GAO sees room for improvement in bank cyber security exams
July 2, 2015
U.S. banking regulators must hire and train more examiners with technology expertise so they can give more useful cyber security recommendations to small and mid-sized banks, a federal watchdog agency has warned.
A new report from the U.S. Government Accountability Office identified the issue as one of several that banking regulators need to address as cyber security threats become more prevalent and sophisticated.
For example, the names, addresses, phone numbers and email addresses of some 83 million household and small business account holders were exposed last year when computer systems at JPMorgan Chase & Co were compromised by hackers, one of the biggest data breaches in history.
Multiple U.S. regulators, including the Federal Deposit Insurance Corporation (FDIC) and the Federal Reserve, examine banks and other financial institutions that take deposits. Examiners' findings may include how the institutions can improve their cyber security practices.
Each of the regulators employs dozens of examiners with specialized technology expertise, but typically assigns those examiners to the largest banking institutions, the GAO said.
Examiners with "little to no" information technology expertise generally examine small and mid-sized banks. Their findings may not be as "specific or useful" as those from more experienced counterparts, the GAO said.
The various regulators have been trying to improve their oversight of bank technology, the GAO noted. For example, the FDIC imposed a four-course training requirement for examiners in 2010 to boost their technology know-how. Three-quarters of examiners had completed between one and three courses as of the end of 2014.
Among the GAO's other concerns: regulators are not collecting and storing technology exam findings in a way that makes it easy to search for industry-wide trends.
The regulators, in letters to the GAO, said they are ramping up their systems for categorizing the data.
Many U.S. credit unions are also vulnerable to cyber threats from outside vendors that help run their businesses because their overseer, the National Credit Union Administration (NCUA), lacks authority to review the technology practices of those companies, the GAO said.
The GAO has long been pushing to expand the NCUA's authority. But credit unions themselves and their vendors have been resistant to the idea, calling it a regulatory overreach.
The NCUA is the only federal banking regulator that does not have the power to examine third-party vendors, which range from large companies such as Fiserv or Diebold, to small companies that only serve credit unions.