WASHINGTON — The Federal Deposit Insurance Corporation’s Office of Inspector General issued a report Wednesday detailing deficiencies in the FDIC’s cybersecurity risk mitigation program.
The inspector general identified a number of problems with the FDIC’s program for examining member banks’ Internet technology risks, also known as InTREx, urging the agency to “take steps to ensure that its examiners evaluate and address effectively address IT and cyber risks during IT exams”.
Wednesday’s report identified weaknesses both in the way the agency prepares its inspection staff and in the agency’s own hazard inspection procedure. The inspector general found the FDIC’s InTREx program to be out of date and said it did not meet current federal guidelines in three of its four IT exam modules. The report criticized the regulatory agency for failing to communicate with the inspector general when making updates to its testing schedule, something required by the agency’s watchdog.
Bloomberg News
In addition to updating its program, the office criticized the FDIC for failing to ensure its employees follow written procedures. Their report says that the banking regulator did not closely review IT working papers to ensure accurate results and that it needs to better train its employees on compliance with IT risk examination procedures.
“FDIC examiners did not complete the necessary InTREx examination procedures and decision factors to support the examination findings and URSIT scores,” the office stated.
The office also criticized the agency’s own examination procedures, saying they lacked clarity and led examiners to submit “inconsistent and untimely” IT examinations.
The report said the FDIC should provide more guidance to inspection personnel on reviewing threat information so they are up-to-date on relevant emerging cyberthreats. The report also noted that the regulator is not using all available tools to improve its InTREx program and is not building proper performance metrics to measure its progress in examining banks’ IT risks.
The inspector general’s office provided 19 recommendations to the FDIC, including generally updating its IT examination program, informing examiners of the need to adhere to written procedures and deadlines, and ensuring that examiners are kept up to date on emerging cyber threats. They also recommended that the agency review and correct IT exams identified as deficient and use them as a teaching tool to ensure that examiners adhere to the written rules.
The report also recommends that the FDIC review IT problem reviews and take corrective action as necessary, and provide employees with new InTREx training to promote consistent and compliant risk assessments. The inspector general suggested that the FDIC consider using a tool for analyzing unstructured test data, AlphaRex, which the FDIC developed in 2017, to improve test quality. Finally, the report recommended that the FDIC create a self-assessment rubric to measure the effectiveness of its InTREx assessments.
After agreeing with 16 of the inspector general’s 19 recommendations and partially agreeing with three, the FDIC proposed to take corrective action by December 31, 2023, actions that the inspector general said satisfied 14 violations. However, the office says that the FDIC’s proposed corrective actions for the remaining 5 issues were not satisfactory, meaning the two agencies must continue to work to resolve these five deficiencies moving forward.
Those unresolved issues include the inspector general’s request that the FDIC establish established examination targets and a rubric to measure the effectiveness of InTREx toward them, improved data collection, corrective actions to address past weaknesses, and internal control measures to compel examiners to comply with established InTREx policy.
