Report: FDIC Data Vulnerable

Lax security in the Depression-era agency that protects Americans' bank deposits is the focus of a report by the General Accounting Office. The study says major losses of money, information and other data are possible.

WASHINGTON -- The Depression-era agency that protects Americans' bank deposits has such lax security that major losses of money, information and other data are possible, congressional auditors said Friday.

The report by the General Accounting Office, the investigative arm of Congress, said many weaknesses of the Federal Deposit Insurance Corp. result from its lack of a fully established security management program.

The GAO studied 2003 audits of the FDIC's Bank Insurance Fund, Savings Association Fund and Federal Savings and Loan Insurance Corp. Resolution Fund.

Good controls established by an effective security management program are essential to ensuring that financial information is protected from misuse, improper disclosure or destruction, the GAO said. As it operates now, however, the FDIC is unable to ensure that such problems do not occur, the report said.

The FDIC has made significant progress in correcting previously identified glitches in information security, the report said. Still, the agency has not adequately limited the access of authorized users or completely secured access to its network against unauthorized use, the GAO said.

Created in 1933 among President Franklin Delano Roosevelt's early New Deal agencies, the FDIC protects bank and thrift depositors from loss caused by bank closures, insuring most deposits up to $100,000. It insures deposits in excess of $3.3 trillion in about 9,200 institutions.

The FDIC relies heavily on computerized systems to handle its financial operations and information storage.

Auditors found that critical financial information and sensitive personnel and bank examination information are at risk of unauthorized disclosure, disruption of operations or loss of assets, the GAO report said. The GAO identified instances in which access to sensitive data and programs had not been adequately restricted:

  • Many users had unnecessary access to production systems that include financial and bank information.
  • Many users had access that allowed them to read user identifications and passwords used to transfer data among FDIC production computer systems.
  • The FDIC did not restrict users adequately from viewing sensitive bank information.

The FDIC agreed with the GAO's recommendations on tightening security.