Background of the FDIC IT Exam
The banking industry has undergone significant transformations in recent years, and technology has played a pivotal role in the way financial institutions operate. As the industry evolves, so do the risks associated with information technology and cybersecurity. To address these challenges, the Federal Deposit Insurance Corporation (FDIC) introduced the Information Technology Risk Examination (InTREx) Program. However, the effectiveness of this program has recently come into question following an audit by the Office of Inspector General (OIG). Below, we will detail what the program is and the recommendations aimed at enhancing the program that may have implications for financial institutions.
What is InTREx?
The InTREx Program was implemented on July 1, 2016, and changed the approach to IT examinations within FDIC-supervised financial institutions. This enhanced program introduced a more efficient and risk-focused approach that incorporated a cybersecurity preparedness assessment and disclosed more detailed examination results using component ratings. The aim was to ensure that financial institution management promptly identified and effectively addressed IT and cybersecurity risks. The key highlights of the InTREx Program include:
- A uniform rating system for information technology (URSIT): Component and composite ratings assigned at each IT examination were included in the Risk Management Report of Examination, providing a comprehensive view of a financial institution’s IT risk.
- A cybersecurity preparedness assessment: An assessment of a financial institution’s cybersecurity preparedness was included in every Risk Management Report of Examination.
- A streamlined IT profile: Financial institutions completed an IT profile in advance of examinations, replacing the cumbersome IT Officer’s Questionnaire (ITOQ). The IT profile provided examiners with more focused insights, while reducing the number of questions.
- An enhanced pre-examination process: The pre-examination scoping process was revised to focus on emerging risks and technologies, ensuring a more targeted examination.
- Examination procedures: Examiners followed the InTREx core modules, cybersecurity workpapers, and information security standard workpapers to assess risk, and document examination procedures, findings, and recommendations.
- A report presentation: The Risk Management Report of Examination included a summary of the IT function, component ratings, examination findings, recommendations, and management’s responses, including timeframes for corrective action.
Audit Results and Recommendations
The recent OIG audit of the InTREx Program identified several areas that require attention and improvement. These recommendations, while aimed at enhancing the program, also raise questions about their potential positive and negative impacts on financial institutions. Below, we break down the details and implications to consider.
- Recommendation 1: Update and implement the InTREx Program to reflect current IT and cyber risks and guidance.
- Recommendation 2: Work with the InTREx Interagency Committee to develop and implement procedures to govern the process to update the InTREx Program.
- Positive impact: Staying current ensures that the program aligns with the ever-evolving landscape of IT and cybersecurity. This can lead to more effective risk assessments and a better understanding of emerging threats.
- Negative impact: Frequent updates may introduce uncertainty and additional workload for financial institutions, potentially leading to compliance and resource challenges.
- Recommendation 3: Communicate InTREx Program updates to examiners in a timely manner prior to implementation.
- Positive impact: Timely updates equip examiners with the latest knowledge, allowing them to conduct more informed examinations.
- Negative impact: Financial institutions might need to adapt quickly to changes, which could be disruptive and potentially increase the cost of compliance.
- Recommendation 4: Issue revised or updated guidance to examiners to address the InTREx Program’s updates.
- Positive impact: Clear and updated guidance benefits examiners and financial institutions. It facilitates efficient examinations and ensures consistent understanding and that examiners are updating the inTREx Programs in a timely manner. This is critical since the IT security landscape is rapidly changing.
- Recommendation 5: Develop and implement control mechanisms to ensure that examiners complete examination procedures and decision factors.
- Recommendation 6: Review the sampled examinations in which examination procedures and decision factors were not completed in order to determine whether the ratings are accurate.
- Positive impact: Ensuring that examiners follow established procedures leads to a fair and more standardized examination process.
- Negative impact: The increased scrutiny may add pressure on examiners, potentially affecting the speed and efficiency of examinations. This may also result in increased scrutiny by examiners and a higher number of findings in regulatory exams.
- Recommendation 7: Take corrective actions to address any inaccuracies identified as a result of the review recommended above.
- Positive impact: Continuous improvement ensures that the examination process becomes increasingly accurate and fair. This will also provide more accurate report ratings for financial institutions to gain a better picture of their security posture.
- Recommendation 8: Update and implement the examination policy and InTREx procedures to require IT examination workpapers to be reviewed for adequacy and that workpapers sufficiently support examination conclusions prior to the issuance of the Report of Examination (ROE).
- Positive impact: Emphasizing comprehensive documentation benefits both examiners and financial institutions and ensures that workpapers meet necessary standards.
- Negative impact: This could delay the issuance of final reports. Banks may need to rely on draft findings to begin their remediation efforts timely.
- Recommendation 9: Share the results of ICRS Regional Reviews with all supervisory regions.
- Recommendation 10: Provide refresher training to reinforce the InTREx Program procedures, such as the completion of all examination procedures and decision factors, and address updates and changes to the InTREx Program.
- Positive impact: Enhanced communication and well-trained examiners lead to a more cohesive approach to IT examinations, which reduces regional disparities.
The following items relate primarily to internal processes and procedures within the FDIC’s organization:
- Recommendation 11: Develop and implement examination policy and procedures to designate the roles and responsibilities for filing and maintaining IT examination workpapers in RADD.
- Recommendation 12: Develop and implement procedures and controls to ensure that workpapers are properly filed in RADD in accordance with the FDIC’s examination policy and procedures.
- Recommendation 13: Establish and document the timeframe for uploading IT examination workpapers to RADD.
- Recommendation 14: Establish and implement procedures that define responsibilities for reviewing and applying threat information during IT examinations.
- Recommendation 15: Provide training for applying threat information during IT examinations.
- Recommendation 16: Conduct a review to determine areas in which the AlphaRex tool could be utilized to identify areas of improvement for the InTREx Program, and emerging IT risks and trends at financial institutions.
- Recommendation 17: Develop and implement defined, objective, quantifiable, and measurable goals related to the InTREx Program.
- Recommendation 18: Develop and implement a process to collect and analyze relevant data regarding the InTREx Program.
- Recommendation 19: Develop and implement metrics and indicators, including outcome measures to assess the effectiveness of the InTREx Program and determine if the program is achieving its desired results and outcomes.
- Positive impact: Recommendations 11 to 19 revolve around internal program improvement, data collection, and setting measurable goals for the InTREx Program, leading to the improvement of the program over time. This will ensure the program stays up-to-date and relevant as the IT security landscape changes. Therefore, financial institutions can expect a more robust and effective InTREx program that continually evolves to address emerging IT risks and trends.
While the InTREx Program may not have been as effective as it could have been, a more robust oversight process will ensure that the program is improved and up to date with the current IT security landscape. The OIG audit’s findings and the subsequent recommendations underscore the FDIC’s commitment to enhancing the InTREx Program, which is crucial for safeguarding the banking system’s IT and cybersecurity landscape. While these changes may introduce challenges, such as new recommendations during examinations and the need for increased financial or staffing resources, the overall impact is balanced.
Financial institutions stand to benefit from more relevant and up-to-date examinations, clearer guidance, well-informed examiners, and an examination process that becomes increasingly accurate and fair over time. These improvements ultimately serve the goal of enhancing the security and stability of the U.S. banking system, benefiting both financial institutions and their clients.
If you have any questions regarding the FDIC’s InTREx Program and how it might impact you, please reach out to a member of our team.