The Office of Inspector General (OIG) of the Federal Deposit Insurance Corporation (FDIC) issued its report on the FDIC’s Sharing of Threat Information to Guide the Supervision of Financial Institutions.
Banks face a wide range of threats to their operations, including cyber attacks, money laundering, terrorist financing, pandemics, and natural disasters. The consequences of these threats may significantly affect the safety and soundness of numerous financial institutions -- as well as the stability of the Nation’s financial system.
Therefore, it is important that the FDIC develop policies, processes, and procedures to ensure that vital threat information is shared with its personnel – such as FDIC policy-makers, bank examiners, supervisory personnel, and Regional Office staff – so that the data may be used in an actionable and timely manner. Our Office conducted a review to determine whether the FDIC had established effective and efficient processes to share threat information with its personnel. We identified several weaknesses in the FDIC’s sharing of threat information.
The FDIC did not establish effective governance processes to acquire, analyze, disseminate, and use relevant and actionable threat information to guide the supervision of financial institutions. Specifically, the FDIC:
- Did not establish a written governance structure to guide its threat information sharing activities;
- Did not complete, approve, and implement a governance Charter to establish a common understanding of the role for the FDIC’s Intelligence Support Program, or to define an overall strategy and its requirements;
- Did not develop goals, objectives, or measures to guide the performance of its Intelligence Support Program;
- Did not establish adequate policies and procedures that defined roles and responsibilities for key stakeholders involved in the threat information sharing program and activities; and
- Did not fully consider threat information sharing in its Enterprise Risk Inventory and Risk Profile.
Further, we identified additional gaps in the FDIC’s processes for acquiring, analyzing, and disseminating threat information, and in how the use of threat information can be improved. For example, the FDIC:
- Did not develop written procedures for determining its threat information requirements;
- Did not engage all relevant stakeholders when it developed its threat information needs;
- Did not establish procedures to guide its analysis of threat information; instead, the FDIC relied solely on the discretionary judgment of certain individuals to determine the extent to which threat information should be analyzed to support business and supervisory needs;
- Did not develop procedures for disseminating threat information;
- Had not established an infrastructure that would allow classified information to be securely handled and conveyed to certain senior FDIC officials; and
- Did not establish a procedure to obtain feedback from recipients of threat information to assess its utility and effectiveness.
We also found numerous gaps in the FDIC’s management of threat information sharing, including: not having backup personnel for its Senior Intelligence Officer (SIO) or plans for an absence or departure; not establishing minimum training requirements for the SIO position; not obtaining the required security clearances for certain senior FDIC officials; and not properly categorizing unclassified threat information.
We made 25 recommendations to the FDIC to address the findings in our report.
We also note that during the course of our review, in April 2020, the OIG issued a memorandum notifying the FDIC that there was no requirement for banks to promptly report destructive cyber incidents that could threaten the safety and soundness of insured financial institutions. As a result, in November 2021, the FDIC, along with other Federal financial regulators, promulgated a rule requiring banks to report such computer-security incidents.