American banking regulators are sending staffers with "little or no" tech training to carry out IT examinations at smaller institutions, according to a report from the US Government Accountability Office (GAO).
With depositary institutions facing an ever-growing cyber threat that has seen them lose hundreds of millions of dollars, the GAO carried out a review of how four regulators (the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve, the Federal Deposit Insurance Corporation, and the National Credit Union Administration) oversee efforts to combat the problem.
While IT examinations at big banks are carried out by experts, the same is not true of small and medium-sized institutions. The GAO says that regulators do recognise that "some IT training is necessary for all examiners" and are working to improve the situation.
The study also found problems with the collection and analysis of data. Regulators tend to focus on IT systems at individual institutions without being able to see trends across the banking system because they are not routinely collecting security incident reports and examination deficiencies and classifying them by category.
A specific problem with the credit union regulator's powers is also identified in the study. Unlike the other watchdogs, the NCUA does not have the authority to examine third party technology vendors, a situation that Congress should address, says the GAO.
Meanwhile, the institutions being regulated say that getting information on cyber threats from federal sources is "challenging". The GAO says this is being tackled by Treasury which is working on ways to share information on attacks confidentially.
Read the full report:
Download the document now 5.3 mb (PDF File)