The FDIC recently underwent an examination performed by The Office of Inspector General (OIG). The objective of the audit was to determine whether the FDIC’s Information Technology Risk Examination (InTREx) program effectively assesses and addresses IT and cyber risks at financial institutions.
The audit was performed from April 2021 to November 2022 in accordance with generally accepted government auditing standards. Pinion has reviewed the results, which include nine findings and several recommendations, and we have begun to consider the changes banks may see in their annual IT exams performed by the FDIC.
See below for the findings, our thoughts on the ripple down effect, and what it means for you.
Finding 1: The InTREx program is outdated and does not reflect current Federal guidance and frameworks for three of four InTREx Core Modules.
What Happened: According to the FDIC, updates to InTREx should align with new or updated FFIEC IT Booklets or NIST guidance; however, the program has not been updated to include recent changes.
Ripple Down Effect: We expect the items below will be a heavy focus during your next exam cycle. Don’t worry though: if Pinion has performed your IT assessment over the course of the last 12 months, we considered these items in our testing.
- Version 1 of the NIST cybersecurity framework is dated February 2014, and this is the framework used to develop the InTREx program. The framework was updated in April 2018; however, these changes are not reflected in InTREx. The major bone OIG picked here was supply chain risk management activities (think Vendor Management Program). We believe this will be an immense focus during your next exam cycle.
- In August 2021, the FFIEC issued “Authentication and Access to Financial Institution Services and Systems” guidance. The booklet requires that risk management principles and practices be in place and reinforces the need for financial institutions to effectively authenticate users and customers to protect information systems, accounts and data.
- In November 2019, the FFIEC revised the “Business Continuity Planning” IT booklet. Changes here include: principles to address risk related to the availability of critical financial products and services, implementation of an enterprise-wide approach to BC (address technology, business operations, testing and communication strategies) and risks within supply chain management.
- In June 2021, FFIEC updated the “Operations” IT booklet. Changes here include: risks related to Architecture, Infrastructure and Operations, including enterprise-wide planning and design and risks related to emerging technologies (cloud computing, artificial intelligence, zero trust architecture and Internet-of-Things) and cybersecurity considerations.
These are the recent changes; however, the recommendation is that a process for timely updates must be implemented, so it will be imperative that banks keep up with any changes in guidance and quickly meet compliance requirements.
Finding 2: The FDIC did not communicate or provide guidance to its examiners after updates were made to the program.
What Happened: The FDIC implemented some changes to InTREx in July 2019 that introduced 58 new procedures for examiners to indicate when Baseline Cybersecurity Statement procedures were not met. The procedures were broken out into a separate checklist; however, this change was never communicated to FDIC testing staff, nor was guidance issued on how to perform the new procedures.
Ripple Down Effect: The resulting recommendations could have a positive effect on banks, since testing staff may be better informed of exam procedures. However, this will mean banks need to be better prepared to answer tougher questions and provide detailed documentation. Additionally, because incorrect documents, programs and reporting requirements have been used by staff in the past, you may see additional questions, requests or recommendations as a result of a better-informed staff and better-communicated process requirements.
Finding 3: FDIC examiners did not complete InTREx examination procedures and decision factors required to support examination findings and URSIT ratings.
What Happened: FDIC examiners did not document the work performed for 70% of the IT examinations reviewed by OIG and 40% of exams had incomplete decision factors used to support URSIT ratings. As a result, the procedures performed and the URSIT scores assigned may be inaccurate.
Ripple Down Effect: With the elevated risk that URSIT component and composite ratings may not be accurate, the CAMELS “management” component rating could be impacted, which in turn impacts the overall composite rating assigned to financial institutions. This rating is often used to determine institution deposit insurance premiums. Much like the effect of Finding 2 above, because a process will be put in place to ensure completion of procedures and decision factors, your bank may need to be prepared to provide information not previously requested or considered.
Finding 4: The FDIC has not employed a supervisory process to review IT workpapers prior to the completion of the examination in order to ensure that findings are sufficiently supported and accurate.
What Happened: In addition to the lack of complete procedures, decision factors and documentation, the FDIC also did not perform ANY final review by the assigned Examiner in Charge (EIC) or a supervisor prior to issuance.
Ripple Down Effect: The effect here will be similar to that in Finding 2. You will want to be prepared for additional questions, requests or recommendations, and because more senior staff will review the work with a more critical eye, there could be additional work and requests after this detailed review. Additionally, because results of Internal Control and Review Sections (ICRS) conducted internally by the FDIC will be shared across all supervisory regions, you could start to see national considerations in addition to just regional considerations.
