The Federal Deposit Insurance Corp (FDIC) needs to find better ways to effectively assess cybersecurity concerns at the financial institutions that it regulates, according to a recent report from the agency’s Office of Inspector General (OIG).
The Jan. 31 OIG report details how the agency’s InTREx program is not meeting FDIC’s needs to undertake cybersecurity assessments. The InTREx program, according to FDIC, is an “enhanced, risk-based approach for conducting IT examinations” that “helps to ensure that financial institution management promptly identifies and effectively addresses IT and cybersecurity risks.”
“We found that the FDIC needs to improve its InTREx program to effectively assess and address IT and cyber risks at financial institutions,” the OIG said. “Specifically, we found…weaknesses in the program that limit the ability of examiners to assess and address IT and cyber risks at financial institutions,” it said.
The report outlines how the program has become “outdated and does not reflect current Federal guidance and frameworks for three of four InTREx Core Modules.” It also finds that the FDIC did not communicate or provide guidance to its examiners after updates were made to the program.
The OIG outlined 19 recommendations for the agency to improve the program. Those include:
- Review the InTREx RD Memorandum to identify any updates needed, consistent with InTREx design and purpose;
- Issue revised or updated guidance, as necessary, and communicate these changes to examination staff prior to the changes taking effect;
- Update examiner instructions that address workpaper review roles and responsibilities, and implement any needed changes relative to the finding;
- Continue to provide IT examination training as part of FDIC’s all-staff training, as appropriate; and
- Specify timeframes for uploading IT examination workpapers.
The FDIC expects most of the recommendations to be addressed by the end of the year.