Sunday, 12 March 2017

A guide to FDIC and Cybersecurity Examinations – What should you focus on?

By Stanley Epstein

FDIC – what it does and how it operates

The United States “Federal Deposit Insurance Corporation” (FDIC) plays a very important role in the preservation and promotion of public confidence in the U.S. financial system by insuring deposits in banks and thrift institutions; by identifying, monitoring and addressing risks to the deposit insurance funds; and by limiting the effect on the U.S. economy and the financial system when a bank or thrift fails.

The FDIC was created in 1933, as an independent agency of the federal government. This was a response to the thousands of bank failures that occurred during the 1920s and early 1930s.

The FDIC receives no government funds - it is backed by premiums that banks and thrifts pay for deposit insurance coverage and from earnings on investments in U.S. Treasury securities. About $9 trillion of deposits in U.S. banks and thrifts are insured by FDIC.

The FDIC also directly examines and supervises more than 4,500 banks and savings banks for operational safety and soundness, more than half of the institutions in the U.S. banking system.

Why doesn’t the FDIC cover all U.S. banks? Well, this is dependent on whether banks have been chartered by states or by the federal government. Banks chartered by states also have the choice of whether to join the Federal Reserve System. The FDIC is the main federal regulator of banks that are chartered by the states that do not join the Federal Reserve System. The FDIC is also the back-up supervisor for the remaining insured banks and thrifts.

The FDIC also has a major role in compliance; it examines banks for compliance with consumer protection laws, which include the Fair Credit Billing Act, the Fair Credit Reporting Act, the Truth-In-Lending Act, and the Fair Debt Collection Practices Act, among others. The FDIC also examines banks for compliance with the Community Reinvestment Act (CRA) which requires banks to help meet the credit needs of the communities they were chartered to serve.

When a bank or thrift fails the FDIC responds immediately to protect insured depositors. The failed institution is generally closed by its chartering authority - the state regulator, or the Office of the Comptroller of the Currency. While the FDIC has several options for resolving institution failures, the one used most often is to sell the deposits and loans of the failed institution to another institution. Customers of the failed institution automatically become customers of the assuming institution. Most of the time, from the customer's point of view the transition is seamless.

FDIC Examinations

FDIC bank examinations generally focus on the IT systems of banks with a particular focus on information security. The federal banking agencies issued Interagency Guidelines Establishing Information Security Standards (“Interagency Guidelines”) in 2001. In 2005, the FDIC developed the Information Technology—Risk Management Program (IT-RMP), which is based largely on the Interagency Guidelines, as a risk-based approach for conducting IT examinations at FDIC-supervised banks. The FDIC also uses work programs developed by the Federal Financial Institutions Examination Council (FFIEC) to conduct IT examinations of service providers.

The examination process relies on bank management attestations regarding the extent to which IT risks are being managed and controlled. Examiners focus their efforts on management-identified weaknesses and may confirm selected safeguards described by management as adequate. Nonetheless, reports by the Office of the Inspector General within the FDIC indicate that examiners may not be consistent in their review of bank compliance with the Interagency Guidelines and do not regularly provide a clear statement of adequacy on intrusion detection programs and incident response plans.

The following provides a snapshot of information concerning FDIC IT examinations.
  • Currently about 2,300 IT examinations at financial institutions and technology service providers are conducted by the FDIC in a year.
  • IT examinations at a financial institution that is found to have adequate security take between 8 – 10 days to complete.
  • IT examinations at a financial institution that is found to have some degree of supervisory concern take a while longer – 15 to 20 days on average.

Being prepared for an FDIC examination

As IT examinations are a regular feature of the FDIC’s work, the boards of banks and bank directors should be adequately prepared for these. The question is where should their focus be when making such preparations?

Below are 10 key points that need to be taken into account when such preparations are made:
  1. Is bank management properly qualified to manage all aspects of the bank’s IT operations? Does this include compliance with all the relevant data security laws and regulations? Is the bank’s Board satisfied with the qualifications of bank management to handle this?
  2. Does the bank have a designated “Vendor Management Coordinator”? Does she/he have the appropriate level of due diligence and vendor risk modeling experience that matches the type and quality of the bank’s IT services?
  3. Do the bank Directors have a clear understanding of what services are outsourced? Does the bank’s Vendor Management Program meet the requirements and guidance of the FFIEC IT Examination Handbook, “Outsourcing Technology Services”?
  4. What about the bank’s “Business Continuity Planning/Disaster Recovery Plan”? Does it adequately address the sudden loss of IT services?
  5. When was the last time that your senior management reviewed the “Incident Response” section of your BCP/DR plan?
  6. Has your bank carried out a strategic test of your “Incident Response” plan (e.g. a tabletop simulation)?
  7. Has your bank carried out an operational test of your “Incident Response” plan (e.g. breach simulation)?
  8. Does your bank have a plan regarding how you would communicate news of a breach to bank customers, regulators and law enforcement?
  9. Does your bank have cyber insurance coverage? Does your management understand what is and is not covered under this policy?
  10. Does your bank have the necessary external resources identified and contractually bound to give you assistance and support in the event of a security incident?