Audit: FDIC Must Boost InfoSec Scrutiny
Report Calls for Less Reliance on Banks' Security Statements
The Federal Deposit Insurance Corp. needs to improve the way it determines that banks are taking adequate steps to defend against cyber-attacks, a report from the FDIC inspector general office says.
The report, the FDIC's Supervisory Approach to Cyberattack Risks, contends that when the FDIC sizes up banks' system security efforts, it relies too heavily on statements from the banks themselves, in part because the agency lacks staff, especially managers, with the IT and information security expertise needed to make security risk assessments. Among its recommendations, it calls for the FDIC to update and expand its IT examination procedures and to ensure that those who review IT examination reports receive sufficient training.
FDIC bank examiners have raised concerns about the value of financial institutions' statements about computer security, the IG says. "Examiners focus their efforts on management-identified weaknesses and may confirm selected safeguards described by management as adequate," the IG report says, adding that examiners question whether the bank statements provide "meaningful information."
The IG's call for the FDIC to boost its efforts to help banks improve data security received the backing from industry experts. "Most banks' security programs are only as mature as the regulators require them to be," says Jackson Schultz, a consultant at the IT advisory firm GraVoc Associates. "Until there is a major culture shift in financial services with regards to cybersecurity, the FDIC must continue to ensure that basic steps are taken to lock down a network and safeguard data."
Greg Garcia, executive director of the Financial Services Sector Coordinating Council, says the industry recognizes the need for regulatory guidance on effective standards of practice for cybersecurity risk management.
"It's a constantly moving target, and just as financial institutions need to regularly calibrate their controls to evolving threats, so do the regulatory agencies need to keep pace with new threats, new financial business process models and the necessary skill sets to evaluate the intersection of those two for security and resiliency purposes," he says.
The IG evaluation comes in the wake of last year's massive breach at JPMorgan Chase, which exposed information related to 76 million households and 7 million small businesses (see Chase Attackers Exploited Basic Flaws).
In its report, the IG says FDIC examination reports routinely include statements attesting to financial institutions' compliance with security guidelines and frequently identify concerns or recommended improvements to information security programs. But, the IG says, examiners often don't document their reviews or provide a clear statement of the adequacy of intrusion detection programs and incident response plans. "Because examiners have wide discretion in conducting and documenting IT examination work and are only required to document examination findings and recommendations," the IG says, "we could not always tell what procedures examiners performed to reach their conclusions."
Limited IT Training
Agency examiners are spending more time conducting risk assessments at banks, with the number of hours devoted to examining IT risk management increasing by 21 percent since 2006, according to the IG. And FDIC IT examination staff has increased by 36 percent since 2008. Still, the IG says, many of these examiners' supervisors, including assistant regional directors and case managers, have received limited IT examination training. IG auditors say they observed a few situations in which IT examination analysts examined complex financial institutions under supervisors who were not IT specialists, posing a potential security risk.
"These officials would benefit from a continuing, basic foundation in IT examination principles and concepts, as well as knowledge of emerging environmental IT issues, trends and risks within the banking industry," the IG report says.
Acknowledging the weaknesses detailed in the IG evaluation, the FDIC says it's working to strengthen its programs to help banks secure their IT, including providing examiners and managers more IT training, and set a December 2016 deadline to complete those improvements.
GraVoc's Schultz, however, says the problem with some security audits is a misdirected focus rather than an IT security knowledge gap. "Federal auditors can have a tendency to review business processes and policies not to ensure effectiveness, but rather just make sure they are in place," he says. "In some cases, they will review procedures that are not even in scope, thus providing recommendations that have nothing to do with security.
"The same thing goes for remediation techniques. When bankers ask the auditors what next steps can be taken to correct some of the findings noted, the auditors have a hard time providing them with answers. Expanding the technical experience of field examiners and other staff should continue to be a priority for the FDIC moving forward."
Garcia called on banking regulators, which are independent agencies, to provide more uniform examination procedures. "The process could be more efficient so we can focus more on securing our infrastructure and less on answering multiple questionnaires in different ways," he says. "And we would like to see how the agencies will or will not map their examination standards to the NIST cybersecurity framework, which many agree is a good foundation for tailored and scalable cyber security risk management."