FDIC Updates Its Information Technology Risk Examination Program

Emily Antonico, Risk & Business Advisory Manager
September 2016

The FDIC recently updated its information technology and operations risk (IT) examination procedures to include an integrated assessment of an institution’s cybersecurity preparedness. The procedures, which are contained in the Information Technology Risk Examination (InTREx) Program, allow for an enhanced, risk-based approach for conducting IT examinations. The Cybersecurity principles and standards contained within the updated program are not stand-alone, independent principles and standards. Rather, they are part of the overall information security and technology oversight function, with each of the InTREx modules containing embedded cybersecurity examination procedures.

To help in the planning of the IT examination, institutions are required to complete an Information Technology profile (ITP) prior to the examination. The ITP replaces the former IT Officer’s Questionnaire, and has been developed to ensure that appropriate resources are allocated to the IT examination and contains questions relating to:

  • Core Processing
  • Network
  • Online Banking
  • Development and Programming
  • Software and Services
  • Other

The ultimate goal of the updated program is to ensure that financial institution management is able to identify and address IT and cybersecurity risks in a timely and appropriate manner. As such, the program allows for more detailed examination results with Uniform Rating System for Information Technology (URSIT) component and composite ratings included within the examination report.

Additional details of the InTREx Program can be found here.

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.