The Office of Inspector General for the Federal Deposit Insurance Corp., in another audit of the regulator's cybersecurity processes, found that the FDIC took an average of nine months to notify impacted individuals of breaches.
The watchdog's assessment covered 18 of 54 suspected or confirmed breaches at the FDIC from 2015 to 2016, involving personally identifiable information and potentially impacting more than 113,000 individuals.
It found that while the FDIC had processes in place for handling incidents where information is compromised, the regulator did not adequately implement the recommended steps or document its assessments and decisions. Nor did it track metrics identified in its data breach handling guide as key to improving its prevention and response capabilities.
The FDIC also has a process for convening a data breach management team, but has not provided specialized training to team members.
Following the receipt of the watchdog's audit, the FDIC concurred with its recommendations. The regulator has hired a permanent incident response coordinator and intends to hire an information security manager lead.
The FDIC expects to complete all corrective actions by Sept. 30, 2018.