Finding 42753 (2022-002)

-
Requirement: N
Questioned Costs: -
Year: 2022
Accepted: 2023-07-17
Audit: 50889
Organization: Holy Names University (CA)

AI Summary

  • Core Issue: The University has not conducted a formal risk assessment since January 2021, leaving student financial aid information vulnerable.
  • Impacted Requirements: The University’s IT policies do not fully meet the Gramm-Leach-Bliley Act's requirements for identifying and managing data security risks.
  • Recommended Follow-Up: Engage an outside resource to perform a formal risk assessment and provide remediation recommendations for any identified deficiencies.

Finding Text

2022 – 002 Gramm-Leach-Bliley Act (Student Financial Aid Cluster – All programs)

Criteria: Under the University’s Program Participation Agreement and the Gramm-Leach-Bliley Act (GLBA), schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid. According to 16 CFR 314.4(b), a school must identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of your operations, including:

  1. Employee training and management;
  2. Information systems, including network and software design, as well as information processing, storage, transmission, and disposal; and
  3. Detecting, preventing, and responding to attacks, intrusions, or other systems failures.

Condition: Although the University has documented various IT policies around access, they are not comprehensive enough to cover the Gramm-Leach-Bliley Act requirements around the process of identifying the internal and external risks to data security.

Cause: The University has not conducted a formal risk assessment since January 2021.

Effect: Student information may be at risk of unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information.

Questioned Costs: There were no questioned costs related to this finding.

Context: During our review of the University’s Information Technology system, we noted through inquiry that a formal risk assessment of the University’s documented safeguards had not been performed since January 2021.

Recommendation: We recommend that the University re-engage the outside resource to independently perform and develop a formal risk assessment, along with recommendations for remediation of any open items and/or deficiencies.

Views of Responsible Officials: We agree with the recommendation.

Corrective Action Plan

Corrective Action Plan For the Year Ended June 30, 2022

2022 – 002 Gramm-Leach-Bliley Act (Student Financial Aid Cluster – All programs)

Criteria: Under the University’s Program Participation Agreement and the Gramm-Leach-Bliley Act (GLBA), schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid. According to 16 CFR 314.4(b), a school must identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of your operations, including:

  1. Employee training and management;
  2. Information systems, including network and software design, as well as information processing, storage, transmission, and disposal; and
  3. Detecting, preventing, and responding to attacks, intrusions, or other systems failures.

Condition: Although the University has documented various IT policies around access, they are not comprehensive enough to cover the Gramm-Leach-Bliley Act requirements around the process of identifying the internal and external risks to data security.

Cause: The University has not conducted a formal risk assessment since January 2021.

Effect: Student information may be at risk of unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information.

Questioned Costs: There were no questioned costs related to this finding.

Context: During our review of the University’s Information Technology system, we noted through inquiry that a formal risk assessment of the University’s documented safeguards had not been performed since January 2021.

Recommendation: We recommend that the University re-engage the outside resource to independently perform and develop a formal risk assessment, along with recommendations for remediation of any open items and/or deficiencies.

Corrective Action Planned: The Board of Trustees announced in December 2022 plans to cease academic operations and degree granting in May 2023 after the completion of the spring semester. In spring 2022, Holy Names University was seeking a partner institution to keep the university functioning and continue the mission of our founders, SNJM. While the University had interest in long-term collaboration from potential partners, the University was not able to reach closure in a way that would allow it to continue offering programs and services. The ongoing impact of COVID-19 enrollment declines was especially significant, particularly for fall term 2022. In addition, the University experienced rising operational costs and student retention issues.

In January 2023, the University declared financial exigency, which gave the University greater flexibility to allocate its remaining resources to deliver spring term academic and athletic programs and support the transition of continuing students to other institutions. The University initiated layoffs beginning February 3, 2023 and continues to reduce expenses, funding only the most critical instructional and health and safety expenses. In February 2023, the University bondholder filed a notice of default based on noncompliance with the prior period operating ratio covenant. In March 2023, the University began marketing efforts to support the sale of the 60-acre campus. In April 2023, the University sold the residence, formerly occupied by the University's President, for $3 million. The net proceeds to the University were $1.2 million after expenses and after a repayment of a $1.6 million loan on the property drawn in 2023. The net book value of the property at June 30, 2022 was $1.2 million.

Responsible Personnel:
Jeanine Hawk, EdD, MBA
Vice-President, Finance and Administration
Mobile: 408-590-5834
hawk@ndnu.edu

Categories

Subrecipient Monitoring

Programs in Audit

| ALN | Program Name | Expenditures |
|---|---|---|
| 84.268 | Federal Direct Student Loans | $8.67M |
| 84.047 | TRIO Upward Bound | $1.04M |
| 84.031 | Higher Education Institutional Aid | $565,081 |
| 84.425 | Education Stabilization Fund | $268,459 |
| 84.033 | Federal Work-Study Program | $148,819 |
| 84.038 | Federal Perkins Loan Program - Outstanding As of July 1, 2021 | $102,280 |
| 84.007 | Federal Supplemental Educational Opportunity Grants | $102,140 |
| 84.379 | Teacher Education Assistance for College and Higher Education Grants (TEACH Grants) | $16,837 |
| 84.063 | Federal Pell Grant Program | $1,435 |
| 84.038 | Federal Perkins Loan Program - Administrative Cost Allowance | $0 |
| 84.038 | Federal Perkins Loan Program - Loans Issued in the Year | $0 |