A deep dive into the Federal Deposit Insurance Corp.’s (FDIC) Office of Inspector General’s latest audit and report on the agency reveals key risks to banks:
They face threats from cyberattacks and from vulnerabilities in third-party relationships. As the number of problem banks remains elevated, the FDIC is also facing the prospect of skilled examiners with IT expertise — the very experts who uncover those risks — walking out the door.
The 191-page report, released Thursday (March 20), took note of the fact that in the latest fiscal year, which ended in September, the number of “problem institutions” for “safety and soundness” concerns stood at 66, with total assets on hand of $87.3 billion. Those figures are up sharply from the 44 similarly defined institutions with $54.5 billion in assets seen in the previous year.
Banks are placed on this list when a range of issues are identified, including operational risks. As can be seen in the examination guidelines, which exist as a separate document, information technology, anti-money laundering (AML) compliance and other technological processes are sources of information in measuring an examined bank’s safety and soundness.
Elsewhere in the audit, the FDIC examiners made supervisory recommendations — including matters requiring banks’ board attention — in 104 cases tied to risk management and 90 cases tied to information technology.
“IT examinations identify areas in which a financial institution is exposed to IT and cyber-related risks and evaluate bank management’s ability to identify these risks and maintain appropriate compensating controls,” the report stated.
Looming Staffing Shortage?
But there are pressures looming: “Currently the FDIC faces risks in ensuring that it has examiners with the requisite skillsets to perform IT examinations using existing examination procedures.”
Call it a staffing shortage on the horizon. The audit detailed that a total of 53% of examiners classified as “advanced IT subject matter experts were eligible to retire in 2024 with retirement eligibility rising to 63% for this population in 2028.” Those examiners qualified as having “intermediate IT expertise” have commensurate retirement eligibility rates of 16% last year and 27% in 2028.
“Accurate assessment of IT risks is important as it may affect a bank’s safety and soundness rating, which impacts the FDIC’s supervisory strategies,” the report said. “It is critical that the FDIC maps the interconnections of banks and their third parties to understand and examine potential operational points of failure and possible cyber intrusion and contagion.”
There are several cases, said the auditors, where multiple banks rely on the same third parties, and “an operational issue at one such third party has the potential to affect many banks.” PYMNTS Intelligence has tracked the rising wave of bank-FinTech collaborations, where roughly two-thirds of financial institutions have struck partnerships with the digital-only players.
The “increasing use of third-party service providers for compliance with Bank Secrecy Act (BSA) and Anti Money Laundering (AML) and sanctions requirements may require different examination processes or examiners with different skillsets,” said the report.
Separate PYMNTS data indicates that about 40% of banks have indicated growing losses as a result of fraudulent transactions. A report last summer by the OCC indicated that 11 of the 22 large banks it oversees have “insufficient” or “weak” management of so-called operational risk, including cyberattacks.
Even the federal agencies, including those tasked with financial system oversight, are not immune to these pressures. The audit stated that more than information security incidents were reported by federal agencies in Fiscal Year 2023 (the most recently reported year), which was a 9.9% increase from the previous year.
The inspector’s findings also stated: “Although the FDIC and other banking regulators had identified risks with banks’ involvement in crypto-asset activities, the FDIC had not conducted risk assessments to determine the significance of crypto-asset activity risks. Moreover, the FDIC’s process for providing supervisory feedback to FDIC-supervised institutions’ crypto-related activities was unclear.”
The post Inspector General Report Points to Banks’ Cybersecurity Risks and Dwindling FDIC ‘IT Expertise’ appeared first on PYMNTS.com.