Executive Summary
The Federal Deposit Insurance Corporation (FDIC) submits this report on cybersecurity and resilience to the Committee on Financial Services of the House of Representatives and the Senate Committee on Banking, Housing, and Urban Affairs pursuant to Section 108 of the Consolidated Appropriations Act, 2021.
The FDIC is the primary federal regulator of federally insured, state-chartered depository institutions that are not members of the Federal Reserve System (referred to in this report as “FDIC-supervised financial institutions”); serves as the nation’s deposit insurer; acts as receiver for insured depository institutions that fail; and has resolution planning responsibilities (jointly with the Board of Governors of the Federal Reserve System) for large and complex financial companies.
The report first discusses how the FDIC maintains and strengthens its own cybersecurity. The FDIC protects its systems, the sensitive personal and business information it has related to its own operations, and sensitive information it has related to the operations of banks and service providers. The FDIC pursues its own cybersecurity initiatives, achieves government-wide goals, and complies with applicable federal law and regulation to continuously improve its cybersecurity posture. Independent audits of the FDIC’s compliance with the Federal Information Security Modernization Act of 2014 (FISMA) provide additional information to focus FDIC cybersecurity efforts.
The report next discusses FDIC actions to strengthen cybersecurity in the financial services sector. The FDIC promulgates rules, in coordination with other bank regulators or alone, and enforces those rules and applicable laws and regulations that promote cybersecurity and resilience through the supervision and examination of FDIC-supervised financial institutions and by examining services provided by certain service providers.
More specifically, the FDIC evaluates financial institutions’ cybersecurity practices for safety and soundness; engages in information sharing and technical assistance through guidance, alerts, and advisories; communicates via in-person and virtual meetings with financial institutions and service providers on cybersecurity matters; hires and trains examiners and cybersecurity analysts; maintains examination work programs and other resources; and conducts information technology examinations.
The FDIC also collaborates on cybersecurity matters with other state and federal banking regulators, law enforcement, intelligence, and security agencies, and the private sector. Additionally, the FDIC uses information from independent audits to improve its supervisory programs and strengthen internal operations.
The fight against malicious actors who use cyberspace to harm others requires constant vigilance and agility. The FDIC will continue to collaborate with stakeholders to maintain a resilient financial system in spite of the evolving cybersecurity threat.