3. FDIC examiners did not complete InTREx examination procedures and decision factors required to support examination findings and URSIT ratings.

FDIC examiners did not document the work performed for 70% of the IT examinations reviewed by OIG, and 40% of exams had incomplete decision factors used to support URSIT ratings. As a result, the procedures performed and the URSIT scores assigned may be inaccurate.

Effect on Banks: With the elevated risk that URSIT component and composite ratings may not be accurate, the CAMELS “management” component rating could be impacted, in turn impacting the overall composite rating assigned to financial institutions. This rating is often used to determine institution deposit insurance premiums.

4. The FDIC has not employed a supervisory process to review IT workpapers prior to the completion of the examination.

On top of that lack of complete procedures, decision factors and documentation, the FDIC also did not perform any final review by the assigned Examiner in Charge (EIC) or supervisor prior to issuance.

Effect on Banks: Be prepared for additional questions, requests or recommendations. With more senior staff applying a more critical eye, there could be additional work and requests after this detailed review. Additionally, because the results of Internal Control and Review Sections (ICRS) conducted internally by FDIC will be shared across all supervisory regions, you could start to see national considerations in addition to regional considerations.

OTHER FINDINGS

The examination stirred up several other findings, and though I can’t elaborate on each one, I will address them here:

• The FDIC does not offer training to reinforce InTREx program procedures to promote consistent completion of IT examination procedures and decision factors.
• The FDIC’s examination policy and InTREx procedures were unclear, which led examiners to file IT examination workpapers in an inconsistent and untimely manner.
• The FDIC does not provide guidance to examination staff on reviewing threat information to remain apprised of emerging IT threats and those specific to financial institutions.
• The FDIC is not fully utilizing available data and analytic tools to improve the InTREx program and identify emerging IT risks.
• The FDIC has not established goals and performance metrics to measure its progress in implementing the InTREx program.

SHORE UP YOUR DEFENSES

Cyber threats have always been a critical risk for banks; however, the FDIC audit places extra urgency on shoring up your IT and cybersecurity defenses. To learn how to implement simple protective measures, visit www.pinionglobal.com/cyber-hygiene/.

Melissa DeDonder is an IT and Cybersecurity consultant at Pinion, a global advisory firm.

Community Banker