Washington, D.C. – Science, Space, and Technology Committee Chairman Lamar Smith (R-Texas) and Oversight Subcommittee Chairman Barry Loudermilk today sent a letter to Federal Deposit Insurance Corporation (FDIC) Chairman Martin Gruenberg as part of the Committee’s continued oversight of cybersecurity events at the FDIC. The Committee has sent several letters to the FDIC requesting documents and communications on recent cybersecurity breaches, as well as the FDIC’s attempts to circumvent providing full and complete responses to the Committee’s requests.
Today’s letter addresses concerns that the FDIC’s search for responsive materials yielded a substantial amount of internal Office of Inspector General (OIG) communications. The FDIC’s gathering and review of internal OIG communications is deeply troublesome, as the independence of OIGs is not only mandated by the Inspector General Act of 1978 but also imperative to facilitating the OIG’s work. The letter also raises concerns about the FDIC failing to inform Congress of the improper access to and review of internal OIG materials.
“Although the Committee was led to believe that the agency would comply with the Committee’s requests after enjoying an extra two months to identify and produce all responsive materials, the Committee learned from the OIG that during the agency’s search for materials, it gathered a substantial set of internal OIG communications. This information raises serious concerns about the FDIC OIG’s ability to conduct its work in an independent manner, as mandated by the Inspector General Act of 1978 (IG Act),” the letter states.
“Also troublesome is the fact that your staff has not been forthcoming with informing the Committee that the agency’s search for documents yielded a substantial number of internal OIG documents. The agency’s continued lack of transparency and responsiveness to the Committee raises serious concerns about whether the agency is attempting to skirt congressional oversight and avoid answering questions not only about its cybersecurity posture, but about its willingness to ensure that internal OIG communications, as well as communications by those within the agency that may communicate with the OIG are kept confidential,” the letter continues.
The letter requests that the FDIC inform the Committee of what actions are being taken to protect internal OIG communications and what actions are being taken to protect communications exchanged between OIG officials and agency employees.
On April 8th, the Committee wrote a letter to FDIC Chairman Gruenberg after learning about a security breach involving an employee who obtained sensitive data for 44,000 individuals prior to separating from employment at the agency. The Committee followed up with a letter on April 20th after learning that the FDIC withheld reporting a security incident to Congress as required by the Federal Information Security Modernization Act (FISMA). In May, the Committee held a hearing to examine the recent pattern of significant data breaches at the FDIC. At the hearing, several of FDIC Chief Information Officer and Chief Privacy Officer Lawrence Gross’ responses to questions posed by Members were false and misleading. On May 24th, the Committee requested transcribed interviews with nine FDIC officials.