FDIC bank examinations generally cover the information technology (“IT”) systems of banks, with particular attention to information security. The federal banking agencies issued the Interagency Guidelines Establishing Information Security Standards (Interagency Guidelines) in 2001. In 2005, the FDIC developed the Information Technology—Risk Management Program (IT-RMP), based largely on the Interagency Guidelines, as a risk-based approach for conducting IT examinations at FDIC-supervised banks. The FDIC also uses work programs developed by the Federal Financial Institutions Examination Council (FFIEC) to conduct IT examinations of third party service providers (“TSPs”).
The FDIC Office of the Inspector General (OIG) recently issued a report evaluating the FDIC’s approach to assessing banks’ risk of cyberattack. The FDIC’s supervisory approach to cyberattack risk involves conducting IT examinations at FDIC-supervised banks and their TSPs; staffing IT examinations with sufficient, technically qualified staff; sharing information about incidents and cyber risks with regulators and authorities; and providing guidance to institutions. The OIG report determined that the FDIC’s examination work focuses on security controls at a broad program level that, if operating effectively, help institutions protect against and respond to cyberattacks. These program-level controls include risk assessment, information security, audit, business continuity, and vendor management. The OIG noted, however, that the work programs do not explicitly address cyberattack risk.
The examination process relies to some extent on bank management attestations regarding the extent to which IT risks are being managed and controlled. Examiners focus their efforts on management-identified weaknesses and may confirm selected safeguards described by management as adequate. The OIG report suggests that the examiners in the field have concerns about whether such reliance is justified. Further, a review of work papers indicated that examiners were not consistent in their review of the bank’s compliance with the Interagency Guidelines and did not regularly provide a clear statement of adequacy on intrusion detection programs and incident response plans.
What bankers should expect. During the recession, credit quality was the main focal point of FDIC examinations. Examiners did not ignore compliance, but it clearly took a back seat to the primary concern of whether a bank was viable. Compliance exams have become more intense over the last two years as fears of a financial meltdown have passed. With hacking of large retailers and banks making the news each week, you can expect that everyone from examiners up to Assistant Regional Directors will be receiving much more training in IT and cybersecurity. Examiners may give less weight to management attestations concerning cyberattack preparedness. Bank management should expect more focused questions about how the bank protects data from external risks, how it detects possible data breaches, and how it responds to and recovers from an actual breach.
The FFIEC recently announced that it will assist banks by issuing a self-assessment tool to help institutions evaluate their inherent cybersecurity risk and their risk management capabilities. At the same time, it will update and supplement its Information Technology Examination Handbook to reflect rapidly evolving cyber threats and vulnerabilities, with a focus on risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and incident management and resilience.
Keep in mind that 20% of the Consent Orders issued by the FDIC so far this year have been triggered by IT deficiencies. Over 50% of the Consent Orders so far this year have been triggered by a combination of IT, BSA and consumer compliance issues, as opposed to credit quality.
Bank directors should be asking senior management about the incident response portion of the bank’s Business Continuity Planning/Disaster Recovery Plan and how breaches are communicated to bank customers, regulators and law enforcement. They should also ask whether the bank has cyberattack insurance, understand exactly what it does or does not cover, and understand how it might be affected by the bank’s by-laws. Not all cyber insurance is the same.