On June 30, the FDIC announced that it updated its information technology and operations risk (IT) examination procedures to help ensure that the management teams at FDIC-supervised financial institutions effectively identify and address IT and cybersecurity risks. The newly enhanced program, the Information Technology Risk Examination (InTREx) Program, also provides a cybersecurity preparedness assessment and discloses more detailed examination results using component ratings. The program will apply to all FDIC-supervised institutions.
An assessment of the financial institution’s cybersecurity preparedness will be included on the Information Technology and Operations Risk Assessment Page of every Risk Management Report of Examination.
The InTREx Program’s features include:
- A streamlined IT Profile. The IT Profile is a questionnaire that financial institutions will complete in advance of examinations in order to give examination staff more focused insight into a financial institution’s IT environment. The IT examiner-in-charge will risk-focus the IT examination based on the responses to the IT Profile and other available information (e.g., prior examination reports, new products or services, etc.).
- A work program based on the Uniform Rating System for Information Technology (URSIT) and Core Modules for the Audit, Management, Development and Acquisition, and Support and Delivery component ratings. The Core Modules incorporate procedures to assess cybersecurity preparedness and compliance with Appendix B to Part 364 of the FDIC Rules and Regulations, the “Interagency Guidelines Establishing Information Security Standards.” The results of these assessments will be included in the Risk Management Report of Examination.
- Risk-focused examination procedures. Examiners will complete the various Core Modules, the Cybersecurity Workpaper, and the Information Security Standards Workpaper in order to assess risk and to document examination procedures, findings, and recommendations. Examiners can use expanded examination procedures for financial institutions with higher IT profiles.
- A report presentation. The report will include a summary assessment of an institution’s IT function. The Information Technology Assessment page of the report will document URSIT component ratings, examination findings, recommendations, management’s responses, timeframes for corrective action, and suggestions for improving cybersecurity preparedness and compliance with the information security standards.