WASHINGTON – U.S. House Science, Space, and Technology Committee Chairman Lamar Smith (R-Texas) and Oversight Subcommittee Chairman Barry Loudermilk (R-Ga.) today sent a letter to Federal Deposit Insurance Corporation (FDIC) Chairman Martin Gruenberg, requesting an explanation of actions Chairman Gruenberg will immediately take to fulfill his commitment to report incidents in a timely manner to the committee. Today’s request follows a notification from Chairman Gruenberg about an additional breach, involving the compromise of over 400 FDIC employees’ documents, including 27 Office of Inspector General (OIG) field agents, due to improper permissions set for the agency’s “Search+” tool. All FDIC employees and contractors were able to view these individuals’ materials, including Suspicious Activity Reports, Grand Jury materials, ongoing OIG investigative materials, and OIG deliberative materials. The FDIC learned about this breach as early as Aug. 9, but did not notify Congress of the breach for over two months.
“This recent incident, coupled with the agency’s slow-moving response, raises significant concerns about confusion at the FDIC on how to manage cybersecurity incidents, as well as a lack of leadership within the agency on cybersecurity issues,” today’s letter states.
The committee is concerned that the FDIC’s Data Breach Management Team (DBMT) chose not to classify this incident as major, thereby not triggering a formal notification to Congress. It appears that the FDIC never intended to inform Congress of the incident. This is not the first time the FDIC has decided to conceal a breach from Congress or has failed to report a breach to Congress in a timely manner.
“The FDIC’s lackluster response to cybersecurity incidents, evidenced by its response thus far to the “Search+” breach, raises significant questions about the FDIC’s cybersecurity posture as a whole under your leadership, as well as your testimony before the Committee during its July 14, 2016, hearing,” the letter continues.
The committee expects Chairman Gruenberg to follow through on the commitments he made under oath to the committee to enact substantive changes to the cybersecurity culture at the FDIC and to ensure that incidents are reported to Congress in a timely manner.
Background
On August 30, the committee sent a letter, along with the House Financial Services Oversight Subcommittee, on an advanced persistent threat at the FDIC, dating back to 2010.
On July 14 the committee held a hearing titled “Evaluating FDIC’s Response to Major Data Breaches: Is the FDIC Safeguarding Consumers’ Banking Information?” At the hearing Chairman Gruenberg testified that the FDIC is incorporating policies and procedures to ensure that any incidents are reported in a timely manner.
On July 13, the committee released an interim report on FDIC cybersecurity.
On May 24, Chairmen Smith and Loudermilk sent a letter to the FDIC requesting transcribed interviews of nine FDIC employees, following the FDIC’s discreditable performance at the Oversight Subcommittee’s May 12 hearing and the agency’s obstruction and concealment of facts and documents.
On May 19, Chairmen Smith and Loudermilk sent a letter to the FDIC outlining numerous inconsistencies in CIO Larry Gross’s testimony at the May 12 hearing.
On May 10, allegations of the FDIC withholding documents led Chairman Smith to write a letter to the IG requesting all documents not produced.
On April 20, Chairman Smith wrote to the FDIC requesting information related to unreported breaches.
On April 8, Chairman Smith sent a letter to FDIC Chairman Martin Gruenberg requesting documents, information, and a briefing from the agency after noticing anomalies in FDIC’s annual FISMA report.