April 24, 2018 / Source: FDICIG
The FDIC’s Response, Reporting, and Interactions with Congress Concerning Information Security Incidents and Breaches
On April 16, 2018, the Office of Inspector General (OIG) of the Federal Deposit Insurance Corporation (FDIC) issued a Special Inquiry report in response to a request from the former Chairman of the Senate Committee on Banking, Housing, and Urban Affairs. The report examines the circumstances surrounding eight information security incidents that the FDIC experienced during late 2015 and early 2016, in which departing employees improperly took sensitive information shortly before leaving the FDIC. Specifically, our report examines issues at the FDIC related to data security, incident reporting, and policies, as well as the representations made by FDIC officials to Congress regarding the incidents.
The Committee on Science, Space, and Technology of the House of Representatives had examined the FDIC’s handling of these incidents, held two hearings in May and July 2016, and expressed concerns about the FDIC’s information security program, the accuracy of certain FDIC statements, and the completeness of the FDIC’s document productions in connection with the incidents.
Our Special Inquiry revealed certain systemic weaknesses that hindered the FDIC’s ability to handle multiple information security incidents and breaches efficiently and effectively. For example:
- The FDIC had not taken sufficient steps to ensure that it had a comprehensive incident response program and plan for information security incidents and breaches.
- The FDIC did not have timely guidance on the statutory reporting requirements for major incidents under the Federal Information Security Modernization Act of 2014 (FISMA), or on the related implementing guidance.
- FDIC risk assessments of the incidents and the decisions based on them were not clearly documented, and therefore did not ensure that the incidents were treated consistently.
- The FDIC relied on post-employment statements from employees, and these statements did not fully protect the FDIC’s interests.
- The FDIC did not consider the full range of impacts that the incidents could have on consumers. As a result, FDIC notifications to the affected consumers were delayed, and in some cases, occurred more than a year after the FDIC first discovered the incidents.
- The FDIC’s reporting of the “major” incidents to Congress was not timely. The FDIC’s characterizations were sometimes inaccurate and imprecise, and the FDIC failed to correct the record on these points, despite several opportunities to do so.
- The FDIC’s document productions did not fully comply with Congressional document requests:
  - Initially, the FDIC did not impose a legal hold on certain individuals who had direct and relevant knowledge of the facts.
  - The FDIC also did not initially conduct searches of the email vault to identify responsive records.
  - The FDIC was not clear in its communications with Congress as to its approach and progress in complying with document production requests.
  - Only after Congress requested that the FDIC specifically preserve all pertinent documents did the FDIC take action to more fully comply with the document requests.
We made 13 recommendations in this Special Inquiry report to address the systemic issues associated with the FDIC’s incident response and reporting and interactions with Congress. We also identified shortcomings in the performance of certain individuals in key leadership positions as they handled the incidents and related activities, and we requested that the FDIC review the performance issues we identified.
The FDIC concurred with all of the recommendations and committed to implement corrective actions. The FDIC also agreed to advise the OIG of actions undertaken to address the performance issues we identified in our report.
Report: OIG-18-001.pdf