Pub. 11 2023 Issue 3

THE FDIC WAS AUDITED. WHAT DOES THAT MEAN FOR COMMUNITY BANKS?

FOUR THINGS TO KNOW ABOUT THE FDIC AUDIT

BY MELISSA DeDONDER, PINION

The FDIC was recently audited, and the findings suggest that gaps in its IT examination program may leave financial institutions more exposed to cyber-attacks and other threats. The Office of Inspector General (OIG) examined the FDIC from April 2021 to November 2022 to determine whether the FDIC effectively assesses and addresses IT risks at financial institutions. As a result of the audit, we are seeing enhancements to the IT examination controls in the FDIC's Information Technology Risk Examination (InTREx) program. These changes will trickle down to community banks, so it is critical to examine your IT and cybersecurity strategy, manage risk and keep up to date on compliance changes.

What does that mean on a practical level for community banks? I've outlined the four most important findings and recommendations to help protect your business.

FOUR THINGS TO KNOW ABOUT THE FDIC AUDIT

1. The InTREx program is outdated.

It does not reflect current federal guidance and frameworks for three of the four InTREx Core Modules. According to the FDIC, updates to InTREx should align with new or updated FFIEC IT booklets and NIST guidance; however, the program has not been updated to incorporate recent changes.

Effect on banks: The OIG found that InTREx does not reflect the revised NIST Cybersecurity Framework, as it applies to supply chain risk management activities; the newly issued FFIEC booklet "Authentication and Access to Financial Institution Services and Systems"; the revised edition of the FFIEC Business Continuity Planning IT booklet, as it applies to an enterprise-wide approach to business continuity and to risks within supply chain management; or the revised edition of the FFIEC Operations IT booklet, as it relates to enterprise-wide planning and cybersecurity considerations.

What does this mean for banks? I recommend implementing a process for making timely updates and keeping up with any guidance changes.

2. The FDIC did not communicate or provide guidance to its examiners after updates were made to the program.

The FDIC implemented changes to InTREx in July 2019 that introduced 58 new procedures for examiners to use when indicating that Baseline Cybersecurity Statement procedures were not met. The procedures were broken out into a separate checklist; however, the change was never communicated to FDIC examination staff, nor was guidance provided on how to perform the new procedures.

Effect on banks: The result could be positive for banks. Examination staff may be better informed about exam procedures, which means banks need to be prepared to answer tougher questions and provide detailed documentation. Additionally, because staff have used incorrect documents, programs and reporting requirements in the past, you may see additional questions, requests or recommendations as a result of better-informed staff and better-communicated process requirements.

GUEST ARTICLE Community Banker 27
