include the following requirements:
● Perform (and document) an annual risk assessment
● Resolve any risk findings or conclusions
● Maintain physical access controls for servers and storage rooms
● Develop and periodically test an emergency disaster prevention and recovery plan
● Perform regular backup of electronic records and systems stored offsite or in a virtual environment with easy-to-use restoration options
● Formally assign computer and data security responsibilities

The risk assessment process:
● Identifies the physical and digital assets susceptible to cyberattacks
● Identifies risks to those assets (risks should be evaluated annually for changes)
● Evaluates the risks (e.g., high, medium, or low) based on likelihood and impact
● Documents the results of the risk assessment, including the development and implementation of appropriate controls

Also, per our new Accounting Manual, MLSC conducts a risk assessment of its electronic banking policies and procedures to identify areas that need additional safeguards and protections. We do this in conjunction with the annual cybersecurity risk assessment. As of November 2025, MLSC has contracted with a consultant to provide such an assessment, and the contractor has delivered a first draft of an assessment.

Anticipated completion date: MLSC has already completed the requirement to have policies in compliance with LSC Financial Guide Sections 2.5.3 (Electronic Data Processing and Cybersecurity) and 3.2.1 (Bank accounts). MLSC will complete the annual assessment by February 28, 2026.