Audit chides FDIC for sloppy breach protocols

An Inspector General's audit found that the Federal Deposit Insurance Corporation's protocols for responding to data breaches were not being followed, even as the agency faced dozens of security incidents over the past two years.

The audit stemmed from a series of data breaches at the FDIC over nearly two years, from January 2015 to December 2016. In that period the agency confirmed or suspected that it was compromised 54 times. The Office of Inspector General selected 18 of those breaches to evaluate for the audit.

In the wake of those incidents, the FDIC took steps to better comply with the Federal Information Security Management Act by instituting a breach response plan that designates clear ownership within the agency for breach management and for notification procedures.

However, auditors found that the agency failed to implement key components of that plan for most of the incidents reviewed. For example, the plan required notifying individuals or businesses whose sensitive information was compromised within 10 business days of completing the analysis of an incident, yet FDIC officials waited an average of 288 days, more than nine months, after a breach was discovered before notifying the affected parties.

While the plan did specify who would be responsible for those procedures, the positions were either vacant for long periods or staffed by employees who had not been properly trained, causing long delays in the process. That potentially left the sensitive and personally identifiable information of hundreds of thousands of people and organizations exposed for longer, with the affected parties unaware of the risk. Auditors also found instances of sloppy or incomplete risk-analysis paperwork that may have led to inconsistencies in how the FDIC responded from one incident to the next.

The breach response plan established a data breach management team, composed of "a cross-divisional group of FDIC stakeholders responsible for addressing significant data breaches and security incidents," to be activated in the event of a breach. However, the group lacked a charter and its governance structure was poorly defined, leading to instances in which the team was not activated within the required timeframe.

The FDIC has a history of high-profile and embarrassing cybersecurity failures dating back to at least 2010, when officials suspect hackers associated with the Chinese military infiltrated the agency's network. However, many of the breaches can be traced back to former employees who took sensitive data with them when they left the job.

In May 2016, FDIC CIO Lawrence Gross was taken to task by lawmakers after the agency failed to classify five previously known breaches that each exposed more than 10,000 records as "major incidents," something that would have required them to notify Congress.

The inspector general's office recommended seven corrective actions, including better funding and resource allocation, more thorough documentation when justifying the assessed impact of an incident, a charter to guide the data breach management team, and metrics to assess employee and agency performance during a breach response.

The FDIC agreed with all of the recommendations and told auditors it expects to complete corrective actions by Sept. 30, 2018.