When it comes to judging a bank's information security program, examiners rely excessively on bank testimonials because of understaffing and the IT expertise required to make risk assessments.

That's according to a new report, “The FDIC's Supervisory Approach to Cyberattack Risks,” conducted by the FDIC Office of Inspector General, an independent unit that conducts audits, investigations and other reviews of FDIC programs and operations.

In the study, the OIG reported that most financial institutions rely heavily on information technology systems, external technology service providers (TSPs), and Internet-connected applications to provide or enable key banking functions.

The report also asserted that FDIC and FFIEC IT examination work programs focus on security controls at a broad program level, which, if they operate effectively, help institutions protect against and respond to cyberattacks. However, the work programs do not explicitly address cyberattack risk, could be updated and strengthened, and could better specify desired characteristics for key program-level controls, according to the report.

The OIG framed its recommendations to complement the Division of Risk Management Supervision's efforts to assess financial institutions and TSPs' information security programs and compliance with the Interagency Guidelines – efforts associated with updating examination and institution guidance, addressing resource and training challenges, and enhancing information collection and sharing initiatives.

The office concluded that the FDIC could be more assured that financial institutions and TSPs are adequately prepared by taking the following actions:

  • Update and expand IT examination procedures
  • Provide consistency and transparency to the IT examination scope and procedures performed
  • Ensure that examiners consistently conclude on financial institution/TSP program-level controls and consider the scope of vendors' third-party reviews
  • Make efforts to estimate examiner resource and competency needs, and ensure those involved in reviewing IT examination reports receive sufficient and current training
  • Continue to enhance information-sharing associated with cyber risks

The OIG also found that examiners frequently assessed the adequacy of risk assessment and audit programs, but were far less likely to have documented their review and/or provided a clear statement of adequacy on intrusion detection programs and incident response plans.

“With respect to vendor management, although financial institutions and IT risk management programs rely on periodic third-party reviews and audits of vendors' IT controls and risk management practices, we observed that vendors frequently obtained third-party reviews that provided lower levels of assurance,” the report stated.

The study also observed the average hours spent conducting individual IT-RMP examinations increased by about 21% since 2006. In 2013, the FDIC conducted 2,323 IT examinations at financial institutions and TSPs. In 2013, RMS spent an average of eight to 10 days to perform an IT examination at financial institutions with adequate or better IT security programs, and 15 to 20 days for FIs exhibiting some degree of supervisory concern. The total number of IT examination staff increased by about 36% since 2008. However, much of the increase occurred in non-commissioned IT examination analyst positions, many of whom are term employees who will be leaving the FDIC soon.

© 2024 ALM Global, LLC, All Rights Reserved.

Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for the Association for Financial Technology since 1997 and history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).