Feds’ Data About Failed Banks, Deposit Insurance Rates At Risk

While the public is used to hearing about Wall Street lobbyists’ siege on financial regulators, a government watchdog has warned the Federal Deposit Insurance Corporation that its lax operational security has for years left it vulnerable to attacks by other malicious actors—especially those from within.

Deficiencies in the federal retail deposit backer’s computer systems have long put sensitive, market-moving information at risk, the Government Accountability Office warned in a report published Thursday.

Particularly vulnerable, it said, is information about collapsed and moribund banks. The corporation isn’t required to record who has viewed marketing strategies of wound-up banks’ assets, and uses an application that holds “loan data for failing financial institution,” which did not reliably “recertify account access.”

The GAO called on the prudential regulator and its chair, Martin Gruenberg, to log access to the system in question through “Executive Action.”

It also directly called on Gruenberg to apply physical access policies to backup data centers, and made five recommendations about sensitive vulnerabilities “with limited distribution.”

The GAO said that improved documentation and internal communications can lower the risk of unnoticed “malicious activity” or the possibility of investigators lacking crucial data after an attack.

In addition to maintaining insufficient oversight over the aforementioned bankruptcy data, the watchdogs also said that three financial processing servers were failing “to transmit security logs to a central system”–an issue that GAO officials have complained about since the end of December 2013.

GAO investigators also said Thursday that previous suggestions the organization has made have gone unheeded, including incomplete efforts “to address our prior recommendation to apply patches to remediate known vulnerabilities in third-party software.”

“Background reinvestigations” for low-ranking officials also continue to not be performed, despite the fact that GAO raised the issue last year. The FDIC will not be ready to perform them until April 2016.

GAO investigators also found that FDIC managers had failed to carry out a “prior-year recommendation” to ensure the immediate termination of network access for workers who leave the corporation.

“Until FDIC takes further steps to mitigate these weaknesses, the corporation’s sensitive financial information and resources will remain unnecessarily exposed to increased risk of inadvertent or deliberate misuse,” the investigation found.

The investigation was overall laudatory of the FDIC, saying it has acted on most past recommendations and that GAO officials do not “consider these weaknesses individually or collectively to be either a material weakness or a significant deficiency for financial reporting purposes.”

But Thursday’s report painted a picture of an agency that has struggled to cope with a world that increasingly exists online. While in 2010 and 2012, it had successfully implemented within a year all but one of the information security recommendations made by GAO, the FDIC left nine items incomplete during each of the past two years.

“Although FDIC had implemented numerous controls in these areas, weaknesses continue to challenge the corporation in ensuring the confidentiality, integrity, and availability of its information and information systems,” the GAO said.

It also found that at the time of its most recent review, there were four “high-risk items” among 25 “remedial action plans….past their expected closure dates by between about 2 weeks and 10 months.”

The type of sensitive information that the FDIC holds beyond material relevant to failed institutions, the GAO notes, includes “a system to calculate and collect FDIC deposit insurance premiums…from insured financial institutions” and “computer programs used to derive the corporation’s estimate of losses from shared loss agreements.”

Because of the weak controls on access, “there is an increased risk that individuals who no longer need access to information systems could accidentally or intentionally damage critical resources,” the watchdog warned–perhaps music to the ears of an investor looking for any advantage, legal or not.

Last December, Congress passed a law that could make information held by the FDIC more valuable. The measure in question allows Wall Street banks to finance certain types of derivatives trades with publicly-insured retail deposits.


Since 2010, Sam Knight's work has appeared in Truthout, Washington Monthly, Salon, Mondoweiss, Alternet, In These Times, The Reykjavik Grapevine and The Nation. In 2012, he worked as a producer for The Alyona Show on RT. He has written extensively about political movements that emerged in Iceland after the 2008 financial collapse, and is currently working on a book about the subject.
