The report from the General Accounting Office identified "new weaknesses" in the FDIC's information systems controls that affect its ability to safeguard electronic access to sensitive data.
"These weaknesses place critical FDIC financial and sensitive personnel and bank examination information at risk of unauthorized disclosure, critical financial operations at risk of disruption, and assets at risk of loss," the report says.
The FDIC's mission is to "maintain stability and public confidence in the nation's financial system" by insuring deposits at virtually all U.S. banks and savings associations. Today, it insures more than $3.2 trillion in deposits for about 10,000 institutions.
As more and more consumers head online to do their banking, financial institutions have placed greater emphasis on securing their systems against attack. But the GAO report indicates that more problems may lie behind the scenes.
The GAO--Congress' investigative arm--reviewed the FDIC's IT controls as part of an annual audit of the corporation's financial statements. The FDIC has made some improvements since an earlier audit, reviewing system software, adding guard service and surveillance to its computer rooms, and determining appropriate levels of security for corporate data, the GAO report said, but hasn't adequately protected itself against new threats.
The FDIC relies "extensively" on computer systems and networks to support its financial operations and has around 5,400 authorized users of its systems, the GAO said. But it isn't adequately keeping track of who has access to what systems, the GAO said.
"Hundreds of users had access privileges that allowed them to modify financial software and read, modify, or copy financial data," the report said, adding that the FDIC was not monitoring these users' actions.
Other problems highlighted:
Network software contained configuration weaknesses that could allow users to bypass access controls and gain unauthorized access to the FDIC's networks or cause network system failures. For instance, certain network system configuration settings allowed unauthorized users to connect to the network without entering a valid user ID and password combination.
Workers retained access to the computer control center after they should have lost it. They include personnel who had transferred out of computer operations and staffers who no longer worked for the FDIC. The GAO said that, at its request, the FDIC is reducing the number of staff authorized to enter the control center from 270 to 227.
The FDIC lacks a business continuity plan for all its facilities. It has a plan for its Washington facility, but not for its suburban computer center and eight regional offices.
The FDIC has already taken steps to correct some of the issues identified, the agency said in a response to the report. Those steps include establishing "clearly defined roles and responsibilities" for the FDIC's IT managers, developing a risk assessment program, developing technical security standards for all computer platforms, and establishing an ongoing program of tests and evaluations.