The Federal Deposit Insurance Corporation is making good on its pledge to strengthen its cybersecurity after a series of publicized data breaches.
The agency stopped employees from copying information onto removable hardware, expanded the use of multifactor authentication, and is currently working with Booz Allen Hamilton on an “end-to-end assessment of the FDIC IT security and privacy programs.”
“Information security is critical to the FDIC’s ability to carry out its mission of maintaining stability and public confidence in the nation’s financial system,” the agency stated in a recent online update. “The FDIC will remain alert and continue to adjust our security controls in light of the changing threat landscape.”
FDIC drew criticism earlier this summer after it revealed five “low risk” incidents, in which outgoing employees downloaded customer data to their own removable devices.
At the time of the announcement FDIC promised an end-to-end assessment, as well as a 60-day review, including the implementation of digital rights management software.
An FDIC spokesperson said the agency was exploring the use of DRM technology, which would allow FDIC to know if information removed from its system is ever copied.
“The FDIC has been exploring the use of DRM technology to better protect unstructured information from unauthorized access,” the spokesperson said. “If implemented, DRM would be implemented initially on a small scale to pilot the technology, and expanded and adjusted as we have more experience with the technology. If DRM is implemented, we would ensure it is integrated well with other information protection technologies that already exist at the FDIC.”
FDIC is also working with the Homeland Security Department to deploy a monitoring system that “will help detect and block outside cyber threats.”
On top of those steps, the FDIC also requires employees to take annual security and privacy training, along with occasional phishing tests.
In July, members of the House Committee on Science, Space and Technology advised Chairman Martin Gruenberg to reconsider some of his agency’s ongoing cybersecurity updates and the leadership of the FDIC’s information technology office
“While FDIC has taken some steps to improve its cybersecurity posture, exploitable weaknesses remain, and the FDIC has yet to prove to the American people that their information is secure,” said Rep. Barry Loudermilk (R-Ga.), a member of the committee.
Scott Algeier, executive director of the Information Technology – Information Sharing and Analysis Center, called the steps “reasonable, if not a bit late to the game.”
“But it’s always good to see the federal government improve their cybersecurity posture,” Algeier said in an email to Federal News Radio. “I’m not sure any one of the initiatives is more important than the other. Managing cybersecurity requires both sound policies and effective technologies. The risk can only be managed, and not eliminated. Establishing identity management and access controls are core elements of a comprehensive security policy, so it’s encouraging to see them reviewing and updating their policies on both.”
Lawmakers warn FDIC’s cyber solutions could be adding insult to injury