FDIC cyber risk examinations need work: Inspector general
WASHINGTON — The Office of Inspector General for the Federal Deposit Insurance Corp. issued a report Wednesday detailing shortcomings in the FDIC’s cybersecurity risk mitigation program.
The inspector general identified a number of issues with FDIC’s program for Internet Technology risk examination at nonmember banks — also known as InTREx — urging the agency “to take actions to ensure that its examiners effectively assess and address IT and cyber risks during IT examinations.”
Wednesday’s report identified weaknesses both in how the agency prepares its examination staff and in the agency’s risk examination procedure itself. The inspector general found FDIC’s InTREx program to be outdated, saying it fell short of current Federal guidance in three of its four IT examination modules. The report criticized the regulatory agency for not communicating with the inspector general when updates were made to its examination program, something required by the agency’s watchdog.
The Federal Deposit Insurance Corp.’s Office of the Inspector General found that the agency had some shortcomings in its implementation of a cybersecurity risk examination program it had developed for banks under its jurisdiction.
Bloomberg News
In addition to updating its program, the office criticized FDIC for failing to ensure its employees follow written procedures. Its report said the banking regulator did not closely review IT workpapers to ensure precise results, and that it needs to better train its employees on adherence to IT risk examination procedures.
“FDIC examiners did not complete InTREx examination procedures and decision factors required to support examination findings and URSIT ratings,” the office stated.
The office also criticized the agency’s examination procedures themselves, saying they lacked clarity, and led examiners to submit “inconsistent and untimely” IT examinations.
The report said that FDIC needs to provide more guidance to examination staff around reviewing threat information so they stay up to date on relevant emerging cyber threats. The report also noted that the regulator is not utilizing all available tools to improve its InTREx program, and fails to construct adequate performance metrics to measure its progress in examining banks’ IT risks.
The inspector general’s office provided 19 recommendations to the FDIC, including that it generally update its IT examination program, inform examiners of the need to adhere to written procedures and deadlines, and ensure that examiners stay up to date on emerging cyber threats. It also recommended that the agency review and correct those IT examinations identified as deficient, and use them as a teaching tool to ensure examiners are adhering to written rules.
The report also recommends that the FDIC review problem IT examinations and take corrective actions as necessary, and provide employees with new InTREx training to promote consistent and compliant risk assessments. The inspector general suggested the FDIC look into using a tool to conduct analysis of unstructured data from examinations, AlphaRex — which FDIC developed in 2017 — to improve examination quality. Finally, the report recommended the FDIC create a self-evaluating rubric for measuring the effectiveness of its InTREx assessments.
After concurring with 16 of the inspector general’s 19 recommendations and partially concurring with three, the FDIC proposed taking corrective actions by Dec. 31, 2023 — actions that the inspector general said satisfied 14 of the recommendations. However, the office says the FDIC’s proposed corrective actions for the remaining five issues were unsatisfactory, meaning the two agencies must continue working toward resolving these five deficiencies.
Those unresolved issues include the inspector general’s requests that FDIC establish set examination goals and a rubric to measure InTREx’s effectiveness toward them, enhance data collection, take corrective actions to fix past inadequacies, and put in place internal control measures to compel examiners’ adherence to stated InTREx policy.