WASHINGTON – Federal Deposit Insurance Corp. Chairman Martin Gruenberg was contrite during a House cybersecurity hearing Thursday, acknowledging that the agency failed to protect key bank data.
The hearing by the House Committee on Science, Space, and Technology is likely to be contentious, as Republican lawmakers fiercely criticized the FDIC in a report released Wednesday.
But in his opening testimony, Gruenberg sought to defuse some of the criticism by admitting mistakes, including that the agency failed to protect living-will data from a departing employee who had previously displayed troubling behavior. The employee, revealed by American Banker sources as Allison Aytes, resigned from the agency in September and took off with several systemically important institutions' resolution plans, downloaded on a portable media device.
"The FDIC controls intended to protect resolution plans did not work with regard to the incident in question," Gruenberg said. "This is a serious matter that must be addressed so that it does not happen again."
Gruenberg said that the agency had ended the use of removable media, including external hard drives, flash drives or CDs, "to prevent these types of incidents from occurring in the future." Exceptions were made for Government Accountability Office employees, Office of Inspector General staff, and some members of the FDIC's legal team, he said.
Gruenberg also pledged that the agency would comply with a set of recommendations made by its inspector general in a pair of stinging reports last week.
"An effective FDIC information security and privacy program is critical to our mission of maintaining stability and public confidence in the nation's financial system," Gruenberg said. "We concur with the OIG's findings and recommendations, and expect to complete implementation of all of our responsive actions by the end of 2016."
Gruenberg also addressed a series of cyberattacks that have been linked to Chinese hackers in an FDIC memo. The attacks, which began in 2010, infected the computer of then-Chairwoman Sheila Bair, among other officials.
But at the time the attacks were revealed, the FDIC's information technology team failed to "fully inform" Gruenberg of the gravity of the incident, as the agency's inspector general found in an earlier investigation.
In response to the report, the FDIC hired an independent cybersecurity firm and made "personnel changes," Gruenberg said.
Gruenberg also acknowledged that one 2015 incident – where a departing employee downloaded tens of thousands of pieces of personally identifiable information on U.S. taxpayers onto a flash drive – had been wrongly categorized by the agency.
The FDIC, he said, failed to report it to Congress as a "major" incident.
"In retrospect, and in light of the OIG's report findings, we should not have considered what we believed to be mitigating factors" in determining the incident's level of gravity, he said.
Gruenberg also said the agency would move forward with an "insider threat" program that was initiated in 2014 but never implemented.
The program, he added, was developed by "executive-level" FDIC officials and rolled out through a policy statement by Oct. 28.