Cybersecurity: Bank and Other Depository Regulators Need Better Data Analytics and Depository Institutions Want More Usable Threat Information

GAO-15-509: Published: Jul 2, 2015. Publicly Released: Jul 2, 2015.

Contact:

Lawrance Evans
(202) 512-8678
evansl@gao.gov


Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

Regulators use a risk-based examination approach to oversee the adequacy of information security at depository institutions—banks, thrifts, and credit unions—but could better target future examinations by analyzing deficiencies across institutions. For information technology (IT) examinations, regulators adjust the level of scrutiny at each institution depending on the information they review, past examination results, and any IT changes. GAO reviewed 15 IT examinations and found that regulators generally reviewed institutions' policies, interviewed staff, and examined audits of information security practices. While the largest institutions were generally examined by IT experts, medium and smaller institutions were sometimes reviewed by examiners with little or no IT training. The regulators recognized that some IT training is necessary for all examiners, so each regulator had efforts under way to increase the number of their staff with IT expertise and conduct more training. GAO identified two areas for improvement:

Data analytics. Regulators generally focused on IT systems at individual institutions but most lacked readily available information on deficiencies across the banking system. Although federal internal control standards call for organizations to have relevant, reliable, and timely information on activities, regulators were not routinely collecting IT security incident reports and examination deficiencies and classifying them by category of deficiency. Having such data would better enable regulators to identify and analyze trends across institutions and use that analysis to better target areas for review at institutions.
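The trend analysis this finding calls for is, at its core, an aggregation problem: record each examination deficiency with the institution, its size tier, the examination cycle and a deficiency category, then count across institutions rather than one institution at a time. The script below is an added illustration, not GAO's code or any regulator's examination system. The institutions, tiers, years and counts are constructed for the example; the category labels follow the thematic areas the report names (access controls, patch management, asset inventories, third-party connections, business continuity).

```python
"""Cross-institution trend analysis of categorized IT examination findings.

Added illustration (not GAO's or any regulator's code): each finding is
recorded with the institution, its size tier, the examination year and a
deficiency category, so findings can be aggregated across institutions.
"""
from collections import Counter, defaultdict
from typing import NamedTuple


class Finding(NamedTuple):
    institution: str   # hypothetical institution name
    tier: str          # "large", "medium" or "small" (hypothetical size tiers)
    year: int          # examination cycle
    category: str      # deficiency category assigned by the examiner


# Constructed sample data: institutions, years and counts are invented.
# Category labels follow the thematic areas named in the report.
FINDINGS = [
    Finding("Bank A", "large", 2016, "access controls"),
    Finding("Bank B", "medium", 2016, "patch management"),
    Finding("Bank C", "small", 2016, "patch management"),
    Finding("CU D", "small", 2016, "third party connections"),
    Finding("Bank B", "medium", 2017, "patch management"),
    Finding("Bank C", "small", 2017, "access controls"),
    Finding("Bank E", "small", 2017, "patch management"),
    Finding("CU D", "small", 2017, "business continuity"),
    Finding("Bank A", "large", 2017, "asset inventories"),
    Finding("Bank E", "small", 2017, "third party connections"),
    Finding("CU F", "small", 2017, "patch management"),
    Finding("Bank C", "small", 2017, "patch management"),
]


def findings_by_category(findings):
    """Total findings per category across every institution and tier."""
    return Counter(f.category for f in findings)


def category_by_tier(findings):
    """Findings per category, broken out by institution size tier."""
    table = defaultdict(Counter)
    for f in findings:
        table[f.tier][f.category] += 1
    return table


def institution_breadth(findings, tier=None):
    """Distinct institutions with at least one finding in each category.

    A category seen at many institutions is a systemic weakness worth a
    cross-institution review; the same category repeated at one institution
    is a follow-up item for that institution only.
    """
    seen = defaultdict(set)
    for f in findings:
        if tier is None or f.tier == tier:
            seen[f.category].add(f.institution)
    return {cat: len(insts) for cat, insts in seen.items()}


def year_over_year(findings, category):
    """Finding counts per examination year for one category, oldest first."""
    counts = Counter(f.year for f in findings if f.category == category)
    return sorted(counts.items())


def prioritize(findings, tier):
    """Rank categories for a size tier: most institutions affected first,
    then most findings, with the category name breaking ties."""
    counts = category_by_tier(findings)[tier]
    breadth = institution_breadth(findings, tier)
    return sorted(counts, key=lambda cat: (-breadth[cat], -counts[cat], cat))


if __name__ == "__main__":
    print("Findings by category:", dict(findings_by_category(FINDINGS)))
    print("Patch management, year over year:",
          year_over_year(FINDINGS, "patch management"))
    print("Review priorities for small institutions:",
          prioritize(FINDINGS, "small"))
```

The ranking deliberately puts institution breadth ahead of raw count: six patch-management findings spread over four institutions say more about the population than six at one bank, which is the distinction between a trend that should steer the next examination cycle and a matter requiring follow-up at a single institution.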

Oversight authority. Bank regulators directly address the risks posed to their regulated institutions from third-party technology service providers, but the National Credit Union Administration (NCUA) lacks this authority. Cyber risks affecting a depository institution can arise from weaknesses in the security practices of third parties that process information or provide other IT services to the institution. Bank regulators routinely conduct examinations of service providers' information security. Authorizing NCUA to routinely conduct such examinations could help it better ensure that the service providers for credit unions also follow sound information security practices.

Depository institutions obtain cyber threat information from multiple sources, including federal entities such as the Department of the Treasury (Treasury). Representatives from more than 50 financial institutions told GAO that obtaining adequate information on cyber threats from federal sources was challenging. Information viewed as most helpful for assessing threats and protecting systems included details on attacks other institutions experienced. To help address these needs, Treasury has various efforts under way to obtain such information and confidentially share it with other institutions. The department formed a special group that works with other law enforcement and intelligence agencies to obtain declassified information and share it with financial institutions in a series of circulars. Treasury staff also participate in Department of Homeland Security groups that monitor cyber incidents and work with a center that provides cyber threat information to thousands of financial institutions.

Why GAO Did This Study

Depository institutions experienced cyber attacks in recent years that are estimated to have resulted in hundreds of millions of dollars in losses. Depository institution regulators (the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve, the Federal Deposit Insurance Corporation, and NCUA) oversee information security at these institutions and Treasury coordinates protection of the financial sector.

The objectives of this report include examining (1) how regulators oversee institutions' efforts to mitigate cyber threats, and (2) sources of cyber threat information and efforts by agencies to share it. GAO collected and analyzed cybersecurity studies from private-sector sources. GAO reviewed materials from selected IT examinations (based on regulator, institution size, and risk level). GAO also held three forums with more than 50 members of financial institution industry associations who provided opinions on cyber threat information sharing.

What GAO Recommends

Congress should consider granting NCUA authority to examine third-party technology service providers for credit unions. In addition, regulators should explore ways to better collect and analyze data on trends in IT examination findings across institutions. In written comments on a draft of this report, the four regulators stated that they would take steps responsive to this recommendation.

For more information, contact Lawrance Evans, (202) 512-8678, or evansl@gao.gov.

Matter for Congressional Consideration

  1. Status: Open

    Comments: In July 2015, we suggested that Congress modify the Federal Credit Union Act to grant NCUA authority to examine technology service providers of credit unions. As of April 2018, Congress had not granted NCUA this authority.

    Matter: To ensure that NCUA has adequate authority to determine the safety and soundness of credit unions, Congress should consider modifying the Federal Credit Union Act to grant NCUA authority to examine technology service providers of credit unions.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In July 2015, we recommended that the Office of the Comptroller of the Currency (OCC) and other federal financial institution regulators conduct trend analysis of their IT examination findings to improve their ability to assess the adequacy of information security practices at medium and small institutions. In April 2018, OCC stated that it took two actions to respond to our recommendation. First, the agency integrated the Cybersecurity Assessment Tool (CAT), developed by OCC and other federal financial institution regulators, into OCC's ongoing IT examinations of national banks and federal savings associations using a risk-based approach. Officials believe that CAT will provide OCC with a repeatable and measurable process for assessing both the level of risk and the maturity of risk management processes within and across OCC-supervised institutions. Also, officials believe that data gathered in this process will allow OCC to monitor industry trends and identify new or emerging weaknesses where additional guidance or supervisory actions may be needed. Furthermore, CAT will help OCC allocate examiner resources and better target examiner training. Second, OCC stated that it enhanced its guidance and procedures for examiners to identify and aggregate supervisory concerns into matters requiring attention (MRAs), which are the mechanism OCC uses to communicate supervisory concerns to bank management and directors. OCC believes that the aggregate MRA data, including when correlated to the CAT data, has improved OCC supervision of IT security practices at medium and small institutions to provide focus on thematic observations in information security (access controls, patch management, asset inventories, third-party connections, business continuity, etc.) that OCC is seeing across the OCC-supervised population of entities. OCC also stated that it allows for risk-based examination of areas of concern at specific institutions (i.e., MRA follow-up). OCC uses this data to help inform where resources should be allocated for the most effective supervision, both from an examination area and institution perspective. We believe that OCC's actions are responsive to our recommendation. OCC has implemented the CAT to help categorize IT examination findings. OCC has also begun to assess aggregate MRA data (including MRAs related to IT examinations) to identify trends from an examination area and institution perspective. Therefore, we are closing this recommendation as implemented.

    Recommendation: To improve their ability to assess the adequacy of the information security practices at medium and small institutions, the heads of Federal Deposit Insurance Corporation, the Federal Reserve, Office of the Comptroller of the Currency, and NCUA should routinely categorize IT examination findings and analyze this information to identify trends that can guide areas of review across institutions.

    Agency Affected: Department of the Treasury: Office of the Comptroller of the Currency

  2. Status: Closed - Implemented

    Comments: In July 2015, we recommended that the Federal Deposit Insurance Corporation (FDIC) and other federal financial institution regulators conduct trend analysis of their IT examination findings to improve their ability to assess the adequacy of information security practices at medium and small institutions. In May 2017, FDIC provided information on a number of actions taken to address the recommendation. First, FDIC developed (in conjunction with the Federal Reserve) and implemented in July 2016 the Information Technology Risk Examination (InTREx) work program, which should help FDIC standardize IT examination findings for improved trend analysis and ensure that identified risks are effectively addressed by bank management. Second, FDIC stated that it implemented the Cyber Incident Response Plan (CIRP) in 2016 to provide operational procedures for staff in the event of a cyber threat or incident. CIRP should assist in trend analysis by helping to standardize terminology through cyber incident classification. Third, FDIC participated in the creation of the Federal Financial Institution Examination Council's "Crisis Communication Protocols," which was revised in January 2016 and establishes a framework for coordinating among the federal banking regulators and external groups, thereby assisting trend analysis across industry. Lastly, FDIC deployed the Technology Incident Reporting System (TIRS) for voluntary reporting and tracking of technology incidents, and has since implemented several iterations of TIRS. FDIC began summarizing TIRS data on a quarterly basis for FDIC senior management in 2012. The quarterly report identifies trends across all reported incident types. Review of the June 2016 quarterly report indicates that FDIC-supervised institutions have seen declines in account takeovers, total estimated losses, and average losses from the prior quarter. As a result of these actions, we believe that FDIC will be better positioned to conduct trend analysis of IT examination findings and assess the adequacy of information security practices at depository institutions it supervises. Therefore, FDIC has been responsive to our recommendation.

    Recommendation: To improve their ability to assess the adequacy of the information security practices at medium and small institutions, the heads of Federal Deposit Insurance Corporation, the Federal Reserve, Office of the Comptroller of the Currency, and NCUA should routinely categorize IT examination findings and analyze this information to identify trends that can guide areas of review across institutions.

    Agency Affected: Federal Deposit Insurance Corporation

  3. Status: Open

    Comments: In July 2015, we recommended that the Board of Governors of the Federal Reserve System (Board) and other federal financial institution regulators conduct trend analysis of their IT examination findings to improve their ability to assess the adequacy of information security practices at medium and small institutions. As of October 2016, the Board had not provided an update on its efforts to address this recommendation. In March 2018, we sought additional information on the status of efforts to implement this recommendation from agency officials and will update this status after we receive and review any new developments.

    Recommendation: To improve their ability to assess the adequacy of the information security practices at medium and small institutions, the heads of Federal Deposit Insurance Corporation, the Federal Reserve, Office of the Comptroller of the Currency, and NCUA should routinely categorize IT examination findings and analyze this information to identify trends that can guide areas of review across institutions.

    Agency Affected: Federal Reserve System

  4. Status: Open

    Comments: In July 2015, we recommended that the National Credit Union Administration (NCUA) and other federal financial institution regulators conduct trend analysis of their IT examination findings to improve their ability to assess the adequacy of information security practices at medium and small institutions. In April 2018, NCUA told us that it implemented an examination tool with a limited rollout in 2018. Specifically, NCUA developed the Automated Cybersecurity Examination Tool (ACET), which is fully aligned with the FFIEC's Cybersecurity Assessment Tool, and developed associated reference and support materials for staff. NCUA initiated work on ACET in late 2016 and completed initial release in August 2017. ACET was tested and refined in the 4th quarter of 2017 and deployed for initial implementation in all institutions with assets exceeding $1 billion for the 2018 examination cycle. Results from initial testing warranted further research and refinement for smaller institutions to improve the effectiveness of the examination summary. NCUA believes that the tool will allow them to more fully identify gaps and vulnerabilities. They have begun to collect and aggregate data from the pool of 2018 selected institutions. This work is helping NCUA refine the tool for full exam program integration in the 2019 examination cycle and, while it is still too early to draw conclusions from the initial data collection, NCUA is identifying common gaps which will inform future supervision plans. NCUA expects further refinements to ACET as they sample and test the examination protocol against small institutions during the second half of 2018. We will continue to monitor NCUA's progress with this program and revisit our recommendation in early 2019.

    Recommendation: To improve their ability to assess the adequacy of the information security practices at medium and small institutions, the heads of Federal Deposit Insurance Corporation, the Federal Reserve, Office of the Comptroller of the Currency, and NCUA should routinely categorize IT examination findings and analyze this information to identify trends that can guide areas of review across institutions.

    Agency Affected: National Credit Union Administration
