Is the FDIC’s IT Exam Effective?

Community banks may be in for a surprise the next time their information technology and cybersecurity systems are examined by the Federal Deposit Insurance Corp.

The agency is undertaking a number of changes to the exam it uses to assess IT systems and controls at supervised banks, after a report from the agency’s Office of the Inspector General in January found weaknesses that could miss or underestimate risk at examined institutions. Advisors and the OIG have warned that FDIC-examined banks might need better protections beyond what the FDIC’s IT exam requires.

“Until the FDIC addresses these weaknesses, there is a risk that IT and cyber risks at banks will not be identified or adequately mitigated or addressed. As a result, financial institutions may be more susceptible to [cyberattacks] and threats,” the OIG wrote.

FDIC’s IT exam, called the IT Risk Examination or InTREx, was implemented in 2016 and updated in 2019. The ratings a bank receives on this exam feed into the management component of the CAMELS rating, which stands for capital, asset quality, management, earnings, liquidity and sensitivity to market risk. The CAMELS rating carries a number of implications for banks, including determining their deposit insurance assessment.

The FDIC’s OIG found that the InTREx program is outdated: It doesn’t reflect current or updated federal guidance and frameworks in three of the exam’s four core modules. For example, InTREx was developed using a cybersecurity framework from the National Institute of Standards and Technology (NIST) that came out in 2014. That framework was updated in 2018, but those changes aren’t reflected in the program, according to the OIG.

“The evolving nature of IT and cyber risks underscores the need for timely updates to examination procedures for the InTREx program. Without an effective process to update the InTREx program, the FDIC cannot ensure that its examiners are applying current IT guidance to assess all significant risks,” the OIG wrote. “The lack of an effective process also increases the potential that banks may be operating in IT environments with unidentified and unmanaged risks.”

The OIG also audited a sample of exam findings and found instances where examiners didn’t complete the InTREx exam procedures and decision factors required to support their findings and subsequent ratings. The office wrote that these shortcomings indicate that examiners may not be making accurate assessments of bank IT risks, or that banks may not be receiving accurate or fully documented exam findings or composite ratings.

Small banks that use their exam findings to direct IT investments may be surprised if the FDIC updates the exam. They can’t rely on the exam to be the only “trustworthy rudder” that guides their programs, says Joshua Sitta, CIO and founder of cybersecurity firm Sittadel. And an updated InTREx program could lead to examiner findings that could adversely impact a bank’s management score in their CAMELS rating.

“If you feel like your bank is operating within your risk appetite and you’re using the InTREX score to evaluate that, you’re running a bank [with risk] that is much higher than your risk appetite,” he says.

The OIG audit contains 19 recommendations for the FDIC, including updating the program, ensuring examiners follow the procedures as intended and reviewing and applying new threat information regularly. The FDIC concurred with the majority of the OIG’s recommendations and proposed corrective action that should be completed by the end of the year. However, the OIG determined that on five recommendations, the FDIC’s proposed actions didn’t satisfy the recommendations. The FDIC didn’t return requests for comment for this article.

The OIG’s report led audit and consulting firm Plante Moran to issue guidance this spring that encouraged banks to be proactive in testing for cybersecurity threats and to keep up with the changing IT landscape.

But that can even create challenges during InTREx exams. Colin Taggert, a principal at Plante Moran who provides cybersecurity consulting and authored the spring client notice, has heard of “pain points” from bank clients with systems that are more robust, modern or updated in certain areas beyond the scope of InTREx, but receive feedback based on the older exam materials.

That tension also came up in banker feedback to the FDIC’s ombudsman, according to the 2022 annual report: “Some bankers reported that examiners did not sufficiently understand the processes, risks, and controls related to their bank’s technology programs. In the bankers’ opinions, this led to unwarranted criticisms and inappropriate supervisory recommendations,” the ombudsman wrote.

Cybersecurity is a perennial focus of risks for banks, with 83% of respondents to Bank Director’s 2023 Risk Survey saying their cybersecurity risk concerns increased somewhat or significantly year-over-year. Almost 90% say their bank had conducted a cybersecurity assessment in the past 12 months; the median budget for cybersecurity in 2023 was $250,000.

This focus on cybersecurity underlines that banks are responsible for making sure they have safe and sound practices. Taggart and Sitta both recommend that FDIC-examined banks work with third parties to assess their IT frameworks and cybersecurity. Taggart recommends banks pay special attention to systems that have undergone changes in the last 5 to 7 years, including digital channels, wireless networks and policies around employees using personal devices for work, among others.

Banks should also consider incorporating guidance from organizations like the Federal Financial Institutions Examination Council and NIST that has been updated in the years since InTREX was created. Several resources that the OIG, Taggart and Sitta reference include:

• The FFIEC guidance from August 2021 on “Authentication and Access to Financial Institution Services and Systems.”
• The FFIEC IT booklet from November 2019 on “Business Continuity Planning.”
• The FFIEC’s June 2021 “Operations” IT booklet.
• NIST’s special publication 800-171 on technical control mapping and cybersecurity best practices, currently in its second version.
• NIST’s special publication 800-53, which addresses security and privacy controls for information systems and organization and is currently on its fifth version.