House Republicans Blast FDIC's Gruenberg Over Cyber Lapses

WASHINGTON — House Republicans raked Federal Deposit Insurance Corp. Chairman Martin Gruenberg over the coals during a hearing on Thursday, repeatedly calling into question his knowledge of the agency's cybersecurity problems and the handling of them.

Rep. Lamar Smith, R-Texas, the chairman of the House Science, Space, and Technology Committee, reiterated allegations that the FDIC has not been forthright with Congress about a 2015 incident in which a former employee in Florida took data containing tens of thousands of customer records.

"This has been the overreaching theme of the committee's dealings with the FDIC," he said. "We're not getting the whole story."

Gruenberg acknowledged the accusations in his testimony, saying that "we also failed to provide adequate context when reporting to Congress on the Florida incident and should have notified the potentially affected individuals when the notice to Congress was given in February."

The committee also accused the FDIC of covering up a cyberattack believed to have originated in China in order to secure Gruenberg's confirmation as chairman.

"Are you aware that [an] FDIC employee attempted to cover up that a foreign nation hacked into the FDIC's system in an effort not to jeopardize your confirmation as chairman by the U.S. Senate?" asked Rep. Gary Palmer, R-Ala.

Gruenberg replied that he had only learned of the allegation from a report released by the committee on Wednesday.

Lawmakers also attacked FDIC Chief Information Officer Lawrence Gross for allegedly misleading the committee when he testified in May. During the hearing, Gross said the former employee who took the data did not purposely steal it, but was not technically proficient.

The committee later revealed that the former employee held a master's degree in information technology.

"I don't know if he intended to lie to Congress, but what he said was not true and he knew it wasn't true," said Rep. Barry Loudermilk, R-Ga.

Gruenberg repeatedly defended Gross' intentions. "He may have gotten it wrong," the chairman said, but "I don't know that he was aware of that at the time."

Members of the panel also said Gross had been accused by several current and former FDIC employees of making wrongheaded cybersecurity decisions and retaliating against those who disagreed with him.

"It is clear that CIO Larry Gross is fast tracking a number of initiatives," said Rep. Randy Neugebauer, R-Texas. But, he added, "it appears that some of these initiatives … are not the fixes needed."

Lawmakers were particularly skeptical about Gross' plan to replace desktop computers of FDIC employees with laptops — a move that could cost upward of $5 million, according to the committee's investigation.

"I would think that you would want to make it more difficult for employees to take data out," Loudermilk said. "Maybe you should invest in a set of chains and locks instead of laptops."

Gruenberg said the plan could ensure that teleworking employees would be operating on a more secure device.

"The use of laptops will enhance both the mobility and continuity challenge," the FDIC chairman said. "Government-furnished equipment such as a laptop may be a more secure way to achieve that."

Lawmakers also questioned the independence of the agency's chief information security officer position, which is currently unfilled. In its report, the committee accused Gross of pushing out former Chief Information Security Officer Chris Farrow because of disagreements over the laptop plan.

The Office of Inspector General is conducting an inquiry into the information security chief's independence in the agency.

"We believe that the chief information security officer as a matter of principle should be in a position to speak up," said Fred Gibson, the acting inspector general, who also testified at the hearing. Gibson added that his office would assess whether "it's a position that should be organizationally and from a governance standpoint be separated so that there's a degree of independence."

Asked if any of the breaches investigated by the committee could lead to criminal charges, Gibson responded that his agency was still investigating them.

"We also have open criminal investigations relating to several of these matters, which have not reached a stage where further public discussion would be appropriate," he said.
