Is the FDIC’s IT Risk Program Unfit for Purpose?

A federal risk program aimed at overseeing IT security at banks and other financial institutions is “outdated” and risks missing “significant IT and cyber risks”, according to an audit of the system.

The Federal Deposit Insurance Corporation’s (FDIC) IT Risk Examination program, known as InTREx, was not being properly implemented by the organization’s examiners and “did not reflect current federal guidance”, according to the FDIC’s Office of Inspector General.

The internal audit report also found that the FDIC had not properly communicated InTREx updates to its examiners, had failed to provide proper training on IT risks, and had no way of measuring the progress it had made with implementation of InTREx.

“The weaknesses… collectively demonstrate the need for the FDIC to take actions to ensure that its examiners effectively assess and address IT and cyber risks during IT examinations,” the Inspector General wrote.

“Without effective implementation of the InTREx program, significant IT and cyber risks may not be identified by examiners and addressed by financial institutions.”

Poor risk assessments could also negatively affect the corporation’s supervisory work and lead to banks and other federally insured institutions paying the wrong premiums, the report warned.

The report’s verdict comes after a survey of bank risk chiefs found that cybersecurity was their top risk management priority for 2023. EY reported that many chief risk officers felt their banks’ inability to manage cybersecurity issues was a top strategic risk over the next three years.

The FDIC joined other federal regulators at the start of this year in warning that crypto-assets were a potential source of contagion risk for the financial sector, and pledged to “closely monitor” banks’ exposures to the sector.