FDIC Promises to 'Adjust' Cybersecurity Controls

WASHINGTON — In the midst of a monthslong congressional inquiry into its cybersecurity practices, the Federal Deposit Insurance Corp. has issued a public statement outlining a slate of new data protection measures.

"Information security is critical to the FDIC's ability to carry out its mission of maintaining stability and public confidence in the nation's financial system," the agency said in a new web page published Friday. "The FDIC will remain alert and continue to adjust our security controls in light of the changing threat landscape."

In the post, the FDIC lists a series of new efforts, including the expansion of multifactor authentication; a ban on downloads onto CDs, DVDs and thumb drives; and new controls on documents sent to the printer.

The agency also said it had taken steps to join a Department of Homeland Security data monitoring program for federal agencies called Einstein. The $3 billion system helps detect breaches as they occur and protect agencies, while pooling data on the attacks.

The FDIC's cybersecurity troubles were made public after it disclosed a series of cybersecurity breaches to Congress, all of which involved former employees who had downloaded sensitive software onto a thumb drive.

After charging that the FDIC had failed to notify Congress of the incidents fast enough, a group of lawmakers in the House Science, Space and Technology Committee launched an investigation into the agency's cybersecurity practices.

In the course of their probe, lawmakers publicly revealed the FDIC had been subject in 2010 to a malware attack believed to have originated from China.

The hackers eventually managed to infiltrate the workstation of former FDIC Chair Sheila Bair, among other top officials.

In at least one other incident, a former FDIC employee took off with portions of the living wills of several systemically important financial institutions.

Testifying to the committee in July, FDIC Chairman Martin Gruenberg acknowledged that the agency "failed to provide adequate context when reporting to Congress" on one breach in which a departing employee stole a trove of data that included tens of thousands of customer records.

"An effective FDIC information security and privacy program is critical to our mission of maintaining stability and public confidence in the nation's financial system," Gruenberg said in prepared remarks to the panel.

An FDIC spokeswoman said the agency is committed to "protecting sensitive information and is seeking to ensure the public is aware of the steps we are taking on cybersecurity."
