Cybersecurity: Bank and Other Depository Regulators Need Better Data Analytics and Depository Institutions Want More Usable Threat Information
Highlights
What GAO Found
Regulators use a risk-based examination approach to oversee the adequacy of information security at depository institutions—banks, thrifts, and credit unions—but could better target future examinations by analyzing deficiencies across institutions. For information technology (IT) examinations, regulators adjust the level of scrutiny at each institution depending on the information they review, past examination results, and any IT changes. GAO reviewed 15 IT examinations and found that regulators generally reviewed institutions' policies, interviewed staff, and examined audits of information security practices. While the largest institutions were generally examined by IT experts, medium and smaller institutions were sometimes reviewed by examiners with little or no IT training. The regulators recognized that some IT training is necessary for all examiners, so each regulator had efforts under way to increase the number of their staff with IT expertise and conduct more training. GAO identified two areas for improvement:
Data analytics. Regulators generally focused on IT systems at individual institutions but most lacked readily available information on deficiencies across the banking system. Although federal internal control standards call for organizations to have relevant, reliable, and timely information on activities, regulators were not routinely collecting IT security incident reports and examination deficiencies and classifying them by category of deficiency. Having such data would better enable regulators to identify and analyze trends across institutions and use that analysis to better target areas for review at institutions.
Oversight authority. Bank regulators directly address the risks posed to their regulated institutions from third-party technology service providers, but the National Credit Union Administration (NCUA) lacks this authority. Cyber risks affecting a depository institution can arise from weaknesses in the security practices of third parties that process information or provide other IT services to the institution. Bank regulators routinely conduct examinations of service providers' information security. Authorizing NCUA to routinely conduct such examinations could help it better ensure that the service providers for credit unions also follow sound information security practices.
Depository institutions obtain cyber threat information from multiple sources, including federal entities such as the Department of the Treasury (Treasury). Representatives from more than 50 financial institutions told GAO that obtaining adequate information on cyber threats from federal sources was challenging. Information viewed as most helpful for assessing threats and protecting systems included details on attacks other institutions experienced. To help address these needs, Treasury has various efforts under way to obtain such information and confidentially share it with other institutions. The department formed a special group that works with other law enforcement and intelligence agencies to obtain declassified information and share it with financial institutions in a series of circulars. Treasury staff also participate in Department of Homeland Security groups that monitor cyber incidents and work with a center that provides cyber threat information to thousands of financial institutions.
Why GAO Did This Study
Depository institutions experienced cyber attacks in recent years that are estimated to have resulted in hundreds of millions of dollars in losses. Depository institution regulators (the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve, the Federal Deposit Insurance Corporation, and NCUA) oversee information security at these institutions and Treasury coordinates protection of the financial sector.
The objectives of this report include examining (1) how regulators oversee institutions' efforts to mitigate cyber threats, and (2) sources of and efforts by agencies to share cyber threat information. GAO collected and analyzed cyber security studies from private-sector sources. GAO reviewed materials from selected IT examinations (based on regulator, institution size, and risk level). GAO also held three forums with more than 50 members of financial institution industry associations who provided opinions on cyber threat information sharing.
Recommendations
Congress should consider granting NCUA authority to examine third-party technology service providers for credit unions. In addition, regulators should explore ways to better collect and analyze data on trends in IT examination findings across institutions. In written comments on a draft of this report, the four regulators stated that they would take steps responsive to this recommendation.
