
IG: FDIC ill-equipped to identify major cyber incidents


The Federal Deposit Insurance Corp.'s breach reporting guidelines are inadequate for identifying "major" cyber incidents, according to a new inspector general report. The finding comes amid a congressional probe of several FDIC breaches that the agency has retroactively deemed major incidents.

The IG report also found that FDIC, an agency charged with maintaining public confidence in financial institutions, devotes limited resources to sifting through potential security breaches discovered by a network monitoring tool. That resource shortage, and a flood of detected threats, have "hindered meaningful analysis of the information and the FDIC's ability to identify all security incidents, including major incidents," the report states.

In May, FDIC reclassified five data breaches that had occurred since Oct. 30, 2015, as major incidents. Those breaches happened when ex-FDIC employees inadvertently downloaded agency data. A "major" incident is one that meets a number of Office of Management and Budget criteria, including that at least 10,000 records or users were affected by the breach.

In responding to a draft of the report, FDIC CIO Lawrence Gross said the agency had updated internal procedures to refer employees and contractors to the OMB definition of a major incident.

"We believe this will be effective in ensuring proper assessment of any future incidents," Gross wrote.

A second IG report released last week examined the parallel concern of intentional data theft. The audit came in response to a breach in September 2015, when a departing FDIC employee took sensitive "resolution plans" that banks are required to produce to show they can withstand financial distress.

The audit found that a key security control designed to prevent the breach failed, and an insider threat program would have better positioned FDIC to "detect and mitigate the risks posed by the employee."

FDIC officials had taken steps to develop a formal insider threat program, but those efforts stalled in the fall of 2015, according to the IG. After the breach of resolution plans, officials drew up additional controls for guarding those plans. However, the IG said it could not test the effectiveness of those controls because the agency had yet to develop written policies governing them.

The IG audits follow a June report from the Government Accountability Office that found that FDIC's IT security controls are insufficient to the point of placing "the confidentiality, integrity, and availability of financial systems and information at risk."

Taken together, the three reports paint a gloomy picture of IT security at FDIC at a time when hackers have steadily targeted the widely used bank transfer system supplied by the Society for Worldwide Interbank Financial Telecommunication (SWIFT).

About the Author

Sean Lyngaas is a former FCW staff writer.
