FDIC bank examinations generally include a focus on the information technology (“IT”) systems of banks, with particular attention to information security. The federal banking agencies issued the implementing Interagency Guidelines Establishing Information Security Standards (Interagency Guidelines) in 2001. In 2005, the FDIC developed the Information Technology—Risk Management Program (IT-RMP), based largely on the Interagency Guidelines, as a risk-based approach for conducting IT examinations at FDIC-supervised banks. The FDIC also uses work programs developed by the Federal Financial Institutions Examination Council (FFIEC) to conduct IT examinations of third-party service providers (“TSPs”).

The examination process relies to some extent on bank management’s attestations about how well IT risks are being managed and controlled. Examiners focus their efforts on management-identified weaknesses and may confirm selected safeguards that management describes as adequate. Nonetheless, reports by the FDIC’s Office of Inspector General indicate that examiners are not always consistent in reviewing a bank’s compliance with the Interagency Guidelines and do not regularly provide a clear statement on the adequacy of the bank’s intrusion detection program and incident response plan.

[Table not reproduced.]

What bank directors should be thinking about when preparing for an examination:

[Table not reproduced.]