news.cuna.org/articles/106662-gao-how-regulators-could-provide-better-data-threat-info

GAO: How regulators could provide better data-threat info

July 7, 2015

WASHINGTON (7/7/15)--The U.S. Government Accountability Office (GAO) has released a report on how financial institution regulators analyze data gathered at regulated institutions, and what the regulators could do to provide depository institutions with more usable data-threat information, which they crave.

For the report released last week, the GAO reviewed 15 information technology (IT) examinations and found that the risk-based examination approach used by regulators could serve institutions better if it analyzed deficiencies across institutions.

“While the largest institutions were generally examined by IT experts, medium and smaller institutions were sometimes reviewed by examiners with little or no IT training,” the report reads. “The regulators recognized that some IT training is necessary for all examiners, so each regulator had efforts under way to increase the number of their staff with IT expertise and conduct more training.”

The GAO identified two areas of improvement in the report:

  • Having information on deficiencies across the banking system would better enable regulators to identify and analyze trends across institutions and use that analysis to better target areas for review at institutions; and
     
  • Authorizing the National Credit Union Administration to routinely conduct examinations of third-party technology service providers could help it better ensure that the service providers for credit unions also follow sound information security practices.

CUNA opposes new statutory authority for the NCUA to regulate and supervise directly third-party entities that provide products and services to credit unions.  

NCUA Chair Debbie Matz said in a statement Monday that the agency needs “to close this regulatory blind spot and better protect the credit union system" by providing NCUA with the power to examine and take enforcement actions at third-party technology service providers.