The Federal Deposit Insurance Corp. isn’t doing enough to monitor cyber risk effectively at the financial institutions it regulates, according to a federal government watchdog.
In a report issued Wednesday, the FDIC’s Office of Inspector General identified major deficiencies in the agency’s IT and cyber risk assessment program, which is known as InTREx.
Cyberattacks pose a major threat to banks because the disruption or degradation of systems, or unauthorized alteration of information, can substantially alter the risk profile of a financial institution.
The FDIC is the independent government agency responsible for monitoring the health of commercial banks and savings banks across the U.S. In its report, the organizations’s watchdog found that information used in InTREx was outdated, and that in some cases agency examiners were not completing tests.
In addition, the study found that staff were not being kept abreast of latest cyberthreat updates, and that no training for examiners was offered to reinforce InTREx procedures. According to the OIG, unclear procedures have also led to InTREx examiners failing to file exam work papers properly.
After carrying out its assessment, the FDIC watchdog has recommended the agency take 19 steps to remedy its concerns with the program. The FDIC has said it will carry out 14 of the 19 recommendations by the end of this year, but the watchdog says that actions taken by the agency to address its remaining five concerns have not been sufficient.
Last year, the FDIC’s then-CIO Sultan Meghji resigned from his post at the agency, and outlined his rationale for leaving in a blistering Op-Ed published by Bloomberg News. He said that he received resistance from staff at the agency in response modernization efforts such as ending the use of fax machines and physical mail, and criticized the knowledge and open-mindedness of staff.
The latest report comes amid a wider debate about how private sector entities are held to account for poor cybersecurity practices. In an Op-Ed published in Foreign Affairs on Wednesday, Cybersecurity and Infrastructure Security Agency Chief Jen Easterly called on the commercial sector to work to ensure that strong cybersecurity is the cornerstone of every product, and to elevate cybersecurity to a board-level concern.