How to Prepare for the FDIC’s Newly Announced Procedures for Information Technology Risk Examination

In September of 2023, the Federal Deposit Insurance Corporation (FDIC) announced updates to its Information Technology Risk Examination (InTREx) procedures. While the new FDIC procedures are intended for those performing examinations, they offer a trove of useful information for banks as well. They show which areas examiners will be focusing on. With this information in hand, banks can better prepare for their next exams.

Cybersecurity threats are ever present in our increasingly digital world. Banks are uniquely at risk due to the financial and sensitive information they possess. To help ensure that banks take the proper steps to defend themselves against digital adversaries and incursions, the FDIC decided to take action. In 2016, InTREx was released to enable auditors and examiners to review a bank’s information technology risks during safety and soundness examinations. These procedures apply to all FDIC-supervised financial institutions. In the years since its inception, the world of IT and cybersecurity has greatly evolved. The FDIC decided that InTREx needed to be updated if it was to remain effective.

According to the FDIC, the most significant updates are as follows:

  • The Audit module was reformatted so that the procedures auditors should follow are listed in subsections under the decision factors they relate to. This change was made to make things easier and more efficient for examiners. Additionally, the InTREx document was updated so that any links contained within it direct to current internet locations.
  • The Support and Delivery module was updated to incorporate the Computer Security Incident Notification Rule that went into effect on April 1, 2022. This rule stipulates that banks must notify federal regulators of any computer-security incident that reaches the level of “notification incident” within 36 hours of the incident’s discovery. The FDIC defines a “notification incident” as any incident that disrupts, degrades, or impairs a bank’s ability to conduct banking or business operations.

At the start of the InTREx update, the notification rule is listed as a resource for auditors to consider. The Support and Delivery module contains a procedure for evaluating the incident response plan, which directs the auditor to evaluate whether the plan details when to contact law enforcement, regulators, and/or customers after a breach, citing the Computer Security Incident Notification Rule as guidance. Furthermore, in the separate Management module, auditors are directed to determine whether management notifies regulators when an incident meets the thresholds set in the notification rule.

  • The final significant change to InTREx that the FDIC highlights is that the Management and Support and Delivery modules have been updated to include more specific instructions on the topic of reviewing service provider examination reports. Both modules also list new resources related to the oversight of service providers.

In the Management module, procedures include the evaluation of whether management is willing to take timely action on service provider reports. The module also requires an assessment of the oversight of service providers to prevent identity theft and other such crimes, and it includes a procedure specifically for evaluating whether a risk-based vendor management program is in place to oversee service providers. In the Support and Delivery module, auditors are tasked with determining whether service providers are included in the business impact analysis.

For more information and specific details on the Information Technology Risk Examination (InTREx) procedures, see the Financial Institution Letter.
