Examining the Examiner: What the OIG Has to Say About the FDIC

Your regulator may seem like an all-powerful force, but everyone answers to somebody. In the case of the FDIC it’s the Office of the Inspector General (OIG).

The OIG is responsible for regularly assessing the FDIC’s performance, noting where it’s strong and where improvements are needed. The results of its most recent Assessment of the Management and Performance Challenges Facing the FDIC are included in the FDIC’s 2017 annual report.

While the FDIC had an overall strong report card, there were a few areas that needed additional work, according to the OIG. They include:

Protecting Sensitive Data

A September 2017 OIG report found the FDIC’s processes to notify and provide services to individuals in the event of a data breach needed to improve. It took more than nine months after a breach was discovered to notify those affected. The OIG said the agency needed more resources to keep up with an increase in breach investigations and staff needed more training.

Security Control Weaknesses

An October 2017 report found “security control weaknesses that limited the effectiveness of the FDIC’s information security program and practices and placed the confidentiality, integrity, and availability of the FDIC’s information systems and data at risk.”

Examples, as quoted from the report, include:

• Contingency Planning. The FDIC’s IT restoration capabilities were limited, and the agency had not taken timely action to address known limitations with respect to its ability to maintain or restore critical IT systems and applications during a disaster.
• Information Security Risk Management. The FDIC established the Information Security Risk Advisory Council (“the Council”) in 2015.  However, the Council did not fulfill several of its key responsibilities as defined in FDIC policy.
• Enterprise Security Architecture. The FDIC had not established an enterprise security architecture that (i) describes the FDIC’s current and desired state of security and (ii) defines a plan for transitioning between the two.  The lack of an enterprise security architecture increased the risk that the FDIC’s information systems would be developed with inconsistent security controls that are costly to maintain.
• Technology Obsolescence. The FDIC was using certain software in its server operating environment that was at the end of its useful life and for which the vendor was not providing support to the FDIC.
• Information Security Strategic Plan. The FDIC had drafted, but not yet finalized, an information security strategic plan.
• Patch Management. We noted instances in which patches addressing high-risk vulnerabilities were not installed on servers, desktop computers, and laptop computers within the timeframes established by FDIC policy.
• Credentialed Scanning. We found instances in which network IT devices were not subject to a “credentialed” scan—a thorough type of scan that involves logging into the IT device to inspect for vulnerabilities.
• Security Information and Event Management (“SIEM”) Tool. The FDIC had not developed a process to ensure that all servers on the FDIC’s network routed log data to the FDIC’s SIEM tool.

Other issues include not consistently following some policies and procedures and a “significant deficiency” in internal controls that could have allowed systems engineers access to a privileged account that made it hard to tell apart authorized and unauthorized activity.

Third-Party Contractors

The FDIC didn’t always review contractors’ network activity to prevent data loss when they left the agency. The agency also couldn’t find the clearance records for almost half of contractors and didn’t maintain the up-to-date personal information necessary to provide and revoke cards for accessing FDIC facilities and networks, the OIG said.

Turnover in Cybersecurity Staff

Frequent turnover, including seven chief information officers (CIOs) over seven years, meant resources were wasted on at least one initiative, a plan to move data to the cloud, that was later abandoned.

Privacy

The OIG would like to see the CIO function separated from the chief privacy officer role, an Office of Budget Management best practice.

Third-Party Vendors

A March 2017 OIG report found shortcoming in contractor oversight that contributed to delays and cost overruns in a 10-year project to transition management of failed financial institution data to a new vendor. These occurred because the FDIC didn’t clearly define contract requirements because it didn’t fully understand or communicate them, had difficulty coordinating agency staff and contractors, and didn’t establish clear expectations and implementation milestones in the contract.

This report is a reminder that risk management is a complicated task no matter who you are. Even when you are doing many things correctly, it’s easy for a few oversights to sneak in.
The FDIC is actively working to improve in these areas, as should anyone who has uncovered weaknesses. Meanwhile, the OIG will continue to watch over the agency. In the future, the OIG says it’s planning to evaluate examiner staffing, including IT examination resources, at the agency.