FDIC bank examinations generally include a focus on the IT systems of banks with a particular focus on information security. The federal banking agencies issued Interagency Guidelines Establishing Information Security Standards (“Interagency Guidelines”) in 2001. In 2005, the FDIC developed the Information Technology—Risk Management Program (IT-RMP), based largely on the Interagency Guidelines, as a risk-based approach for conducting IT examinations at FDIC-supervised banks. The FDIC also uses work programs developed by the Federal Financial Institutions Examination Council (“FFIEC”) to conduct IT examinations of service providers.
The examination process relies on bank management attestations regarding the extent to which IT risks are being managed and controlled. Examiners focus their efforts on management-identified weaknesses and may confirm selected safeguards described by management as adequate. Nonetheless, reports by the Office of the Inspector General within the FDIC indicate that examiners may not be consistent in their review of bank compliance with the Interagency Guidelines and do not regularly provide a clear statement of adequacy on intrusion detection programs and incident response plans. The following provides a snapshot of information concerning IT examinations:
- Number of IT examinations at financial institutions and technology service providers conducted by FDIC in a year.[1]
- Time spent by FDIC to perform an IT examination at a financial institution found to have adequate security:[2] 15-20 days
- Time spent by FDIC to perform an IT examination at a financial institution found to have some degree of supervisory concern.[3]
- Percentage of Consent Orders issued in 2015 specifically citing deficiencies in IT as a basis for the Order. Over 50% involve either IT deficiencies or BSA and Compliance issues.
What bank directors should be thinking about when preparing for an examination:
- Is the Board comfortable that the Bank has management qualified to oversee all aspects of the Bank’s IT operations, including compliance with all applicable data security laws and regulations?
- Is there a designated Vendor Management Coordinator in the Bank with an appropriate level of due diligence and vendor risk modeling experience for the type and quality of the Bank’s IT services?
- Do the directors understand what IT services are being outsourced and whether the Bank’s Vendor Management Program meets the requirements and guidance of the FFIEC IT Examination Handbook, Outsourcing Technology Services?
- Does the Bank’s Business Continuity Planning/Disaster Recovery Plan (“BCP/DR” Plan) adequately address the sudden loss of IT services?
- When did senior management last review the organization’s incident response portion of the BCP/DR Plan?
- Has the incident response plan been strategically tested (e.g., a breach tabletop simulation)?
- Has the incident response plan been operationally tested (e.g., a breach simulation)?
- Does the organization have a plan for how it would communicate a breach to bank customers, regulators and law enforcement?
- Has the organization retained cyber insurance coverage? Does management understand what is, and what is not, covered under the policy?
- Does the organization have external resources already identified, and under contract, to provide assistance in the event of a security incident?