FDIC Updates Financial Institutions’ IT Exam Program
On July 1, 2016, the Federal Deposit Insurance Corporation (FDIC) replaced the Information Technology Risk Management Program (IT-RMP) with the Information Technology Risk Examination (InTREx) program (FIL-43-2016). This update was made to support the increased regulatory emphasis that financial institutions are placing on identifying and mitigating cybersecurity and operational risks.
What has changed?
The updated procedures in the InTREx Program changed three general areas of the FDIC exam:
- A shorter Information Technology Profile Questionnaire will replace the IT Officer’s Questionnaire, allowing the IT examiner-in-charge to scope the exam and request the necessary documentation.
- IT examiners will complete the InTREx Core Modules, the Cybersecurity Workpaper, and the Information Security Standards Workpaper, and document findings and recommendations.
- Examiners will include the IT Examination Summary and the Uniform Rating System for Information Technology (URSIT) composite rating on the Examiner Conclusions and Comments page of the Report of Examination (RoE). The IT Assessment page will include the Core Module component ratings, findings, recommendations, and management responses, as well as examiner comments on the financial institution’s cybersecurity preparedness.
Preparing for exam changes
Your FDIC-regulated financial institution should prepare for these changes prior to the next FDIC exam by:
- Reviewing the InTREx Program information
- Reviewing and completing the FFIEC Cybersecurity Assessment Tool
- Discussing the IT examination process changes with your senior management and Board of Directors, and assigning responsibility for addressing the changes
How we can help
Your information security program needs to address all components of the new exam questionnaire. You will also need to complete the FFIEC’s Cybersecurity Assessment Tool and develop an action plan to address any weaknesses identified in your cyber program. We can help you review the InTREx Program and assist with preparation for your upcoming exams, including responding to the IT questionnaire, collecting and reviewing requested documentation, and remediating any exam findings.