OIG Flags Deficiencies in FDIC’s Threat Sharing Framework

A recent audit conducted by the FDIC’s Office of the Inspector General found that the agency “did not establish effective processes to acquire, analyze, disseminate and use relevant and actionable threat information to guide the supervision of financial institutions,” and identified several gaps in its threat sharing framework. The OIG’s audit was focused specifically on the FDIC’s internal processes for sharing threat information on things like cyberattacks, money laundering, terrorist financing, pandemics and natural disasters with personnel in its headquarters, regional and field offices.

Specifically, the OIG found that the FDIC did not: establish a written governance structure to guide its threat information sharing activities; implement a charter governing its intelligence support program, or develop associated goals and objectives to measure program performance; establish policies and procedures defining roles and responsibilities for key stakeholders involved in threat information sharing programs and activities; and ensure it had fully considered relevant risks for its enterprise risk inventory and risk profile.

Additionally, the OIG found gaps in the FDIC’s processes for “acquiring, analyzing and disseminating threat information, and in its processes for obtaining feedback from stakeholders regarding how the use of threat information can be improved.” The report recommended 25 corrective actions, most of which have either already been completed or are expected to be completed this year.