FDIC Chairman Martin Gruenberg has said the U.S. Federal Deposit Insurance Corporation is updating its cybersecurity policies after a 2015 data breach in which a former employee kept copies of sensitive information on how banks would handle bankruptcy. Gruenberg was describing the state of information security at the FDIC.
Gruenberg made the statement today in prepared testimony for a hearing of the U.S. House of Representatives Committee on Science, Space, and Technology. On Wednesday the Committee said in a report that the FDIC had covered up hacks from 2010-2011, which the panel said also occurred in 2013 and were likely orchestrated by the Chinese government.
Gruenberg said that on September 29, 2015, the FDIC had determined, through its data loss prevention (DLP) software, that an employee who had previously worked for the FDIC’s Office of Complex Financial Institutions (OCFI) had transferred copies of sensitive resolution plans from the internal network onto an unencrypted removable storage device – in this case, a thumb drive.
The former FDIC employee had copied a large quantity of sensitive FDIC information, including personally identifiable information of bank customers, to the removable media, and took the information when he left the FDIC on October 15, 2015.
This activity violated OCFI policy, which prohibits the storage of resolution plans on removable media, and occurred immediately before the employee’s resignation.
The FDIC notified the Office of Inspector General (OIG) of the incident on September 29, and law enforcement officials later recovered the thumb drive containing the resolution plans, as well as a non-public executive summary of a resolution plan, from the former employee.
On November 19, 2015, and December 2, 2015, the FDIC said it “had contact” with the employee who was initially resistant but ultimately returned the device on December 8, 2015.
During this time period, on October 30, 2015, OMB issued its Memorandum M-16-03, which provides federal agencies with guidance on the reporting of “major incidents.” Although OMB Memorandum M-16-03 was received after the incident occurred, the guidance nonetheless was considered and applied as part of the FDIC’s ongoing response to the incident.
In initially assessing the application of this new guidance, and consistent with existing FDIC policy and procedure, the CIO considered the incident’s risk of harm and reached the conclusion that although it was a breach, it did not rise to the level of a “major incident.”
As a result of this incident, the OIG commenced an audit, the objectives of which were to determine the factors that contributed to this security incident and to assess the adequacy of mitigating controls established following the incident.
The OIG report notes that FDIC incident response policies, procedures, and guidelines did not address major incidents, and recommends that the CIO revise the FDIC’s incident response policies, procedures, and guidelines to address them. The report also found that:
- The FDIC’s DLP tool can be better leveraged to identify major incidents.
- The FDIC did not properly apply OMB guidelines in its evaluation and reporting of the Florida Incident.
- The FDIC congressional notifications did not accurately portray the extent of risk associated with the Florida Incident.
- The management of incident investigative records and related documentation needs improvement.
To Establish Insider Threat Program
According to Gruenberg, in 2014 and 2015, the FDIC began to take steps toward establishing a formal insider threat program by developing draft governance, policy, and procedures, and by initiating interdivisional discussions on the topic. However, as of October 2015, the insider threat program had not been implemented.
The OIG recommended that the FDIC establish an agency-wide insider threat program that is consistent with NIST-recommended practices and applicable laws, executive orders, national strategies, directives, regulations, policies, standards, and guidelines.
“In response, we have committed to fully implement such an insider threat program, building significantly on certain elements that are already in place,” said Gruenberg.
“A team of executive-level staff will finalize the FDIC’s insider threat program policy statement and governance structure by October 28, 2016; an insider threat working group is being established to carry out the program by October 28, 2016; and appropriate employee awareness and training efforts will be completed by December 30, 2016.”