OFFICIAL PUBLICATION OF THE MONTANA INDEPENDENT BANKERS ASSOCIATION

Pub. 11 2023 Issue 3

The FDIC Was Audited. What Does That Mean for Community Banks? Four Things To Know About the FDIC Audit

The FDIC was recently audited, which means financial institutions may be more susceptible to cyber-attacks and threats. The Office of Inspector General (OIG) examined the FDIC from April 2021 to November 2022 to understand whether the FDIC effectively assesses and addresses IT risks at financial institutions.

As a result of the audit, we’re seeing enhanced IT exam controls made to the FDIC’s Information Technology Risk Examination (InTREx) program. This will trickle down to community banks, making it critical to examine your IT and cybersecurity strategy, manage risk and keep up to date on compliance changes.

What does that mean on a practical level for community banks? I’ve outlined the four most important findings and recommendations to help protect your business.

Four Things to Know About the FDIC Audit

  1. The InTREx program is outdated. It simply does not reflect current federal guidance and frameworks for three of the four InTREx Core Modules. According to the FDIC, updates to InTREx should align with new or updated FFIEC IT Booklets or NIST guidance; however, the program has not been updated to include recent changes.

    Effect on Banks: The OIG found that InTREx does not reflect the following: the revised NIST Cybersecurity Framework, as it applies to supply chain risk management activities; the newly issued FFIEC booklet “Authentication and Access to Financial Institution Services and Systems”; the revised edition of the FFIEC Business Continuity Planning IT booklet, as it applies to an enterprise-wide approach to business continuity and to risks within supply chain management; and the revised edition of the FFIEC Operations IT booklet, as it relates to enterprise-wide planning and cybersecurity considerations.

    What does this mean for banks? I recommend implementing a process for making timely updates and keeping up with any guidance changes.

  2. The FDIC did not communicate or provide guidance to its examiners after updates were made to the program. The FDIC implemented some changes to InTREx in July 2019 that introduced 58 new procedures for examiners to indicate when Baseline Cybersecurity Statement procedures were not met. The procedures were broken out into a separate checklist; however, this change was never communicated to FDIC testing staff, nor was guidance issued on how to perform the new procedures.

    Effect on Banks: The results could have a positive effect on banks: the testing staff may be better informed of exam procedures, meaning banks need to be well prepared to answer tougher questions and provide detailed documentation.

    Additionally, because incorrect documents, programs and reporting requirements have been used by staff in the past, you may see additional questions, requests, or recommendations as a result of a better-informed staff and better-communicated process requirements.

  3. FDIC examiners did not complete InTREx examination procedures and decision factors required to support examination findings and URSIT ratings. FDIC examiners did not document the work performed for 70% of the IT examinations reviewed by OIG, and 40% of exams had incomplete decision factors used to support URSIT ratings. As a result, the procedures performed and the URSIT scores assigned may be inaccurate.

    Effect on Banks: With the elevated risk that URSIT component and composite ratings may not be accurate, the CAMELS “management” component rating could be impacted, in turn affecting the overall composite rating assigned to financial institutions. This rating is often used to determine an institution’s deposit insurance premiums.

  4. The FDIC has not employed a supervisory process to review IT workpapers prior to the completion of the examination. On top of the lack of complete procedures, decision factors and documentation, the FDIC also did not perform any final review by the assigned Examiner in Charge (EIC) or a supervisor prior to issuance.

    Effect on Banks: Be prepared for additional questions, requests or recommendations. Because more senior staff will now review workpapers with a more critical eye, there could be additional work and requests after this detailed review.

    Additionally, because the results of Internal Control and Review Section (ICRS) reviews conducted internally by the FDIC will be shared across all supervisory regions, you could start to see national considerations in addition to regional considerations.

Other Findings

The examination stirred up several other findings, and though I can’t elaborate on each one, I will address them here:

  • The FDIC does not offer training to reinforce InTREx program procedures to promote consistent completion of IT examination procedures and decision factors.
  • The FDIC’s examination policy and InTREx procedures were unclear, which led examiners to file IT examination workpapers in an inconsistent and untimely manner.
  • The FDIC does not provide guidance to examination staff on reviewing threat information to remain apprised of emerging IT threats and those specific to financial institutions.
  • The FDIC is not fully utilizing available data and analytic tools to improve the InTREx program and identify emerging IT risks.
  • The FDIC has not established goals and performance metrics to measure its progress in implementing the InTREx program.

Shore Up Your Defenses

Cyber threats have always been a critical risk for banks; however, the FDIC audit places extra urgency on shoring up your IT and cybersecurity defenses. To learn how to implement simple protective measures, visit www.pinionglobal.com/cyber-hygiene/.

Melissa DeDonder is an IT and Cybersecurity consultant at Pinion, a global advisory firm.