Federal Deposit Insurance Corporation
Office of Inspector General
Federal Deposit Insurance Corporation - Office of Inspector General

Statement of Acting IG Before the Committee on Science, Space, and Technology Subcommittee on Oversight, U.S. House of Representatives on Cybersecurity Incidents at the FDIC

This is the accessible text file for FDIC OIG Testimony Before the Committee on Science, Space, and Technology, U.S. House of Representatives on May 12, 2016

This text file was formatted by the FDIC OIG to be accessible to users with visual impairments.

We have maintained the structural and data integrity of the original printed product in this text file to the extent possbile. Accessibility features, such as descriptions of tables, footnotes, and the text of the Corporation’s comments, are provided but may not exactly duplicate the presentation or format of the printed version.

The portable document format (PDF) file also posted on our Web site is an exact electronic replica of the printed version.

Testimony

Before the Committee on Science, Space, and Technology Subcommittee on Oversight

U.S. House of Representatives

Cybersecurity Incidents at the Federal Deposit Insurance Corporation

Statement of Fred W. Gibson, Jr. Acting Inspector General Federal Deposit Insurance Corporation

May 12, 2016

Statement of Fred W. Gibson, Jr. Acting Inspector General, Federal Deposit Insurance Corporation

May 12, 2016

House Committee on Science, Space, and Technology Subcommittee on Oversight

Chairman Loudermilk, Ranking Member Beyer, and Members of the Subcommittee,

Thank you for the invitation to speak with the Subcommittee on Oversight today regarding recent cybersecurity incidents at the Federal Deposit Insurance Corporation (FDIC).

The federal government has seen a marked increase in the number of information security incidents affecting the integrity, confidentiality, and availability of government information, systems, and services. We share the Committee’s view that the FDIC needs to ensure that it has proper controls in place to protect the highly sensitive information that it possesses in both its corporate and receivership capacities.

To that end, the FDIC’s Office of Inspector General (OIG) carries out two primary functions that have relevance to the subject matter of today’s hearing. The first is to audit and evaluate the FDIC’s programs and operations, including controls designed to safeguard the Corporation’s data and address and report breaches when they occur. The second function is to investigate suspected criminal activity, including breach incidents where the case‐specific facts lead us to believe that a crime may have occurred.

With respect to our first role, we are currently conducting two relevant audits that we anticipate will be completed in the near future. The first one is examining the FDIC's process for identifying and reporting major security incidents, as required by applicable federal law and related guidance. The second audit is addressing the FDIC’s controls for mitigating the risk of an unauthorized release of sensitive resolution plans submitted by systemically important financial institutions. Because our work is ongoing, I will not be able to discuss conclusions or recommendations that we may offer when these two audits are completed.

However, as you are aware, on February 19, 2016, during the planning phase of the first of our audits, we issued a memorandum to the FDIC’s Chief Information Officer regarding a specific security incident warranting Congressional reporting. Information in that memorandum, although marked privileged and for official use only, became public. I can confirm that in the memorandum, the OIG concluded that the Corporation was required under the Federal Information Security Modernization Act of 2014 and related guidance issued by the Office of Management and Budget (OMB Memorandum M‐16‐03) to report the security breach as a “major incident” to the appropriate Congressional committees. The FDIC ultimately reported the major incident to the appropriate Congressional committees.

With respect to our criminal investigative function, the FDIC OIG participates as a non‐voting member on the FDIC’s Data Breach Management Team (DBMT) for awareness purposes. The DBMT, as its name implies, reviews data breach incidents. Where the facts of a particular incident, which we learn of through our participation in the DBMT or from other sources, appear to point to a crime having been committed, we open an investigation. If the results of our investigation warrant, we make referrals to the Department of Justice. Unfortunately, I cannot discuss the details of open criminal investigations related to such breaches at the FDIC with you today.

I would emphasize that because the facts and circumstances of security incidents vary, grounds do not always exist for pursuing a criminal investigation. Where that threshold is not met, the responsibility lies with the FDIC to pursue the civil and administrative remedies that it deems appropriate.

Thank you again for the opportunity to speak with you today and for understanding the limits on what I am able to discuss at this time. I will be happy to answer any questions.

Print Print
Close