Financial institutions regulated by the Federal Deposit Insurance Corp (FDIC) are being short-strawed by the independent agency’s subpar monitoring and assessing of cybersecurity risks, according to a recent report by the body’s Office of Inspector General (OIG).
The OIG’s report identified major areas in the FDIC’s IT and cybersecurity risk examination program, known as InTREx, which helps to “ensure that financial institution management promptly identifies and effectively addresses IT and cybersecurity risks.” The end result is that staffers are not kept fully aware of cyber threats.
MSSPS Take Note
The banking and financial sector has been a favorite target of cybersecurity hackers for a number of years. Financial market-focus managed security service providers (MSSPs) should take note of the FDIC’s cybersecurity weaknesses.
The OIG said it found that the FDIC needs to “improve its InTREx program to effectively assess and address IT and cyber risks at financial institutions.” The report uncovered major “weaknesses in the program that limit the ability of examiners to assess and address IT and cyber risks at financial institutions,” including:
- The InTREx program is outdated and does not reflect current federal guidance and frameworks for three of four InTREx Core Modules.
- The FDIC did not communicate or provide guidance to its examiners after updates were made to the program.
- FDIC examiners did not complete InTREx examination procedures and decision factors required to support examination findings and Uniform Rating System for Technology (URSIT) ratings.
- The FDIC has not employed a supervisory process to review IT workpapers prior to the completion of the examination in order to ensure that findings are sufficiently supported and accurate.
- The FDIC does not offer training to reinforce InTREx program procedures to promote consistent completion of IT examination procedures and decision factors.
- The FDIC’s examination policy and InTREx procedures were unclear, which led examiners to file IT examinations workpapers in an inconsistent and untimely manner.
- The FDIC does not provide guidance to examination staff on reviewing threat information to remain apprised of emerging IT threats and those specific to financial institutions.
- The FDIC is not fully utilizing available data and analytic tools to improve the InTREx program and identify emerging IT risks.
- The FDIC has not established goals and performance metrics to measure its progress in implementing the InTREx program.
“The weaknesses… collectively demonstrate the need for the FDIC to take actions to ensure that its examiners effectively assess and address IT and cyber risks during IT examinations,” the report reads. “Without effective implementation of the InTREx program, significant IT and cyber risks may not be identified by examiners and addressed by financial institutions.”
Recommendations for Improvement
The OIG outlined 19 recommendations for the agency to improve the program. Some of those include: (via MeriTalk)
- Review the InTREx RD Memorandum to identify any updates needed, consistent with InTREx design and purpose.
- Issue revised or updated guidance, as necessary, and communicate these changes to examination staff prior to the changes taking effect.
- Update examiner instructions that address workpaper review roles and responsibilities and implement any needed changes relative to the finding.
- Continue to provide IT examination training as part of FDIC’s all- staff training, as appropriate. Specify timeframes for uploading IT examination workpapers.
The FDIC said it would complete 14 of the 19 recommendations by the end of this year. “For the remaining five recommendations, the FDIC’s proposed 'corrective actions' don’t meet the recommendations, the report said.
“As a result, we consider these recommendations to be unresolved as of the publication of this report and will work with the FDIC to reach resolution during the audit follow-up process,” the OIG said.
