FDIC OIG highlights crypto, cybersecurity challenges

One hundred thirty-six Federal Deposit Insurance Corp.-insured banks have “ongoing or planned crypto asset-related activities,” the FDIC’s Office of Inspector General said in a report this month.

Additionally, about 52 million Americans have invested in crypto, according to the report, which highlights the agency’s top management and performance challenges.

“The risks associated with digital assets and emerging technologies require a whole-of-government response,” the OIG wrote in its report, adding that policies and procedures for examinations and the FDIC guidance on digital assets for banks should be consistent with those of other regulators.

The FDIC issued a joint statement last month alongside the Federal Reserve and the Office of the Comptroller of the Currency, warning financial institutions of the risks they are exposed to when dabbling in cryptocurrencies. The regulators followed that up last week with a “reminder” on crypto liquidity risk.

To highlight that, the OIG cited Silvergate Bank, which saw its deposits plummet 68% in last year’s fourth quarter as customers withdrew billions of dollars worth of crypto assets. The bank sold $5.2 billion in debt securities to recover — at a loss of $718 million.

The November collapse of crypto exchange FTX revealed that 11 banks were doing business with the platfom and suffer by association, the OIG report noted.

The FDIC, for its part, sent cease-and-desist letters to five crypto firms, alleging they falsely claimed on their websites and social media accounts that certain crypto products held in brokerage accounts were FDIC-insured.

The OIG, in its report, emphasized that the FDIC must have enough information to make data-driven policies and assess risks across the banking sector. Examiners, meanwhile, must have appropriate training and skills to assess crypto-related risks, the OIG wrote.

Digital assets comprised just one of nine areas of concern for the FDIC. Others included crisis preparation, cybersecurity risks and the move to foster financial inclusion.

Cybersecurity risks

An annual report last year from the Financial Stability Oversight Council found the “financial sector is vulnerable to malicious cyber incidents, including ransomware, denial-of-service attacks, data breaches, and non-malicious cyber incidents.”

U.S. banks reported 1,251 ransomware-related incidents in 2021 with a total value of $886 million, a 68% increase from 2020, the Financial Crimes Enforcement Network found in November.

Further, 74% of the bank leaders surveyed said their institution faced one or more ransomware attacks while 63% of the institutions paid the demand, according to VMware, the report said.

The OIG evaluation showed weaknesses in the FDIC’s Information Technology Risk Examination Program, limiting examiners’ ability to assess and address the cyber risks at banks and third-party providers.

Between May and July, banks reported 41 cybersecurity incidents under the 36-hour reporting rule, according to FDIC data.

The FDIC is required to report the information to law enforcement, including the OIG, for further investigation, but at the time the report was written, the FDIC had not, the OIG wrote.

“[T]he FDIC should have effective processes for the intake and assessment of banks’ reporting of cybersecurity incidents, including follow-up to ensure their mitigation,” the OIG wrote.