Audit: FDIC fell short in establishing process for gathering, using actionable threat information

Effective processes to acquire, analyze, disseminate, and use relevant and actionable threat information to guide the supervision of financial institutions were not established by the federal insurer of bank deposits, according to an audit report issued Wednesday.

The report, issued by the Federal Deposit Insurance Corp.’s (FDIC) Office of Inspector General (OIG), acknowledges that the agency acquired and analyzed “certain information pertaining to threats against FDIC-supervised financial institutions and disseminated this information to supervisory personnel in its Headquarters, Regional, and Field Offices.”

However, the report adds, the audit identified gaps in the “threat sharing framework” (the method the agency uses for acquiring and sharing information about threats to financial institutions). Those gaps, the report stated, included that the FDIC did not:

  • Establish a written governance structure to guide its threat information sharing activities;
  • Complete, approve, and implement a governance charter that established a common understanding of the role for the Intelligence Support Program or defined an overall strategy and requirements for it;
  • Develop goals, objectives, or measures to guide the performance of its Intelligence Support Program;
  • Establish adequate policies and procedures that defined roles and responsibilities for key stakeholders involved in the threat information sharing program and activities; and
  • Fully consider the risks discussed in this report for its Enterprise Risk Inventory and Risk Profile.

Among the report's 25 recommendations is that the agency “establish and implement a Charter, goals, objectives, and measures” to govern its Intelligence Support Program. The report also recommends that the FDIC establish and implement policies and procedures that define roles and responsibilities for acquiring, analyzing, and disseminating threat information managed by the Intelligence Support Program and its Risk Management Supervision (RMS) Operational Risk group.

In addition, the report recommends that the FDIC Enterprise Risk Inventory and Risk Profile fully consider the threat information sharing risks identified in the report.

The agency said it plans to complete all corrective actions by late this year (Dec. 16, 2022).

Sharing of Threat Information to Guide the Supervision of Financial Institutions