The Office of Inspector General (OIG) of the Federal Deposit Insurance Corporation (FDIC) issued its report on Sharing of Threat and Vulnerability Information with Financial Institutions.
Financial institutions face a wide range of significant and persistent threats to their operations. Whether man-made or natural, these threats can disrupt the delivery of financial services and inflict financial harm on consumers and businesses. The interconnected nature of the financial services industry further elevates the potential impact that threats can have on financial institutions. For example, many insured financial institutions rely on third-party service providers for critical banking services. An incident at a large service provider could have a cascading impact on a large number of financial institutions. If widespread, the impact could ultimately diminish public confidence and threaten the stability of the United States financial system.
Our Office conducted an evaluation to determine whether the FDIC has implemented effective processes to ensure that financial institutions receive actionable and relevant threat and vulnerability information. We determined that the FDIC has implemented processes for the sharing of threat and vulnerability information with financial institutions. For example, the FDIC established formal procedures to communicate cyber threat and vulnerability information. However, the FDIC can improve the effectiveness of its processes to ensure that financial institutions receive actionable and relevant threat and vulnerability information. We determined that:
- The FDIC can improve its sharing of threat and vulnerability information with financial institutions and other financial sector entities;
- The FDIC can improve its controls over the recording of computer-security incidents to support threat intelligence operations and sharing activities;
- The FDIC can mature its threat information sharing program by establishing procedures for sharing non-cyber related threat information and revising the program’s existing threat sharing policies and procedures; and
- The FDIC can enhance its capabilities to identify threat and vulnerability information.
We made 10 recommendations to the FDIC to address the findings in our report. The FDIC concurred with all of our recommendations and plans to complete corrective actions by March 31, 2024.