The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General has issued a report on its Review of the FDIC’s Ransomware Readiness.
Ransomware can severely impact business processes and leave organizations without the data needed to operate or deliver mission-critical services. The organizations affected often experience reputational damage, significant remediation costs, and interruptions in their ability to deliver core services. We conducted a review to assess the adequacy of the FDIC’s process to respond to a ransomware incident.
The FDIC relies heavily on information systems to carry out its responsibilities of insuring deposits; examining and supervising financial institutions for safety, soundness, and consumer protection; making large and complex financial institutions resolvable; and managing receiverships. The FDIC needs effective controls for safeguarding its information systems and data to reduce the risk that a ransomware incident could disrupt critical operations and allow inappropriate access to, and disclosure, modification, or destruction of, FDIC information.
Overall, we determined that the FDIC had an adequate process to respond to a ransomware incident and generally followed applicable guidance and best practices within the control areas we assessed. However, the FDIC did not fully adhere to Federal standards, FDIC policies, and/or industry best practices related to: (1) protecting and restoring from backup data; (2) Continuity Implementation Plan maintenance; (3) Wireless Priority Service access; and (4) Disaster Recovery Awareness training.
We made eight recommendations for the FDIC: (1) evaluate and implement solutions to protect backup data; (2) evaluate and consider enhanced solutions to store backup data; (3) review and update policies and procedures to ensure timely control implementation of new Federal requirements; (4) test recovery of Active Directory from backups; (5) ensure the Continuity Implementation Plan is regularly updated in a timely manner to ensure it is current, complete, and accurate; (6) periodically review and update key personnel enrolled in Wireless Priority Service and perform quarterly testing as part of its Emergency Communications Program; and ensure that key individuals complete (7) initial and (8) subsequent annual Disaster Recovery Awareness training. The FDIC concurred with all of the recommendations and plans to complete corrective actions by February 28, 2025.