FDIC needs to sharpen its cyberthreat sharing with financial institutions, OIG says

Though the Federal Deposit Insurance Corporation has taken steps to improve its cyberthreat information-sharing with financial institutions, a recent inspector general report has found at least three agency resources have not yet deployed with industry partners. 

The partially-redacted report, released Wednesday, details efforts made by the FDIC — which insures designated levels of deposits in the nation’s commercial and savings banks — to establish effective cyber information-sharing practices with industry, following a critical January 2022 OIG report. 

But while enhancements have been made, such as the creation of its central Intelligence and Threat Sharing Unit, Wednesday’s report found that the FDIC had internal threat-sharing information resources that it hadn’t shared with industry partners.

This included a horizontal analysis of ransomware incidents at FDIC-supervised banks conducted by the agency’s Division of Risk Management Supervision, relevant information on threat and vulnerability trends identified during bank supervision activities and another category of information that was entirely redacted from the report.

The OIG went onto note that while FDIC officials did present a summary of the agency’s 2022 Ransomware Horizontal Review at several forums over the past year, “RMS has not formally shared the results of this review more broadly with financial institutions or published the final 2022 Ransomware Horizontal Review since it was completed in December 2022.”

The ransomware report includes the attack vectors, ransomware variants and top mitigation controls deployed at FDIC-supervised banks.

OIG officials also surveyed member financial institutions on what FDIC information would benefit their threat intelligence programs, with benchmarking sector threat information, more insight on successful mitigations, industry-specific data and trending elements and trend analysis of bank-reported cybersecurity incidents among the top issues.

The report also said that while RMS examination staff record all financial institutions’ reported computer-security incidents in the FDIC’s Virtual Supervisory Information on the Net — or ViSION — system, its controls were not effective in ensuring complete and accurate incident reports. 

Among the issues related to the ViSION challenges was a lack of incident reports in certain regions because the incidents were not deemed significant at the time or were associated with a service provider and not the affected bank. To correct those issues, FDIC crafted supplemental guidance in October 2022 to expand the range of incident information that examiners record.

The report also touched on the FDIC’s successful use of natural language processing to help identify financial institutions with vulnerabilities during cyberattacks — ranging from Spectre and Meltdown to SolarWinds and Log4j — and why that process hadn’t been expanded to threat information trending and analysis beyond those zero-day attacks. 

FDIC officials told the OIG that resources and contractor support for these efforts were inconsistent due to fluctuating budgets and turnover in contractor support resources. However, the report went on to conclude that expanded NLP use may not only identify threats and trends, but also relevant information on whistleblower allegations or allegations of weak bank information systems within FDIC’s unstructured datasets. 

The OIG made 10 recommendations, including that FDIC share agency-developed threat and vulnerability information with financial institutions, improve controls over recording cyber incidents and assess datasets containing relevant threat and vulnerability information with NLP or other tools, among others. 

FDIC officials concurred with the recommendations and plan to complete corrective actions by March 31, 2024.