FDIC lacking in its capacity to share threat information

The latest report from the FDIC’s Office of Inspector General (OIG) finds that the FDIC has implemented processes for sharing threat and vulnerability information with financial institutions. For example, the FDIC established formal procedures to communicate cyber threat and vulnerability information. However, the FDIC can improve the effectiveness of its processes to ensure financial institutions receive actionable and relevant threat and vulnerability information. The OIG determined that:

  • The FDIC can improve its sharing of threat and vulnerability information with financial institutions and other financial sector entities.
  • The FDIC can improve its controls over the recording of computer-security incidents to support threat intelligence operations and sharing activities.
  • The FDIC can mature its threat information sharing program by establishing procedures for sharing non-cyber related threat information and revising the program’s existing threat sharing policies and procedures.
  • The FDIC can enhance its capabilities to identify threat and vulnerability information.

With these improvements, the OIG believes the FDIC will be better positioned to effectively share accurate, complete and relevant threat and vulnerability information with financial institutions.

The report contains 10 recommendations to improve the FDIC’s processes to ensure that financial institutions receive actionable and relevant threat and vulnerability information. 

The OIG recommended that the FDIC share FDIC-developed threat and vulnerability information with financial institutions or other financial sector entities, improve controls over the recording of computer-security incidents reported by banks and service providers and ensure computer-security incident information in Virtual Supervisory Information on the Net (ViSION) and within RMS Incident Reports is complete, appropriate and accurate. 

The OIG also recommended that the FDIC mature its threat intelligence operations by establishing procedures for sharing non-cyber related threat information and revising the program’s existing policies and procedures. In addition, it recommended that the FDIC develop performance measures for its external threat sharing activities and that it enhance its threat intelligence operations by ensuring all data sets within the FDIC containing relevant threat and vulnerability information are assessed to support threat and vulnerability information sharing operations.

The FDIC concurred with all 10 recommendations in this report and plans to complete all corrective actions by March 31, 2024. 
