The House Science, Space and Technology Committee (the "Committee") released an interim staff report containing preliminary findings of an investigation into the cybersecurity posture of the FDIC. The Committee held a hearing titled: "Evaluating FDIC's Response to Major Data Breaches: Is the FDIC Safeguarding Consumers' Banking Information?" to explore the implications of these findings.

The majority report concluded that:

  • the FDIC Chief Information Officer created a "toxic work environment, misled Congress and retaliated against whistleblowers";
  • the FDIC "deliberately evaded Congressional oversight"; and
  • historically, the FDIC "experienced deficiencies related to its cybersecurity posture," and these deficiencies have been ongoing.

The Committee focused on a 2013 report by the FDIC Office of Inspector General ("OIG") revealing that the "FDIC computer system – even the former Chair's computer – had been hacked by a foreign government, likely the Chinese." In particular, the staff report referred to witness testimony that "former [FDIC] Chief Information Officer Russ Pittman instructed employees not to discuss or proliferate information about this foreign government penetration of the FDIC's network in order to avoid affecting the outcome of [FDIC] Chairman Gruenberg's confirmation by the U.S. Senate." According to the witness, "there was a concern that if news got out about the foreign government hack, Mr. Gruenberg's confirmation to the position of Chairman may be jeopardized."

The Committee expressed concerns about the failure of FDIC management to address cybersecurity issues and the level of the FDIC's cooperation with the Committee's inquiries. The Committee stated:

The Committee remains concerned about the FDIC's weak cybersecurity posture and its ability to prevent further breaches. Further, the FDIC's repeated unwillingness to be open and transparent with the Committee's investigation raises serious concerns about whether the agency is still attempting to shield information from production to Congress.

Responding to concerns raised by the Committee report, FDIC Chair Martin J. Gruenberg outlined the agency's responses to the security incidents, as well as to related audits by the OIG. Mr. Gruenberg explained that in the first audit, the OIG made six recommendations for FDIC controls in order to mitigate the risk of an unauthorized release of sensitive resolution plans. Mr. Gruenberg asserted that these recommendations will be "diligently complete[d]" by the end of 2016. In response to recommendations from the OIG in the audit concerning the FDIC's process for identifying and reporting major incidents, Mr. Gruenberg stated that the FDIC will finish reviewing and updating various policies and procedures by the end of September 2016. He also emphasized that the FDIC has "discontinued individuals' ability to copy information on removable media such as external hard drives, flash drives, and CDs or DVDs to prevent these types of incidents from occurring in the future."