Office of the State Auditor
Auditor DiZoglio Releases Audit of the Woods Hole, Martha’s Vineyard and Nantucket Steamship Authority
Media Contact: Lauren Feltch Donoghue, Senior Director
Boston — Today, State Auditor Diana DiZoglio’s Office released an audit of the Woods Hole, Martha’s Vineyard, and Nantucket Steamship Authority (the Steamship Authority), which reviewed the period of July 1, 2019, through December 31, 2021.
Our audit found that the Steamship Authority does not have a formal, documented cybersecurity awareness training program to ensure all employees complete cybersecurity training.[1] During our review, we recommended the Steamship Authority consider best practices to monitor training, update training content to ensure relevant information is included, and follow up in an appropriate timeframe with any employees who have not completed training.
In addition, our team reviewed the Steamship Authority’s Coronavirus Aid, Relief, and Economic Security (CARES) Act funds in accordance with the Federal Transit Administration (FTA) guidance and the Steamship Authority’s memorandum of understanding with Cape Cod Regional Transit to ensure proper documentation for all expenses. The team concluded that the Steamship Authority spent CARES Act funds in accordance with the FTA.
“It is through our audits that meaningful change can happen, especially when an auditee is willing to implement our recommendations to help ensure greater accountability and reliable policies and procedures moving forward,” said Auditor DiZoglio. “Based on the Steamship Authority’s response to our cybersecurity finding, they have acknowledged and agreed with our recommendations to establish and maintain a comprehensive cybersecurity training program that follows best practices. We appreciate the swift action taken by the Steamship Authority to address our concerns on this matter.”
The report’s ‘Other Matters’ section also noted that despite employee passage and ticket agency policies being in place, Steamship Authority employees did not always follow the established policies to issue trip passes to current, retired, temporary, or seasonal employees and eligible nonemployees. Additionally, weaknesses were identified in the areas of badge permitting access to facilities and free rides, the absence of travel logs in most of the facilities, and the inconsistency of information gathered when granting trip passes.
[1] This audit was prompted by the 2021 ransomware attack on the Steamship Authority (https://www.nbcboston.com/news/local/mass-steamship-authority-delayed-due-to-cyber-attack/2395477/)
###