FDIC dinged again for inadequate infosec


The Federal Deposit Insurance Corporation needs to improve its information security controls, and do more to separate its financial systems from the rest of its network, according to a recent Government Accountability Office report.

FDIC "relies extensively" on computerized systems to store sensitive financial information and to carry out its mission to enforce banking laws, regulate banking institutions and protect customers, auditors wrote.

And while FDIC has made some progress in shoring up its systems, auditors noted that resolving these remaining information security weaknesses is essential for FDIC to carry out its mission to enforce banking laws, regulate banking institutions and protect customers.

The remaining weaknesses represent "a significant deficiency in FDIC's internal control over financial reporting systems," and increase the risk of improper data access, the report states.

GAO reported that the "underlying reason for many of the information security weaknesses" was that six previous recommendations -- two regarding access controls, one regarding the information security program and three "other controls" -- remain unfulfilled.

Specifically, auditors found that FDIC did not consistently implement controls over authorization, that the agency's review process did not include all accounts on the mainframe and that one-fifth of accounts had privileges that had not received authorization from users' supervisors.

GAO noted that because FDIC lacked a complete list of its IT assets, the agency could not consistently apply management controls to track them. Further, GAO noted FDIC still falls short of having a FISMA-compliant information security program, and still has shortcomings in its incident response process -- particularly in the timely identifying and reporting of security incidents.

GAO also reported that FDIC lacked strong encryption on connections to its main network.

Sensitive data including user IDs and passwords, "continue to be transmitted over the network in clear text, exposing them to potential compromise," auditors wrote.

Additionally, FDIC did not scan all of its servers for vulnerabilities, nor did the agency review changes to critical files at a granular enough level to identify which accounts were making the changes.

This is not the first time security at FDIC has attracted the attention of oversight bodies. The agency topped the Office of Management and Budget's Federal Information Security Modernization Act report for fiscal year 2016, tallying 10 of 16 major information security incidents.

In this report, GAO recommended that FDIC update the procedure for granting users access and to detail the duties and steps to ensure that access is granted by the proper supervisors. In a separate report, GAO made six further recommendations to bolster internal controls over financial reporting data, systems and networks.

FDIC agreed with the recommendations, and stated that corrective actions will be completed by July 2017.

About the Author

Chase Gunter is a former FCW staff writer.


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.