Financial institutions should review and prepare for the new InTREx program changes before the next FDIC exam.

Reducing risk

FDIC Updates Financial Institutions’ IT Exam Program

  • 7/22/2016

On July 1, 2016, the Federal Deposit Insurance Corporation (FDIC) replaced the Information Technology Risk Management Program (IT-RMP) with the Information Technology Risk Examination (InTREx) program (FIL-43-2016). This update was made to support the increased regulatory emphasis that financial institutions are placing on identifying and mitigating cybersecurity and operational risks.

What has changed? 

The updated procedures in the InTREx Program changed three general areas of the FDIC exam: 

  1. A shorter Information Technology Profile Questionnaire will replace the IT Officer’s Questionnaire, allowing the IT examiner-in-charge to scope the exam and request the necessary documentation.
  2. IT examiners will complete the InTREx Core Modules, the Cybersecurity Workpaper, and the Information Security Standards Workpaper, and document findings and recommendations.
  3. Examiners will include the IT Examination Summary and the Uniform Rating System for Information Technology (URSIT) composite rating on the Examiner Conclusions and Comments page of the Report of Examination (RoE). The IT Assessment page will include the Core Module component ratings, findings, recommendations, and management responses, as well as examiner comments on the financial institution’s cybersecurity preparedness.

Preparing for exam changes 

Your FDIC-regulated financial institution should prepare for these changes prior to the next FDIC exam by: 

How we can help 

Your information security program needs to address all components of the new exam questionnaire. You will also need to complete the FFIEC’s Cybersecurity Assessment Tool and develop an action plan to address any weaknesses identified in your cyber program. We can help you review the InTREx Program and assist with preparation for your upcoming exams, including responding to the IT questionnaire, collecting and reviewing requested documentation, and remediating any exam findings.