Cybersecurity: Bank and Other Depository Regulators Need Better Data Analytics and Depository Institutions Want More Usable Threat Information
Highlights
What GAO Found
Regulators use a risk-based examination approach to oversee the adequacy of information security at depository institutions—banks, thrifts, and credit unions—but could better target future examinations by analyzing deficiencies across institutions. For information technology (IT) examinations, regulators adjust the level of scrutiny at each institution depending on the information they review, past examination results, and any IT changes. GAO reviewed 15 IT examinations and found that regulators generally reviewed institutions' policies, interviewed staff, and examined audits of information security practices. While the largest institutions were generally examined by IT experts, medium and smaller institutions were sometimes reviewed by examiners with little or no IT training. The regulators recognized that some IT training is necessary for all examiners, so each regulator had efforts under way to increase the number of their staff with IT expertise and conduct more training. GAO identified two areas for improvement:
Data analytics. Regulators generally focused on IT systems at individual institutions but most lacked readily available information on deficiencies across the banking system. Although federal internal control standards call for organizations to have relevant, reliable, and timely information on activities, regulators were not routinely collecting IT security incident reports and examination deficiencies and classifying them by category of deficiency. Having such data would better enable regulators to identify and analyze trends across institutions and use that analysis to better target areas for review at institutions.
Oversight authority. Bank regulators directly address the risks posed to their regulated institutions from third-party technology service providers, but the National Credit Union Administration (NCUA) lacks this authority. Cyber risks affecting a depository institution can arise from weaknesses in the security practices of third parties that process information or provide other IT services to the institution. Bank regulators routinely conduct examinations of service providers' information security. Authorizing NCUA to routinely conduct such examinations could help it better ensure that the service providers for credit unions also follow sound information security practices.
Depository institutions obtain cyber threat information from multiple sources, including federal entities such as the Department of the Treasury (Treasury). Representatives from more than 50 financial institutions told GAO that obtaining adequate information on cyber threats from federal sources was challenging. Information viewed as most helpful for assessing threats and protecting systems included details on attacks other institutions experienced. To help address these needs, Treasury has various efforts under way to obtain such information and confidentially share it with other institutions. The department formed a special group that works with other law enforcement and intelligence agencies to obtain declassified information and share it with financial institutions in a series of circulars. Treasury staff also participate in Department of Homeland Security groups that monitor cyber incidents and work with a center that provides cyber threat information to thousands of financial institutions.
Why GAO Did This Study
Depository institutions experienced cyber attacks in recent years that are estimated to have resulted in hundreds of millions of dollars in losses. Depository institution regulators (the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve, the Federal Deposit Insurance Corporation, and NCUA) oversee information security at these institutions and Treasury coordinates protection of the financial sector.
The objectives of this report include examining (1) how regulators oversee institutions' efforts to mitigate cyber threats, and (2) sources of and efforts by agencies to share cyber threat information. GAO collected and analyzed cyber security studies from private-sector sources. GAO reviewed materials from selected IT examinations (based on regulator, institution size, and risk level). GAO also held three forums with more than 50 members of financial institution industry associations who provided opinions on cyber threat information sharing.
Recommendations
Congress should consider granting NCUA authority to examine third-party technology service providers for credit unions. In addition, regulators should explore ways to better collect and analyze data on trends in IT examination findings across institutions. In written comments on a draft of this report, the four regulators stated that they would take steps responsive to this recommendation.
