U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Response Letter to Congresswoman Suzanne Bonamici, (without Enclosure)

Report Information

Publish Date
Report sub-type
Congressional Correspondence
Report Number
No Report Number

Text Alternative

This is the accessible text file for Response Letter to Congresswoman Suzanne Bonamici, (without Enclosure), December 08, 2016

[FDIC OIG letterhead, FDIC logo, Federal Deposit Insurance Corporation, Office of Inspector General , 3501 Fairfax Drive, Arlington, Virginia 22226]

TRANSMITTED VIA ELECTRONIC MAIL

December 8, 2016

Honorable Suzanne Bonamici, U.S. House of Representatives

Washington, D.C. 20515

Dear Congresswoman Bonamici:

Thank you for your questions during the Committee on Science, Space, and Technology’s July 14, 2016 hearing, entitled Evaluating FDIC’s Response to Major Data Breaches: Is the FDIC Safeguarding Consumers’ Banking Information? During the hearing, you asked a series of questions about the Federal Deposit Insurance Corporation’s (FDIC) development of an insider threat program. Specifically, you asked that I follow up with the Committee on why the development of the insider threat program stalled.

FDIC Office of Inspector General audit staff researched this matter and concluded that the principal factor that caused the insider threat program to stall in the fall of 2015 was Division of Administration (DOA) management’s perception that the FDIC Chairman and other senior executives had significant reservations regarding the implications of implementing such a program at a civilian regulatory agency such as the FDIC. This perception stemmed from the negative tenor in which concerns were expressed by senior FDIC management regarding the manner in which DOA was pursuing insider threats in the spring of 2015. Notably, none of the officials my staff interviewed indicated that DOA was directed to halt the insider threat program. Rather, the officials generally indicated that DOA was directed to take a careful and deliberative approach. Following the departure of the FDIC’s Counterintelligence Officer in October 2015, progress on vetting the program’s policies and governance structure was slow, reflecting what we view as the level of priority being placed on those activities compared to certain other DOA initiatives.

Following the issuance of our preliminary results on the audit of The FDIC’s Controls for Mitigating the Risk of an Unauthorized Release of Sensitive Resolution Plans in May 2016, senior FDIC management made it clear that a high priority needed to be placed on establishing a formal insider threat and counterintelligence program. The FDIC formally established such a program on September 20, 2016.

The enclosure details the work performed by my staff and includes an in-depth explanation of their conclusion regarding why the insider threat program stalled. If you have questions regarding this information, please feel free to contact me at 703-562-6339 or fgibson@fdic.gov, or Amanda King of my staff at 703-562-2625 or amaking@fdic.gov.

Sincerely,

Fred W. Gibson, Jr. /signed/, Acting Inspector General

cc: Committee on Science, Space, and Technology of the U.S. House of Representatives

Enclosure