IG: FDIC ill-equipped to identify major cyber incidents

A pair of inspector general reports paints a gloomy picture of IT security at the Federal Deposit Insurance Corp.

The Federal Deposit Insurance Corp.'s breach reporting guidelines are inadequate for identifying "major" cyber incidents, according to a new inspector general report. The finding comes amid a congressional probe of several FDIC breaches that the agency has retroactively deemed major incidents.

The IG report also found that FDIC, an agency charged with maintaining public confidence in financial institutions, devotes limited resources to sifting through potential security breaches discovered by a network monitoring tool. That resource shortage, and a flood of detected threats, have "hindered meaningful analysis of the information and the FDIC's ability to identify all security incidents, including major incidents," the report states.

In May, FDIC reclassified five data breaches that had occurred since Oct. 30, 2015, as major incidents. Those breaches happened when ex-FDIC employees inadvertently downloaded agency data. A "major" incident is one that meets a number of Office of Management and Budget criteria, including that at least 10,000 records or users were affected by the breach.

In responding to a draft of the report, FDIC CIO Lawrence Gross said the agency had updated internal procedures to refer employees and contractors to the OMB definition of a major incident.

"We believe this will be effective in ensuring proper assessment of any future incidents," Gross wrote.

A second IG report released last week examined the parallel concern of intentional data theft. The audit came in response to a breach in September 2015, when a departing FDIC employee took sensitive "resolution plans" that banks are required to produce to show they can withstand financial distress.

The audit found that a key security control designed to prevent the breach failed, and an insider threat program would have better positioned FDIC to "detect and mitigate the risks posed by the employee."

FDIC officials had taken steps to develop a formal insider threat program, but those efforts stalled in the fall of 2015, according to the IG. After the breach of resolution plans, officials drew up additional controls for guarding those plans. However, the IG said it could not test the effectiveness of those controls because the agency had yet to develop written policies governing them.

The IG audits follow a June report from the Government Accountability Office that found that FDIC's IT security controls are insufficient to the point of placing "the confidentiality, integrity, and availability of financial systems and information at risk."

Taken together, the three reports paint a gloomy picture of IT security at FDIC at a time when hackers have steadily targeted the widely used bank transfer system supplied by the Society for Worldwide Interbank Financial Telecommunication.