Report examines shortcomings in FDIC information security, reporting systems (including to Congress)

A report making recommendations to address systemic issues associated with the federal deposit insurer’s information security incident response and reporting – particularly to members of Congress – was released Monday by the agency’s office of inspector general.

The report, “The FDIC’s Response, Reporting, and Interactions with Congress Concerning Information Security Incidents and Breaches (OIG Report No. OIG-18-001),” was requested by Federal Deposit Insurance Corp. (FDIC) Board Chairman Martin Gruenberg as a “special inquiry.” According to the report, he requested it on behalf of Sen. Richard Shelby (R-Ala.), former chairman of the Senate Committee on Banking, Housing, and Urban Affairs.

The report states that the OIG identified “certain systemic weaknesses” that hindered the agency’s ability to handle multiple information security incidents and breaches efficiently and effectively. The report also noted that these weaknesses contributed to untimely, inaccurate, and imprecise reporting of information to Congress, and led to document productions that did not fully comply with congressional document requests.

“We also identified shortcomings in the performance of certain individuals in key leadership positions as they handled the incidents and related activities, namely the former Chief Information Officer/Chief Privacy Officer, the Director of the Office of Legislative Affairs, and the former Deputy General Counsel,” the report states.

The 231-page report notes that the FDIC has completed corrective actions for two of the recommendations and plans to take corrective actions to address the remaining 11 between June 2018 and December 2018.

The recommendations completed are:

  1. Clarify legal hold policies and processes to ensure that all relevant personnel and sources of documents and information are included in the scope of legal holds;
  2. Ensure that congressional communications policies, procedures, and guidelines establish a single office that has accountability and authority for providing timely responses compliant with Congressional requests and communicating with Congressional staff regarding those requests.

According to the report, during late 2015 and early 2016, the FDIC experienced eight information security incidents in which departing employees improperly took sensitive information shortly before leaving the FDIC. Seven of the eight incidents involved Personally Identifiable Information (“PII”), including Social Security Numbers, and thus constituted breaches.

In the eighth incident, the agency said, the departing employee took, without authorization, highly sensitive components of resolution plans submitted by certain large systemically important financial institutions.

The report states that in April and May 2016, the House Committee on Science, Space, and Technology examined the FDIC’s handling of these incidents, its data security policies, and its reporting of the “major incidents.” As part of its investigation, the committee requested pertinent documents from the FDIC about the incidents.

The committee then held two hearings, in May and July 2016, about the incidents at the FDIC and issued an interim report on the matter. During the hearings and in its interim report, as well as in correspondence with the FDIC, the report states, the committee expressed concerns about the FDIC’s information security program, the accuracy of certain FDIC statements, and the completeness of the FDIC’s document productions.

In June 2016, Banking Committee Chairman Shelby requested that the agency’s OIG examine issues at the FDIC related to data security, incident reporting, and policies, as well as the representations made by FDIC officials.

The FDIC’s Response, Reporting, and Interactions with Congress Concerning Information Security Incidents and Breaches