OIG Report: FDIC cyber risk examination program riddled with flaws

A federal program to assess IT and cyber risks at financial institutions has several significant flaws that could prevent it from working as intended, and as a result, may affect the insurance premiums paid by those institutions, the Office of Inspector General concluded in a report released Tuesday.

The FDIC’s IT Risk Examination program, or InTREx, was implemented in 2016 to ensure that financial institutions were properly addressing their IT and cyber vulnerabilities. However, an OIG audit of the program found multiple shortcomings. The InTREx program is outdated and does not reflect current federal guidance, the OIG said. The FDIC did not communicate with examiners after updates were made to the program, nor did it employ a supervisory process to review IT workpapers before the completion of an examination to ensure that findings are sufficiently supported. The FDIC also does not offer training to reinforce InTREx program procedures, and examination policy and procedures were unclear, leading examiners to file workpapers in an inconsistent and untimely manner.

The ratings InTREx examiners assign ultimately factor into a financial institution’s CAMELS rating, the report said. “Such inaccuracies, in turn, could affect the CAMELS ‘management’ component rating and the overall composite rating assigned to financial institutions. These ratings are used to determine the insurance premiums paid by the financial institutions.”

The OIG issued 19 recommendations for improving InTREx. The FDIC proposed corrective actions for 14 of the recommendations that the OIG found sufficient to address the problems raised; the other five proposed corrective actions were judged insufficient.