The Office of Inspector General of the Federal Deposit Insurance Corporation has issued its report on Implementation of the FDIC’s Information Technology Risk Examination Program – otherwise known as InTREx.
Cyber risks present some of the greatest systemic threats facing the financial services sector – both domestically in the United States, and globally. The FDIC – along with the Federal Reserve Board and Comptroller of the Currency – have all recognized that cybersecurity is a critical challenge facing the banking industry. These threats include ransomware attacks, denial of service, data breaches, phishing, and supply chain vulnerabilities. And they are increasing in both sophistication and frequency. Banks also may suffer cybersecurity incidents through their interconnections with third-party providers -- that deliver administrative or management services to financial institutions, such as accounting, human resources, and transaction processing.
The FDIC supervises banks to ensure that their operations function in a safe and sound manner, and comply with all laws and regulations. The FDIC examines institutions to assess their financial condition, management practices – as well as the banks’ capabilities to identify and address IT and cyber risks, and to maintain appropriate internal controls.
In June 2016, the FDIC implemented the InTREX program. We conducted an audit to determine whether the InTREx program effectively assesses and addresses IT and cyber risks at financial institutions.
We found that the FDIC needs to improve its InTREx program to effectively assess and address IT and cyber risks at financial institutions. Specifically, we found the following weaknesses in the program that limit the ability of examiners to assess and address IT and cyber risks at financial institutions:
- The InTREx program is outdated and does not reflect current Federal guidance and frameworks for three of four InTREx Core Modules;
- The FDIC did not communicate or provide guidance to its examiners after updates were made to the program;
- FDIC examiners did not complete InTREx examination procedures and decision factors required to support examination findings and examination ratings;
- The FDIC has not employed a supervisory process to review IT workpapers prior to the completion of the examination, in order to ensure that findings are sufficiently supported and accurate;
- The FDIC does not offer training to reinforce InTREx program procedures to promote consistent completion of IT examination procedures and decision factors;
- The FDIC’s examination policy and InTREx procedures were unclear, which led examiners to file IT examinations workpapers in an inconsistent and untimely manner;
- The FDIC does not provide guidance to examination staff on reviewing threat information to remain apprised of emerging IT threats and those specific to financial institutions;
- The FDIC is not fully utilizing available data and analytic tools to improve the InTREx program and identify emerging IT risks; andThe FDIC has not established goals and performance metrics to measure its progress in implementing the InTREx program.
The weaknesses detailed above collectively demonstrate the need for the FDIC to take actions to ensure that its examiners effectively assess and address IT and cyber risks during IT examinations. We made 19 recommendations to address these weaknesses.