FDIC Still Isn’t Protecting Its Sensitive Information, Audit Finds


The agency isn’t patching vulnerabilities quickly enough or fixing longstanding information security weaknesses.

The agency responsible for insuring U.S. bank accounts still isn’t meeting federal information security requirements, according to the unclassified summary of an inspector general’s report released Wednesday.

The Federal Deposit Insurance Corporation, or FDIC, failed to patch software vulnerabilities within its own timeframe and failed to fix known and longstanding weaknesses in its cybersecurity policies and procedures, the inspectors found.

Those weaknesses “limited the effectiveness of the FDIC’s information security program and practices and placed the confidentiality, integrity, and availability of the FDIC’s information systems and data at risk,” according to the report.

The inspectors gave FDIC an information security score of 3 points on a 5-point government scale. That means security controls are “consistently implemented” but not truly effective. Some portions of FDIC’s information security program earned only 1 or 2 points.

Most weaknesses uncovered in the inspector general’s audit are classified because an adversary might use them to compromise FDIC systems.

The unclassified summary describes instances in which contractors who were supposed to test that FDIC security controls worked effectively in the field instead merely relied on descriptions of those controls and FDIC managers’ assurances that they were in place.

The report also dinged FDIC for not effectively determining which of its digital systems and data are highest value and highest risk. Without that determination, “FDIC cannot be sure that it is effectively prioritizing resources toward addressing risks with the most significant potential impact on achieving strategic objectives,” the report found.

A separate inspector general report and congressional letter in April found FDIC misled congressional overseers about eight separate information security lapses during 2015 and 2016.

Those lapses all resulted from FDIC employees who left the organization and took sensitive information with them about citizens or financial institutions. In total, the lapses affected more than 10,000 individuals or records, the report states.

A 2017 Government Accountability Office report found FDIC wasn’t sufficiently vetting that employees were who they said they were before allowing them to access sensitive files. The agency also wasn’t effectively encrypting user connections to certain sensitive systems, the auditor found.