Finding 5: The FDIC does not offer training to reinforce InTREx program procedures to promote consistent completion of IT examination procedures and decision factors.
What Happened: FDIC IT examiners are required to complete only two training courses and a 90-day IT exam rotation to obtain on-the-job experience. No ongoing education is required or offered. As a result, 42% of staff identified insufficient education as a material challenge to conducting IT examinations and 90% of IT exams reviewed did not comply with InTREx procedures.
Ripple Down Effect: Additional InTREx-related education would help to reduce errors and reinforce InTREx guidance and updates. This may provide consistency for you on a year-to-year basis: no matter which examiner performs the testing, the process and procedures should be the same. See the Ripple Down Effect in Finding 2 for additional considerations on how you may be impacted.
Finding 6: The FDIC’s examination policy and InTREx procedures were unclear, which led examiners to file IT examination workpapers in an inconsistent and untimely manner.
What Happened: The FDIC is not appropriately retaining relevant workpapers to document scoping and rating results. The most serious issue arising from this lack of document storage and retention is that 40% of examinations tested did not include the documents that record the bank’s risk indicators and determine the InTREx complexity. If the ratings are not supported, it could be that the incorrect IT EIC was assigned or that the exam as a whole was incorrectly scoped.
Ripple Down Effect: These workpapers are used to assign resources to the particular exam. If there are not complete and timely workpapers, the ability to manage, oversee and audit the exam process is limited. The effect for this finding mirrors that for Findings 2 and 3 above.
Finding 7: The FDIC does not provide guidance to examination staff on reviewing threat information to remain apprised of emerging IT threats and those specific to financial institutions.
What Happened: Examiners are not aware of, or do not regularly review, the threat information guidance posted to the FDIC’s collaborative platform. This guidance includes analyzed information about threats that can affect financial institutions. It comes from external sources, such as government agencies including DHS, the Federal Bureau of Investigation and the Department of the Treasury. It also includes internal information developed by FDIC experts on the subject.
Ripple Down Effect: The FDIC has committed in their corrective actions to guide staff on the use of threat information in support of IT exams and to review the curriculum to determine that training adequately highlights threat information availability. With the increasing number and types of IT and cyber threats to banks, this commitment could cause testing to look different from year to year. This continuing education provided to staff will bring the ever-changing threat landscape of IT controls to the forefront and exam procedures will need to adjust with the specific risks identified.
Finding 8: FDIC is not fully utilizing available data and analytic tools to improve the InTREx program and identify emerging IT risks.
What Happened: The FDIC is not aggregating and analyzing data from across the banking sector, and there are no standardized methods for collecting exam data that would allow industry trends to be identified. The FDIC has developed a tool, AlphaRex, to conduct analysis of unstructured data, but it is not being used effectively or regularly.
Ripple Down Effect: Additional use of these analytical tools could improve the InTREx program and identify emerging trends, threats and IT risks by ingesting and analyzing additional data sources. This would allow the FDIC to share trend analysis data with banks and even to contact susceptible institutions and help ensure their systems and networks are patched in response to new threats. Some banks may find this beneficial as a benchmarking tool, as a source of threat knowledge, or for best-practice due diligence.
Finding 9: FDIC has not established goals and performance metrics to measure its progress in implementing the InTREx program.
What Happened: The FDIC creates internal performance goals annually; these goals have not traditionally considered IT supervision activities and did not address the performance of IT exams or the effectiveness of the InTREx program.
Ripple Down Effect: The FDIC only partially concurs with this finding, and OIG has stated that the FDIC’s proposed corrective action does not fully satisfy the recommendations. The expectation, then, is that performance goals, objectives and metrics will need to continue to be built out and will directly correlate with InTREx. This could result in more frequent changes to InTREx, testing procedures and other IT exam activities.
There you have it. A look into our crystal ball. One thing, however, can be said with certainty: there will be additional or enhanced IT exam controls made to InTREx. OIG states that until the FDIC addresses these weaknesses, there is a risk that IT and cyber risks at banks will not be identified, adequately mitigated or addressed. As a result, financial institutions may be more susceptible to cyber attacks and threats.
For questions regarding cybersecurity controls, frameworks, incident remediation and best practices for prevention and detection, contact a Pinion technology advisor.