Matter for Congressional Consideration
| Matter | Status | Comments |
|---|---|---|
| To ensure that NCUA has adequate authority to determine the safety and soundness of credit unions, Congress should consider modifying the Federal Credit Union Act to grant NCUA authority to examine technology service providers of credit unions. | In July 2015, we suggested that Congress modify the Federal Credit Union Act to grant NCUA authority to examine technology service providers of credit unions. Legislation has been proposed that that would address GAO's suggested action if enacted. H.R. 7036, the Strengthening Cybersecurity for the Financial Sector Act of 2024, was introduced in January 2024. The bill would provide authority for NCUA to examine the performance of services for insured credit unions or credit union organizations that are regularly subject to examination. S. 3554, the Financial Artificial Intelligence Risk Reduction Act, was introduced in December 2023. The bill would provide that if a credit union that is subject to examination by NCUA delegates the performance of certain activities and services, the delegation must be disclosed and is subject to regulation and examination by NCUA. As of February 2025, there has been no further action on these bills. |
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Office of the Comptroller of the Currency | To improve their ability to assess the adequacy of the information security practices at medium and small institutions, the heads of Federal Deposit Insurance Corporation, the Federal Reserve, Office of the Comptroller of the Currency, and NCUA should routinely categorize IT examination findings and analyze this information to identify trends that can guide areas of review across institutions. |
In July 2015, we recommended that the Office of the Comptroller of the Currency (OCC) and other federal financial institution regulators conduct trend analysis of their IT examination findings to improve their ability to assess the adequacy of information security practices at medium and small institutions. In April 2018, OCC stated that it took two actions to respond to our recommendation. First, the agency integrated the Cybersecurity Assessment Tool (CAT), developed by OCC and other federal financial institution regulators, into OCC's ongoing IT examinations of national banks and federal savings associations using a risk-based approach. Officials believe that CAT will provide OCC with a repeatable and measurable process for assessing both the level of risk and the maturity of risk management processes within and across OCC-supervised institutions. Also, officials believe that data gathered in this process will allow OCC to monitor industry trends and identify new or emerging weaknesses where additional guidance or supervisory actions may be needed. Furthermore, CAT will help OCC allocate examiner resources and better target examiner training. Second, OCC stated that it enhanced its guidance and procedures for examiners to identify and aggregate supervisory concerns into matters requiring attention (MRAs), which are the mechanism OCC uses to communicate supervisory concerns to bank management and directors. OCC believes that the aggregate MRA data, including when correlated to the CAT data, has improved OCC supervision of IT security practices at medium and small institutions to provide focus on thematic observations in information security (access controls, patch management, asset inventories, third party connections, business continuity, etc.) that OCC is seeing across the OCC-supervised population of entities. OCC also stated that it allows for risk-based examination of areas of concern at specific institutions (i.e., MRA follow-up). OCC uses this data to help inform where resources should be allocated for the most effective supervision, both from an examination area and institution perspective. We believe that OCC's actions are responsive to our recommendation. OCC has implemented the CAT to help categorize IT examination findings. OCC has also begun to assess aggregate MRA data (including MRAs related to IT examinations) to identify trends from an examination area and institution perspective. Therefore, we are closing this recommendation as implemented.
|
| Federal Deposit Insurance Corporation | To improve their ability to assess the adequacy of the information security practices at medium and small institutions, the heads of Federal Deposit Insurance Corporation, the Federal Reserve, Office of the Comptroller of the Currency, and NCUA should routinely categorize IT examination findings and analyze this information to identify trends that can guide areas of review across institutions. |
In July 2015, we recommended that the Federal Deposit Insurance Corporation (FDIC) and other federal financial institution regulators conduct trend analysis of their IT examination findings to improve their ability to assess the adequacy of information security practices at medium and small institutions. In May 2017, FDIC provided information on a number of actions taken to address the recommendation. First, FDIC developed (in conjunction with the Federal Reserve) and implemented in July 2016 the Information Technology Risk Examination (InTREx) work program, which should help FDIC standardize IT examination findings for improved trend analysis and ensure that identified risks are effectively addressed by bank management. Second, FDIC stated that it implemented the Cyber Incident Response Plan (CIRP) in 2016 to provide operational procedures for staff in the event of a cyber threat or incident. CIRP should assist in trend analysis by helping to standardize terminology through cyber incident classification. Third, FDIC participated in the creation of the Federal Financial Institution Examination Council's "Crisis Communication Protocols," which was revised in January 2016 and establishes a framework for coordinating among the federal banking regulators and external groups, thereby assisting trend analysis across industry. Lastly, FDIC deployed the Technology Incident Reporting System (TIRS) for voluntary reporting and tracking of technology incidents, and has since implemented several iterations of TIRS. FDIC began summarizing TIRS data on a quarterly basis for FDIC senior management in 2012. The quarterly report identifies trends across all reported incident types. Review of the June 2016 quarterly report indicates that FDIC-supervised institutions have seen declines in account takeovers, total estimated losses, and average losses from the prior quarter. As a result of these actions, we believe that FDIC will be better positioned to conduct trend analysis of IT examination findings and assess the adequacy of information security practices at depository institutions it supervises. Therefore, FDIC has been responsive to our recommendation.
