When it comes to judging a bank's system security method, examiners depend excessively on bank testimonials due to understaffing and the IT expertise necessary to make risk assessments.

That's according to a new report, “The FDIC's Supervisory Approach to Cyberattack Risks,” conducted by the FDIC Office of Inspector General, an independent unit that conducts audits, investigations and other reviews of FDIC programs and operations.

In the study, OIG reported most financial institutions rely heavily on information technology systems, external technology service providers (TSPs), and Internet-connected applications to provide or enable key banking functions.

The report also asserted that FDIC and FFIEC IT examination work programs focus on security controls at a broad program level, which, if they operate effectively, help institutions protect against and respond to cyberattacks. However, the work programs do not explicitly address cyberattack risk, could be updated and strengthened, and could better specify desired characteristics for key program-level controls, according to the report.

The OIG framed its recommendations to complement the Division of Risk Management Supervision's efforts to assess financial institutions' and TSPs' information security programs and compliance with the Interagency Guidelines – efforts associated with updating examination and institution guidance, addressing resource and training challenges, and enhancing information collection and sharing initiatives.

The office concluded that the FDIC could be more assured that financial institutions and TSPs are adequately prepared by taking the following actions:

  • Update and expand IT examination procedures
  • Provide consistency and transparency to the IT examination scope and procedures performed
  • Ensure that examiners consistently conclude on financial institution/TSP program-level controls and consider the scope of vendors' third-party reviews
  • Make efforts to estimate examiner resource and competency needs, and ensure those involved in reviewing IT examination reports receive sufficient and current training
  • Continue to enhance information-sharing associated with cyber risks

The OIG also found that examiners frequently determined the adequacy of risk assessment and audit programs, but were far less likely to have documented their review and/or provided a clear statement of adequacy on intrusion detection programs and incident response plans.

“With respect to vendor management, although financial institutions and IT risk management programs rely on periodic third-party reviews and audits of vendors' IT controls and risk management practices, we observed that vendors frequently obtained third-party reviews that provided lower levels of assurance,” the report stated.

The study also observed the average hours spent conducting individual IT-RMP examinations increased by about 21% since 2006. In 2013, the FDIC conducted 2,323 IT examinations at financial institutions and TSPs. In 2013, RMS spent an average of eight to 10 days to perform an IT examination at financial institutions with adequate or better IT security programs, and 15 to 20 days for FIs exhibiting some degree of supervisory concern. The total number of IT examination staff increased by about 36% since 2008. However, much of the increase occurred in non-commissioned IT examination analyst positions, many of whom are term employees who will be leaving the FDIC soon.
