FDIC Cited for Repeated Security Weaknesses
Audit Report Finds Holes in Agency's Internal Security Management Practices

This is the key finding of a recent report issued by the Government Accountability Office (GAO) in an audit of the banking regulatory agency's 2007 financial statements (see full report: GAO: FDIC Sustains Progress but Needs to Improve Configuration Management of Key Financial Systems). According to Greg Wilshusen, GAO's director of Information Security Issues and author of the report, the FDIC, which examines and supervises about 5,250 U.S. banks, has made "significant progress" correcting 16 of 21 previously identified security weaknesses, including improving the physical security of its computer processing facility and its procedures for internal email.
But there remain significant vulnerabilities that, in the GAO's estimation, "could limit the corporation's ability to effectively protect the confidentiality, integrity and availability of its financial systems and information."
Among these weaknesses:
"Until FDIC fully performs key information security program activities," Wilshusen writes, "its ability to maintain adequate control over its financial systems and information will be limited."
FDIC 'One of the Better' Agencies
This report supplements the larger audit of the FDIC completed by the GAO, which audits financial statements across 24 federal agencies. As part of the audit process, the GAO tests the information security controls and system controls that support those financial statements. "The GAO has the opportunity to follow up and check on their progress every year," Wilshusen says.
Wilshusen didn't want to compare the FDIC to other audited agencies, but says, "The control weaknesses we identified at the FDIC did not rise to the level of a significant control deficiency, for the purposes of reporting on our audit report of their financial statements."
He adds that 20 of the 24 agencies reported "significant deficiencies or weaknesses" in their information security controls. "[The FDIC] would be one of the better organizations in regards to implementing appropriate controls over its financial systems," Wilshusen says.
In response to the report, Ned Goldberg, Chief Information Security Officer of the FDIC, says the agency may disagree "here and there" with the report, "but we take everything they say as something to be dealt with strongly."
Most of the cited weaknesses surround process issues, he says, adding that the FDIC has activities in place for every one of those areas.
As to how seriously the FDIC takes the GAO recommendations, Goldberg says, "Every year we close out most, if not all of GAO's findings or observations. We have a very aggressive information security program at the FDIC."
Remediation of each of these weaknesses should be completed before the next audit starts in October, Goldberg says.
Reaction: 'Little Bit Adverse'
Doug Johnson, Vice President and Senior Advisor, Risk Management Policy at the American Bankers Association, sees the GAO report as a "little bit adverse," but notes that it relates to the FDIC's own financial systems rather than to the information security content of its bank examination modules.
The FDIC does take its information security program seriously, Johnson says. "What we found is that they really practice what they preach," he explains, adding that the FDIC is responsive to GAO reports and he envisions that they will amend their program "pretty quickly."
Regarding some of the specific findings:
Johnson does see a bright spot in the GAO report: the integrity of the FDIC's financial systems. "There is no indication or implication that somehow the veracity of the numbers associated with the FDIC's financial systems could be in question based on these information security findings," he says. This matters to the industry because the tabulation of those numbers has a direct bottom-line impact on financial institutions, since they determine the premiums that member institutions pay to the FDIC.
About the FDIC
The FDIC was created in 1933 to insure deposits in banks and thrift institutions, in response to the bank failures that marked the Great Depression.
The agency directly examines and supervises its 5,250 institutions in areas such as safety and soundness, trust, information technology and compliance.
Receiving no congressional appropriations, the FDIC is funded entirely by the premiums that member institutions pay for deposit insurance coverage and by earnings on its investments in U.S. Treasury securities. With an insurance fund totaling more than $49 billion, the FDIC insures more than $3 trillion of deposits in U.S. institutions.
Headquartered in Washington, D.C., the FDIC currently employs about 4,500 people in six regional offices and in field offices around the country.