July 2 - U.S. banking regulators must hire and
train more examiners with technology expertise so they can give
more useful cyber security recommendations to small and
mid-sized banks, a federal watchdog agency has warned.
A new report from the U.S. Government Accountability Office
identified the issue as one of several that banking regulators
need to address as cyber security threats become more prevalent
and sophisticated.
For example, the names, addresses, phone numbers and email
addresses of some 83 million household and small business
account holders were exposed last year when computer systems at
JPMorgan Chase & Co were compromised by hackers, one of
the biggest data breaches in history.
Multiple U.S. regulators, including the Federal Deposit
Insurance Corporation (FDIC) and the Federal Reserve, examine
banks and other financial institutions that take deposits.
Examiners' findings may include how the institutions can improve
their cyber security practices.
Each of the regulators employs dozens of examiners with
specialized technology expertise, but typically assigns those
examiners to the largest banking institutions, the GAO said.
Examiners with "little to no" information technology
expertise generally examine small and mid-sized banks. Their
findings may not be as "specific or useful" as those from more
experienced counterparts, the GAO said.
The various regulators have been trying to improve their
oversight of bank technology, the GAO noted. For example, the
FDIC imposed a four-course training requirement for examiners in
2010 to boost their technology know-how. Three-quarters of
examiners had completed between one and three courses as of the
end of 2014.
Among the GAO's other concerns: regulators are not
collecting and storing technology exam findings in a way that
makes it easy to search for industry-wide trends.
The regulators, in letters to the GAO, said they are ramping
up their systems for categorizing the data.
Many U.S. credit unions are also vulnerable to cyber threats
from outside vendors that help run their businesses because
their overseer, the National Credit Union Administration (NCUA),
lacks authority to review technology practices of those
companies, the GAO said.
The GAO has long been pushing to expand the NCUA's
authority. But credit unions themselves and their vendors have
been resistant to the idea, calling it a regulatory overreach.
The NCUA is the only federal banking regulator that does not
have the power to examine third-party vendors, which range from
large companies such as Fiserv or Diebold, to small companies
that only serve credit unions.
