GAO: Bank Risk Analysis Comes Up ShortNew Report Says Regulators Not Doing Enough
Banking regulators are not adequately analyzing risks across institutions' enterprises, and not all IT examiners are well trained, according to new report from the Government Accountability Office about cybersecurity within the U.S. banking industry.
But a new GAO report also notes that not all regulatory agencies have the same oversight authority. In its report, "Cyber Security: Bank and Other Depository Regulators Need Better Data Analytics and Depository Institutions Want More Usable Threat Information," the GAO calls on Congress to take action to address this imbalance.
"Bank regulators directly address the risks posed to their regulated institutions from third-party technology service providers, but the National Credit Union Administration lacks this authority," the GAO notes. "Cyber-risks affecting a depository institution can arise from weaknesses in the security practices of third parties that process information or provide other IT services to the institution. Bank regulators routinely conduct examinations of service providers' information security. Authorizing NCUA to routinely conduct such examinations could help it better ensure that the service providers for credit unions also follow sound information security practices."
The Office of the Comptroller of the Currency, the Federal Deposit Insurance Corp., the Board of Governors of the Federal Reserve System and NCUA are all responsible for regulatory oversight and examination of depository institutions, and all are part of the Federal Financial Institutions Examination Council, which sets examination rules and guidelines.
All of these agencies, except for the NCUA, have the authority to conduct information security examinations of institutions' third-party service providers.
The Consumer Financial Protection Bureau also has authority to examine institutions with more than $10 billion in assets for compliance with consumer protection laws, but the GAO did not review the bureau's activities for report.
NCUA Executive Director Mark Treichel says the agency agrees with the GAO that the credit union regulator should have authority to review third-party service providers for cybersecurity resilience.
"Parity among regulators of depository institutions in oversight authority vis-Ã -vis technology service providers would go far toward preventing third parties from transmitting material cyber risks to their clients," Treichel says.
And NCUA Chairwoman Debbie Matz notes in a statement about the report that this is not the first time that the GAO has recommended Congress grant third-party oversight authority to NCUA.
"In assessing current cybersecurity risks, GAO also references its 1999 and 2003 recommendations to provide NCUA with vendor authority," Matz says. "The 2003 assessment noted that third-party arrangements can help credit unions manage costs, provide expertise and improve services to credit union members, but they also present risks, such as threats to security systems, weakness of processing, availability and integrity of the systems."
Ben Hardaway, an NCUA spokesman, tells Information Security Media Group that the NCUA had temporary vendor examination authority from 1998 until 2001, as part of the nation's response to Y2K.
"Vendor authority is NCUA's top legislative priority," Hardaway says. "Without vendor authority, NCUA cannot accurately assess the actual risk present in the credit union system, and whether current CUSO [Credit Union Service Organization] or third-party vendor risk-mitigation strategies are adequate and can effectively protect the system. The agency will continue to work with members of Congress to ensure the agency has the same legal authority that other federal financial institutions regulators have."
"I am surprised NCUA cannot examine third parties; since bank regulators can do so, it just makes sense that this body should be able to as well," she says. "It takes Congress a long time to get anything done, though, so I wouldn't expect change to happen quickly."
Beyond the NCUA's third-party assessment inadequacies, the GAO also notes that banking regulators across the board are not routinely collecting all appropriate security incident data and documenting cybersecurity deficiencies during examinations. Examiners have also historically failed to classify deficiencies by category, which has made assessing an institution's overall cybersecurity challenging, the GAO finds.
"Regulators generally focused on IT systems at individual institutions, but most lacked readily available information on deficiencies across the banking system," the GAO states. "Having such data would better enable regulators to identify and analyze trends across institutions and use that analysis to better target areas for review at institutions."
Having that kind of information is critical, the GAO notes - a point with which regulatory agencies agree.
In his response to the GAO report, Comptroller of the Currency Thomas Curry says FFIEC agencies already are working to enhance cybersecurity data collection during their IT examinations through use of the new Cybersecurity Assessment Tool.
"This tool will provide the OCC with a repeatable and measurable process for assessing both the level of risk and the maturity of risk management processes within and across OCC-supervised institutions," Curry says. "This data will allow the OCC to monitor industry trends and identify new or emerging weaknesses where additional guidance or supervisory actions may be needed."
Better Examiner Training
Curry says this assessment tool also will provide data that regulatory agencies can use to help them better ensure all IT examiners are adequately trained - another cybersecurity shortcoming the GAO notes.
The GAO says most of the country's largest institutions are usually examined by IT experts. However, mid-sized and smaller institutions are at times reviewed by examiners with little or no IT training, according to the watchdog agency.
"The regulators recognized that some IT training is necessary for all examiners, so each regulator had efforts under way to increase the number of their staff with IT expertise and conduct more training," the report notes.
Curry says the assessment tool will enable regulators to identify and target training needs for examiners, especially those who work with smaller institutions.
"We expect to begin using the Cybersecurity Assessment Tool in selected examinations that commence during the fourth quarter of 2015," he says.