|
| Federal Reserve System | To improve their ability to assess the adequacy of the information security practices at medium and small institutions, the heads of Federal Deposit Insurance Corporation, the Federal Reserve, Office of the Comptroller of the Currency, and NCUA should routinely categorize IT examination findings and analyze this information to identify trends that can guide areas of review across institutions. |
In December 2018, the Federal Reserve provided detailed descriptions and supporting information concerning its efforts to enhance its processes and capabilities to categorize and analyze IT examination findings that responds to our recommendation. Specifically, Federal Reserve staff stated that they (1) collaborated with FDIC to improve the implementation of the Information Technology Risk Examination (InTREx) program; (2) conducted horizontal cybersecurity examinations; and (3) improved collection, analysis, and reporting capability of cyber events. According to Federal Reserve staff, the InTREx program provides a consistent approach for examiners to assess institutions aggregate IT and cybersecurity risk. The Federal Reserve has also prepared internal guidance for use by their examiners for this program. The Federal Reserve staff also stated that examiners conduct horizontal cybersecurity examinations that are based on supervisory themes identified in the previous year's work and awareness of current and relevant events affecting the sector. The Federal Reserve staff stated that they have continually worked to improve this process, and our review showed evidence of examiners applying these procedures. The Federal Reserve staff also told us that they developed and implemented an application to track cyber event reporting and improve the collection and analysis of cyber events, including developing internal guidance describing the application and the use of such data by examiners. Our review of the latest report produced by this application showed evidence of trend analysis based on IT examination findings.
|
| National Credit Union Administration | To improve their ability to assess the adequacy of the information security practices at medium and small institutions, the heads of Federal Deposit Insurance Corporation, the Federal Reserve, Office of the Comptroller of the Currency, and NCUA should routinely categorize IT examination findings and analyze this information to identify trends that can guide areas of review across institutions. |
In July 2015, we recommended that the National Credit Union Administration (NCUA) and other federal financial institution regulators conduct trend analysis of their IT examination findings to improve their ability to assess the adequacy of information security practices at medium and small institutions. In April 2018, NCUA told us that it was implementing the Automated Cybersecurity Examination Tool (ACET), which is aligned with the FFIEC's Cybersecurity Assessment Tool, and it had begun to collect and aggregate data from the pool of 2018 examinations. NCUA stated that it was identifying common gaps which would inform future supervision plans. In May 2019, NCUA told us that in 2018 it had applied ACET to examinations of institutions with assets over $1 billion and shared the results with supervisory staff and fellow state regulators. NCUA said it has now completed integration of ACET into examinations of all institutions under its supervision through a multiyear plan. To confirm NCUA's statements, we reviewed its letter to credit unions on supervisory priorities for 2019. NCUA wrote that examiners would use ACET to assess credit unions with over $250 million in assets that have not previously received an assessment. The letter identified two additional areas of supervisory focus for 2019: assessment of credit union IT risk management, and oversight of service provider arrangements. NCUA stated that these areas of focus were established as a result of historical examination analysis, emerging threat trends, and sample results of ACET maturity assessments to date. Given that NCUA is incorporating ACET into IT examinations, categorizing IT examination findings, analyzing the information to identify trends, and using those trends to identify areas of review across institutions, NCUA has implemented this recommendation.
|