IG: FDIC ill-equipped to identify major cyber incidents

Shutterstock image: open lock. 

The Federal Deposit Insurance Corp.'s breach reporting guidelines are inadequate for identifying "major" cyber incidents, according to a new inspector general report. The finding comes amid a congressional probe of several FDIC breaches that the agency has retroactively deemed major incidents.

The IG report also found that FDIC, an agency charged with maintaining public confidence in financial institutions, devotes limited resources to sifting through potential security breaches discovered by a network monitoring tool. That resource shortage, and a flood of detected threats, have "hindered meaningful analysis of the information and the FDIC's ability to identify all security incidents, including major incidents," the report states.

In May, FDIC reclassified five data breaches that had occurred since Oct. 30, 2015, as major incidents. Those breaches happened when ex-FDIC employees inadvertently downloaded agency data. A "major" incident is one that meets a number of Office of Management and Budget criteria, including that at least 10,000 records or users were affected by the breach.

In responding to a draft of the report, FDIC CIO Lawrence Gross said the agency had updated internal procedures to refer employees and contractors to the OMB definition of a major incident.

"We believe this will be effective in ensuring proper assessment of any future incidents," Gross wrote.

A second IG report released last week examined the parallel concern of intentional data theft. The audit came in response to a breach in September 2015, when a departing FDIC employee took sensitive "resolution plans" that banks are required to produce to show they can withstand financial distress.

The audit found that a key security control designed to prevent the breach failed, and an insider threat program would have better positioned FDIC to "detect and mitigate the risks posed by the employee."

FDIC officials had taken steps to develop a formal insider threat program, but those efforts stalled in the fall of 2015, according to the IG. After the breach of resolution plans, officials drew up additional controls for guarding those plans. However, the IG said it could not test the effectiveness of those controls because the agency had yet to develop written policies governing them.

The IG audits follow a June report from the Government Accountability Office that found that FDIC's IT security controls are insufficient to the point of placing "the confidentiality, integrity, and availability of financial systems and information at risk."

Taken together, the three reports paint a gloomy picture of IT security at FDIC at a time when hackers have steadily targeted the widely used bank transfer system supplied by the Society for Worldwide Interbank Financial Telecommunication.

About the Author

Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.

Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.

Click here for previous articles by Lyngaas, or connect with him on Twitter: @snlyngaas.


Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.