An audit found notable weaknesses within the FDIC’s information security processes.
The Federal Deposit Insurance Corporation’s information technology and security systems are relatively strong, but some weaknesses could lead to sensitive financial information being compromised.
These findings come from the latest audit ordered by the FDIC’s Office of the Inspector General, as required by the Federal Information Security Modernization Act of 2014 to ensure government agencies’ IT and security infrastructure are sufficient.
Some of the critical data stored on FDIC networks include Social Security and bank account numbers, bank examination information, and credit card numbers. Without proper cybersecurity infrastructure, these data could be vulnerable to hacks or ransomware attacks.
The IG used metrics to evaluate the FDIC’s IT systems and examined the agency’s ability to identify, protect, detect, respond to and recover from threats to the sensitive data contained within its networks.
Using a numerical scale to calculate a final score assessing the strength of a government agency’s IT infrastructure, the FISMA audit gave the FDIC a Maturity Level 4 out of a possible 5 levels. The high score was largely due to the FDIC’s strong security controls, updated privacy requirements, enhanced procedures for employee and contractor investigations, and improved oversight authorities.
The audit noted that despite the high score, cybersecurity risks are still possible.
“Achieving Level 4 does not mean that the FDIC is without risks to cyberattack,” the report reads. Weaknesses within the FDIC’s internal systems included its supply chain risk management program and the security measures applied to administrative accounts. Vulnerabilities in both of these areas increase the likelihood of exploitation by hackers.
Ultimately, the audit resulted in six recommendations for the FDIC to consider implementing. They include implementing privacy controls and processes for all systems in accordance with government guidelines, and broadly strengthening the agency’s information security programs, particularly within supply chain risk management operations.
In a response, leadership at the FDIC agreed with the report’s findings, noting that it was “pleased” to score a Maturity Level 4.
“The FDIC concurs with these recommendations and is committed to addressing them as part of its continuing efforts to improve its information security posture,” a letter issued by the FDIC’s Chief Privacy Officer and Chief Information Officer Sylvia Burns and Chief Information Security Officer Zachary Brown read.