FDIC boosts examinations for Cybersecurity

On July 1, 2016, the Federal Deposit Insurance Corporation (FDIC) updated its information technology and operations risk (IT) examination procedures. By implementing the Information Technology Risk Examination (InTREx) program, the FDIC now has an enhanced, risk-based approach for performing IT examinations and helps to ensure that IT and cybersecurity risks are identified and addressed effectively by financial institution management.

As part of the InTREx Program, the FDIC implemented a more effective Information Technology Profile (ITP) that replaced the previous IT Officer’s Questionnaire. This shortened questionnaire allows the IT examiner to focus on emerging risks and technologies for each financial institution, and to rank these risks accordingly. The following are key points of the updated program.

InTREx Program Overview

  • The ITP replaced the IT Officer’s Questionnaire (ITOQ) and includes 65 percent fewer questions.
  • Ninety days prior to the IT examination, financial institutions will receive the ITP questionnaire to be completed and returned to the FDIC.
  • The ITP pre-exam phase includes the following six sections:
    ◦ Core Processing (four questions)
    ◦ Network (six questions)
    ◦ Online Banking (four questions)
    ◦ Development and Programming (one question)
    ◦ Software and Services (two questions)
    ◦ Other (nine questions)

  • The onsite program uses the Uniform Rating System for Information Technology (URSIT) and includes component audit ratings for the following Core Modules:
    ◦ Audit
    ◦ Management
    ◦ Development and Acquisition
    ◦ Support and Delivery

  • Cybersecurity and GLBA Information Security Standards are assessed throughout the Core Modules.
  • Examiners will assign a 1 to 5 rating score to each component, and then assign an overall composite score.

Based on the completed ITP, the IT examiner takes a risk-based approach to the examination. At least 45 days prior to the examination, a request list based on the results of the ITP will be sent to the institution. The institution then prepares the requested items, and the examiners proceed with the IT audit. The results of the procedures noted above are included in the Risk Management Report of Examination.

This new format is designed to allow for a more granular assessment. It requires the examiner to perform a deeper analysis of each area, which in turn places a greater burden on the financial institution. Proper documentation is critical, now more than ever, to receiving a satisfactory score. Financial institutions should review the InTREx Program before the FDIC provides it to ensure that supporting documentation is formally in place, especially for those items within the procedures that are marked “Control Test” or “Cyber.”

Overall, the InTREx Program should permit a more consistent examination experience for financial institutions by removing the subjectivity of examiner interpretation, and should provide banks with more meaningful examination results.

Carl Cadregari is an executive vice president based out of our Rochester, NY office.