FDIC Issues Audit Report on Financial Institutions’ Oversight of TSPs
The FDIC’s Information Technology Risk Management Program (IT-RMP), used by FDIC examiners in the examination process of financial institutions, will be looking more closely at the way financial institutions choose, oversee, and document their technology service providers and how those technology service providers protect sensitive customer information, according to a new audit report from the FDIC’s Office of Inspector General (OIG).Last year more than half of the 213 information security breaches reported by financial institutions to the FDIC involved technology service providers (TSP). These breaches included TSPs providing services to institutions for Internet banking, debit and credit cards, ATMs and network operating systems. This finding was in the audit report issued last week by the OIG; the report recommended that the FDIC revise its IT-RMP guidance so that examiners sufficiently assess financial institution compliance with guidelines on the oversight of TSPs.
The Office of the Inspector General’s audit report sampled 12 IT-RMP examinations from 2006, and they showed that the financial institutions provided at least some coverage of the key controls in the interagency guidelines. But the documentation for 10 of the 12 didn’t have enough written support showing examiners had fully assessed the institutions’ compliance with interagency guidelines the oversight of the TSP protection of sensitive customer information.
The audit report recommended the FDIC take action on two things: revise the IT-RMP guidance to make sure that examiners are adequately assessing financial institution compliance with the TSP guidelines; and that the FDIC reemphasize need for examiners to clearly document their decisions and supporting logic for their approach used in assessing compliance with the TSP interagency guidelines.
The interagency guidelines referred to are Part 364 of the FDIC’s Rule and Regulations, and notes “that each bank shall exercise due diligence in selecting TSPs and have contractual agreements with their TSPs that require appropriate measures to safeguard customer information, and also provide ongoing monitoring of TSPs to ensure they have satisfied their contractual obligations.â€
The FDIC Division of Supervision and Consumer Protection’s (DSC) response to the audit report is included in the report, and further action by the DSC on the findings will be issued by March 30. Click to the report: https://www.bankinfosecurity.com/regulations.php?reg_id=403.