House Lawmakers Turn Up Heat on FDIC Over Cybersecurity
WASHINGTON—An investigation by House lawmakers turned up “significant shortfalls” in a U.S. bank regulator’s cybersecurity policies, leaving it susceptible to stolen private information and regulatory data, House Republicans said Tuesday.
Following a subcommittee hearing earlier this month on seven cybersecurity breaches at the Federal Deposit Insurance Corp., new information obtained by the House Committee on Science, Space, and Technology indicates the agency may have misrepresented cybersecurity policies, hid information from lawmakers, and has a culture of obstructing whistleblowers.
“This information raises serious concerns about whether additional data breaches have occurred without detection due to inherent weaknesses in the FDIC’s system used to monitor data breaches,” Reps. Lamar Smith (R., Texas), chairman of the House Committee on Science, Space and Technology, and Barry Loudermilk (R., Ga.), chairman of the subcommittee on oversight, wrote in a joint letter Tuesday to FDIC Chairman Martin Gruenberg seen by The Wall Street Journal.
At the earlier hearing, the agency’s chief information officer and chief privacy officer, Lawrence Gross, testified that the FDIC has a “strong information security program to identify events that could signal a data security incident.” But the committee’s GOP leaders said evidence suggests the agency doesn’t monitor current employees’ computer activities, including whether they download sensitive information on portable devices.
“This leaves important information, including personally identifiable banking information for millions of Americans and banks’ living wills vulnerable to data breaches by FDIC employees, who currently have access to sensitive information at the agency,” Mr. Loudermilk wrote, referencing bank documents that explain how a bank could go through bankruptcy without relying on taxpayer money.
The committee asked Mr. Gruenberg to testify on July 14 and sought more documents and transcribed interviews with individuals who have been involved with the agency’s production of requested materials.
A spokeswoman for the FDIC declined to comment on the letter, which wasn’t the first sent to the agency by the House committee. Last Thursday, the committee sent a letter to Mr. Gross regarding his testimony during this month’s hearing.
Since October 2015, the FDIC has disclosed to Congress seven breaches that occurred as employees left the agency, taking sensitive data with them. The incidents potentially exposed private personal information of nearly 160,000 Americans. At the May hearing, Mr. Gross testified it was a coincidence that all of the events reported to Congress in the last three months involved employees leaving the FDIC.
The inspector generals of both the Federal Reserve and the FDIC are conducting a separate investigation into leaked information tied to the results of banks so-called living wills.
Mr. Gross said the agency is taking steps to better defend itself against cyberattacks, including eliminating the use of portable storage devices like flash drives or CDs by employees. The agency is also upgrading software to better protect sensitive information and is undertaking a review of all security policies for all departing employees, he said.
Cybersecurity increasingly has been an issue for financial regulators. Earlier this month, the agency’s inspector general released a 2013 report showing that cybercriminals hacked into nearly 100 computers at the FDIC, stealing bank customers’ personal information. The breaches, which occurred between 2010 and 2011, included a dozen computers used by FDIC executives, including Sheila Bair, who was the agency’s chairwoman at the time.
The bank regulator doesn’t keep tabs on current employees, according to the committee’s investigation. That is in part because the program used to oversee such activities is “incapable” of detecting if an employee copies, downloads, or otherwise transfers encrypted FDIC information, the committee learned.
Mr. Loudermilk’s letter also echoed a criticism made by Republican lawmakers during the May 12 hearing. The FDIC, he wrote, has “repeatedly” tried to keep information from Congress, pointing to heavily redacted documents in response to the committee’s request for information. Information that was cut included identifying the employee responsible for the October 2015 security breach in Florida.
In its letter, the committee requested all documents be “preserved” to ensure a “full and complete record” could be made available in the event of future document requests. Among other things, it asked the FDIC to keep emails, electronic documents, handwritten notes, and data created since Jan. 1, 2009.
Information obtained by the committee shows the agency instructed employees “to avoid placing things in writing, including information related to the agency’s data breaches.”
“If true, these allegations raise serious concerns about whether the agency is attempting to circumvent federal records requirements, diminish the universe of information that could be responsive to congressional requests, and ultimately hide the truth from congressional overseers,” according to Mr. Loudermilk’s letter.
The committee also asked the agency to notify former employees who may have access to such electronic records to halt any practice to destroy or alter such electronic records.
The committee also requested interviews with nine employees at the agency who had been tapped to procure materials tied to the security breach. They include Roberta McInerney, deputy general counsel for consumer and legislation, Andy Jiminez, director of legislative affairs, and Roderick Toms, acting chief information security officer, information security and privacy staff.