FDIC Receives an Exam:

Agency is not probing hard enough on I.T. exams

It may surprise some bankers to learn that the FDIC has an independent office of Inspector General (OIG) that conducts audits, investigations, and other reviews of the FDIC’s programs and operations. The OIG recently prepared a report assessing the FDIC’s efforts to ensure that over 4,000 institutions it supervises, as well as those banks’ major vendors, are prepared for cyberattacks, and to determine whether the agency has sufficient examination resources dedicated to this goal.

The OIG made nine recommendations to the agency, and FDIC management agreed with the findings. FDIC is now in the process of updating its examination programs for banks and is making other substantive changes.

The Wall Street Journal reported, “If JP Morgan can get hacked [with a very large I.T. staff], that puts community banks in a difficult position.” Few of the nation’s banks have the resources to build a 1,000-person cybersecurity center across the street from NSA’s headquarters like JP Morgan did. Instead, most community banks can and do rely heavily on outside vendors to help protect them. Unfortunately, not all of these vendors have appropriate security controls in place, nor are they all currently regulated by bank regulatory agencies.

The OIG recognized this as an issue. As a result, not only banks but also their vendors can expect greater oversight in the future. Banks should take steps now to determine how their vendors will hold up to new regulatory scrutiny by asking such questions as (1) whether existing vendors outsource any of their activities to subcontractors, (2) whether vendors are obtaining independent SSAE 16 audits of their security controls, and (3)whether bank regulators are currently performing examinations of those vendors.

The OIG left open the possibility that it might do a more in-depth follow-up evaluation, including considering how an institution’s I.T. examination results could become a larger component of safety and soundness ratings.

Technology is constantly changing and new I.T. risks are rapidly evolving, but there seems to be one constant theme from regulators—your next I.T. exam will be tougher. BankOnIT has the internal controls, processes and people in place to help community banks every day in reducing I.T. and regulatory risks, leaving you more time to be a banker.