WASHINGTON–A new report from the GAO has found deficiencies in how regulators are examining cybersecurity at financial institutions, and its recommendations include providing NCUA with the authority to oversee third-party vendors.
The agency has been seeking such third-party oversight, but that expanded examination authority has been strongly opposed by vendors themselves.
“Regulators use a risk-based examination approach to oversee the adequacy of information security at depository institutions—banks, thrifts, and credit unions—but could better target future examinations by analyzing deficiencies across institutions,” said GAO in the report, issued July 2. “For information technology (IT) examinations, regulators adjust the level of scrutiny at each institution depending on the information they review, past examination results, and any IT changes.”
GAO said it reviewed 15 IT examinations and found that regulators generally reviewed institutions' policies, interviewed staff, and examined audits of information security practices. “While the largest institutions were generally examined by IT experts, medium and smaller institutions were sometimes reviewed by examiners with little or no IT training,” GAO said. “The regulators recognized that some IT training is necessary for all examiners, so each regulator had efforts under way to increase the number of their staff with IT expertise and conduct more training.”
GAO said it identified two areas for improvement:
- Data analytics. Regulators generally focused on IT systems at individual institutions but most lacked readily available information on deficiencies across the banking system, according to GAO. “Although federal internal control standards call for organizations to have relevant, reliable, and timely information on activities, regulators were not routinely collecting IT security incident reports and examination deficiencies and classifying them by category of deficiency. Having such data would better enable regulators to identify and analyze trends across institutions and use that analysis to better target areas for review at institutions.”
- Oversight authority. Bank regulators directly address the risks posed to their regulated institutions from third-party technology service providers, but the National Credit Union Administration lacks this authority. “Cyber risks affecting a depository institution can arise from weaknesses in the security practices of third parties that process information or provide other IT services to the institution. Bank regulators routinely conduct examinations of service providers' information security. Authorizing NCUA to routinely conduct such examinations could help it better ensure that the service providers for credit unions also follow sound information security practices,” GAO said.
Obtaining Information Was a 'Challenge'
The GAO noted that depository institutions obtain cyber threat information from multiple sources, including federal entities such as the Department of the Treasury. The GAO said that representatives from more than 50 financial institutions told it that obtaining adequate information on cyber threats from federal sources was challenging.
“Information viewed as most helpful for assessing threats and protecting systems included details on attacks other institutions experienced,” GAO said in the report. “To help address these needs, Treasury has various efforts under way to obtain such information and confidentially share it with other institutions. The department formed a special group that works with other law enforcement and intelligence agencies to obtain declassified information and share it with financial institutions in a series of circulars. Treasury staff also participate in Department of Homeland Security groups that monitor cyber incidents and work with a center that provides cyber threat information to thousands of financial institutions.”
In its recommendations, GAO states specifically that “Congress should consider granting NCUA authority to examine third-party technology service providers for credit unions. In addition, regulators should explore ways to better collect and analyze data on trends in IT examination findings across institutions.”