Regulators Need to Enhance Cyber Risk Detection, GAO Says

Bank regulators should improve their collection of data on information security incidents at financial institutions and facilitate better information-gathering about industrywide cyber threats, the U.S. Government Accountability Office said Thursday.

The GAO report said although examiners have focused on the information technology systems at individual institutions, most regulators "lacked readily available information on deficiencies across the banking system."

Collecting data on security incidents and examination deficiencies "would better enable regulators to identify and analyze trends across institutions and use that analysis to better target areas for review at institutions," the report said.

The report also specifically called on Congress to authorize the National Credit Union Administration to examine credit unions' third-party technology providers.

The study comes at a time when regulators are intensifying their focus on financial institutions' readiness for cyber-attacks. Earlier this week, the Federal Financial Institutions Examination Council unveiled a guided assessment "tool" for banks and other institutions to gauge their cyber threat and level of readiness.

The GAO said regulators' current risk-based approach to examining institutions for information security flaws could be improved to analyze problems across multiple institutions.

Institution-specific examinations by regulators varied in terms of scrutiny based on the size of the institution and their past performance, the report said. While the largest banks were examined by IT experts, smaller institutions at times were reviewed by examiners with little to no background in IT.

The GAO said that the regulators acknowledged the need for improved IT expertise among staff and had already taken corrective steps. Still, the GAO stressed that having industrywide data would allow regulators to spot trends, which could then lead to more targeted reviews at banks and credit unions.

In responses, officials with the Treasury Department as well as the financial services regulators generally reacted positively to the report and said they were already taking steps to improve monitoring of cyber threats.

Comptroller of the Currency Thomas Curry said in a June 15 letter that the new "cybersecurity assessment tool" will provide his agency "with a repeatable and measurable process for assessing both the level of risk and the maturity of risk management processes within and across … institutions."

For reprint and licensing requests for this article, click here.
Law and regulation Bank technology Cyber security
MORE FROM AMERICAN BANKER