FILE: Martin Gruenberg, chairman of the Federal Deposit Insurance Corp. (FDIC), speaks at the agency’s 2012 open board meeting in Washington. Photo: Rich Clement/Bloomberg

Americans don’t worry about the protection of their bank accounts because the Federal Deposit Insurance Corp. (FDIC) inspires confidence. Unfortunately, FDIC doesn’t do the same when it comes to protecting sensitive agency data.

Even in the context of a plethora of cyber breaches in and out of government and taking into account the partisan tinge at a House hearing Thursday, FDIC seemed an unsteady guardian of critical information. It didn’t help when FDIC’s boss couldn’t even say if the agency has an employee handbook.

FDIC insures bank accounts, meaning individual deposits are safe, up to $250,000, even if a bank closes. It also examines financial institutions for “safety and soundness and consumer protection.” Yet, it has failed to protect its own information.

Stories of cyber breaches and agency stumbling dominated the latest in a series of House Science, Space and Technology Committee hearings. Summing up the situation, Chairman Lamar Smith (R-Tex.) said “the FDIC has historically experienced deficiencies related to its cybersecurity posture, and those deficiencies continue to be present.”

The committee’s majority Republicans issued a critical report this week that asked: “Is the FDIC Safeguarding Consumers’ Banking Information?” If the answer had been yes, they wouldn’t have released the report.

While Republicans seemed intent on demonstrating that the agency and its chief information officer (CIO) had deliberately misled, if not lied to Congress, Democrats also were critical of the agency’s response to its many troubles.

“The agency failed to notify Congress of seven major data breaches within the seven-day timeframe that OMB (Office of Management and Budget) requires from October 2015 through February 2016,” said Rep. Eddie Bernice Johnson (D-Tex.), the top Democrat on the panel.
She cited testimony in May from CIO Lawrence Gross, whom she said described the breaches as “inadvertent” and without “malicious intent,” then noted evidence gathered by the FDIC inspector general’s office that “clearly shows that in at least one of the seven breaches the data was not taken accidentally.”

“I think it’s fair to say that our May hearing yielded bipartisan agreement that the FDIC’s interpretation of the OMB guidance was flawed,” she said. “It is also clear that FDIC did not initially provide all documents responsive to the Committee’s requests.”

So Thursday was a day for FDIC damage control. Unfortunately, there is so much damage that FDIC Chairman Martin Gruenberg could not control it all. In fact, he added to it with responses that did not project certitude.

He tried to paint an improving picture, saying “an effective FDIC information security and privacy program is critical to our mission of maintaining stability and public confidence in the nation’s financial system.” He outlined a “cybersecurity framework” with five prongs: identify, protect, detect, respond, and recover. It sounded right, yet had the ring of cliché compared to problems, certainly not all of FDIC’s doing, that plague the agency’s cybersecurity efforts.