Matter for Congressional Consideration
Matter | Status | Comments |
---|---|---|
To ensure that NCUA has adequate authority to determine the safety and soundness of credit unions, Congress should consider modifying the Federal Credit Union Act to grant NCUA authority to examine technology service providers of credit unions. | In July 2015, we suggested that Congress modify the Federal Credit Union Act to grant NCUA authority to examine technology service providers of credit unions. Legislation has been proposed that would address GAO's suggested action if enacted. H.R. 7036, the Strengthening Cybersecurity for the Financial Sector Act of 2024, was introduced in January 2024. The bill would provide authority for NCUA to examine the performance of services for insured credit unions or credit union organizations that are regularly subject to examination. S. 3554, the Financial Artificial Intelligence Risk Reduction Act, was introduced in December 2023. The bill would provide that if a credit union that is subject to examination by NCUA delegates the performance of certain activities and services, the delegation must be disclosed and is subject to regulation and examination by NCUA. As of February 2025, there has been no further action on these bills. |
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Office of the Comptroller of the Currency | To improve their ability to assess the adequacy of the information security practices at medium and small institutions, the heads of Federal Deposit Insurance Corporation, the Federal Reserve, Office of the Comptroller of the Currency, and NCUA should routinely categorize IT examination findings and analyze this information to identify trends that can guide areas of review across institutions. | In July 2015, we recommended that the Office of the Comptroller of the Currency (OCC) and other federal financial institution regulators conduct trend analysis of their IT examination findings to improve their ability to assess the adequacy of information security practices at medium and small institutions. In April 2018, OCC stated that it took two actions to respond to our recommendation. First, the agency integrated the Cybersecurity Assessment Tool (CAT), developed by OCC and other federal financial institution regulators, into OCC's ongoing IT examinations of national banks and federal savings associations using a risk-based approach. Officials believe that CAT will provide OCC with... |
Federal Deposit Insurance Corporation | To improve their ability to assess the adequacy of the information security practices at medium and small institutions, the heads of Federal Deposit Insurance Corporation, the Federal Reserve, Office of the Comptroller of the Currency, and NCUA should routinely categorize IT examination findings and analyze this information to identify trends that can guide areas of review across institutions. | In July 2015, we recommended that the Federal Deposit Insurance Corporation (FDIC) and other federal financial institution regulators conduct trend analysis of their IT examination findings to improve their ability to assess the adequacy of information security practices at medium and small institutions. In May 2017, FDIC provided information on a number of actions taken to address the recommendation. First, FDIC developed (in conjunction with the Federal Reserve) and implemented in July 2016 the Information Technology Risk Examination (InTREx) work program, which should help FDIC standardize IT examination findings for improved trend analysis and ensure that identified risks are... |
Federal Reserve System | To improve their ability to assess the adequacy of the information security practices at medium and small institutions, the heads of Federal Deposit Insurance Corporation, the Federal Reserve, Office of the Comptroller of the Currency, and NCUA should routinely categorize IT examination findings and analyze this information to identify trends that can guide areas of review across institutions. | In December 2018, the Federal Reserve provided detailed descriptions and supporting information concerning its efforts to enhance its processes and capabilities to categorize and analyze IT examination findings that respond to our recommendation. Specifically, Federal Reserve staff stated that they (1) collaborated with FDIC to improve the implementation of the Information Technology Risk Examination (InTREx) program; (2) conducted horizontal cybersecurity examinations; and (3) improved collection, analysis, and reporting capability of cyber events. According to Federal Reserve staff, the InTREx program provides a consistent approach for examiners to assess institutions' aggregate IT and... |
National Credit Union Administration | To improve their ability to assess the adequacy of the information security practices at medium and small institutions, the heads of Federal Deposit Insurance Corporation, the Federal Reserve, Office of the Comptroller of the Currency, and NCUA should routinely categorize IT examination findings and analyze this information to identify trends that can guide areas of review across institutions. | In July 2015, we recommended that the National Credit Union Administration (NCUA) and other federal financial institution regulators conduct trend analysis of their IT examination findings to improve their ability to assess the adequacy of information security practices at medium and small institutions. In April 2018, NCUA told us that it was implementing the Automated Cybersecurity Examination Tool (ACET), which is aligned with the FFIEC's Cybersecurity Assessment Tool, and it had begun to collect and aggregate data from the pool of 2018 examinations. NCUA stated that it was identifying common gaps which would inform future supervision plans. In May 2019, NCUA told us that in 2018 it... |