FDIC Cybersecurity and Resilience Report 2025

The report summarizes the FDIC’s 2024–2025 cybersecurity and resilience activities, covering agency policies, implementation of federal directives (including EO 14028), supervisory programs, incident reporting, and coordination with federal and industry partners. It highlights operational metrics, major threat trends such as supply-chain compromises and ransomware, and priority gaps—while documenting FDIC compliance with CISA directives and ongoing initiatives like Zero Trust and cloud hardening. #Ivanti #MidnightBlizzard

Keypoints

  • Typical structure: title and table of contents; Executive Summary outlining statutory basis and high-level findings; FDIC Cybersecurity section (policies & procedures, implementation, controls, incident statistics); Financial Services Sector Cybersecurity section (rules, guidance, incident reporting, advisories, technical assistance, examinations, examiners, training, work programs); Threats section (tactical and strategic threats); Conclusion and appendices/references.
  • Executive Summary purpose: describe FDIC mission roles, summarize agency self-protection measures, and summarize supervisory and sector outreach activities to strengthen resilience across FDIC‑supervised institutions and service providers.
  • Policies & procedures: inventory of FDIC directives and updates (e.g., Directive 1360.01, 1360.09, 1320.04), alignment with FISMA, OMB, NIST SP 800‑37, adoption of Zero Trust principles, cloud hardening, and CDM program integration.
  • Implementation focus: FDIC actions to implement EO 14028 and related OMB memoranda (M‑22‑09, M‑22‑01, M‑21‑31, M‑24‑04, M‑24‑10, M‑24‑15, M‑24‑18), including EDR adoption, logging and log retention improvements, SCRM processes, and enhanced incident response capabilities.
  • FDIC self-assessment and audit results: OIG rated FDIC Information Security Program maturity at Level 4 (Managed and Measurable) for 2024, noting program strengths but identifying residual control weaknesses (POA&M management, audit logging, privileged account management, role-based training).
  • Operational metrics: 539 security events reported to FDIC’s Security Response Team during Oct 1, 2023–Sept 30, 2024; 137 incidents reported to CISA under federal notification guidelines, including 41 breaches; none rose to OMB “major incident” criteria.
  • Supervisory activity: FDIC conducted 1,205 IT examinations in 2024 and uses InTREx and FFIEC IT Handbook booklets (including updated Development/Acquisition/Maintenance guidance) to evaluate institutions and service providers.
  • Workforce and resourcing: Division of Risk Management Supervision employed ~2,654 staff (majority examiners) with 314 specialists supporting IT/cyber examinations as of Dec 31, 2024; FDIC continues examiner training and advanced credentialing for IT subject matter experts.
  • Controls emphasized: layered defenses against ransomware and malware—phishing simulations, email scanning and domain blocking, network segmentation, egress filtering, centralized logging and SIEM capabilities, enterprise penetration testing, updated incident response plans, and ICAM centralization.
  • Incident reporting and harmonization: FDIC enforces the Computer-Security Incident Notification Rule (36‑hour reporting) and participates in the Cyber Incident Reporting Council (CIRC) to harmonize federal reporting and reduce duplication with CIRCIA rulemaking efforts.
  • CISA directives compliance: FDIC fully complied with CISA ED 24‑01 and its supplemental directions addressing Ivanti Connect/Policy Secure vulnerabilities, ED 24‑02 addressing the Microsoft corporate email compromise by the actor “Midnight Blizzard,” and is implementing BOD 25‑01 secure cloud baselines.
  • Threat landscape — tactical trends: ransomware remains a dominant near-term threat with extortion, double- and triple‑extortion variants and RaaS models; supply‑chain compromises and third‑party/service provider attacks continue to cause broad impact (MOVEit and vendor-targeted incidents highlighted).
  • Threat data points: industry surveys cited in the report show ~65% of financial services organizations experienced ransomware in 2024 with mean recovery cost ~$2.58 million; Verizon DBIR attributed ~15% of breaches to supply‑chain attacks.
  • Strategic threats: rising use of generative AI by adversaries for phishing, malware development, social engineering and synthetic identity fraud; quantum computing risk (“harvest now, decrypt later”) poses long‑term cryptographic threats and drives post‑quantum planning.
  • Recurring themes: convergence of nation‑state and criminal actors, increasing exploitation of cloud and managed service configurations, persistent supply‑chain targeting of software and service providers, and continuous evolution of ransomware tactics.
  • Sector coordination: FDIC engages FFIEC, FS‑ISAC, FBIIC, FSSCC, U.S. Treasury CSSG, CISA, law enforcement, and international bodies (BCBS) to share intelligence, harmonize guidance, and coordinate supervisory responses and exercises (e.g., Hamilton series).
  • Guidance and outreach: FDIC issues joint guidance and resources (third‑party risk management guide for community banks, FFIEC authentication guidance, FFIEC Cybersecurity Resources Guide), runs webinars, director/banker colleges, Threat $potlight bulletins, and targeted technical assistance for MDIs/CDFIs.
  • Third‑party and cloud risk emphasis: supervisory focus on vendor risk management, FedRAMP/Fed authorization for cloud providers, CISA SCuBA baselines under BOD 25‑01, and ongoing work on shared lexicon/terminology and coordinated examinations of significant service providers.
  • Examination program evolution: updates to InTREx (Sept 29, 2023) improved audit module usability, clarified Computer‑Security Incident Notification compliance steps, and refined review of service provider reports; horizontal reviews target privileged access, identity controls, and quantum preparedness.
  • Education and examiner challenges: OIG identified examiner skill gaps and the need to map interconnections between banks and third parties; FDIC continues advanced training, FFIEC professional development, and IT/cyber summits to build examiner expertise.
  • Policy shifts: sunsetting of the FFIEC Cybersecurity Assessment Tool (CAT) by Aug 31, 2025 in favor of newer government resources (NIST CSF v2.0, CISA Cybersecurity Performance Goals) and industry profiles (CRI updates, Sheltered Harbor adoption, Global Resilience Federation frameworks).
  • Implementation gaps and priorities: agency must further mature supply chain risk management, audit logging, POA&M processes, privileged account controls, and role-based training compliance to reduce residual risks.
  • Impactful takeaways: institutions should prioritize Zero Trust, EDR integration, robust logging and detection, third‑party risk governance, ransomware preparedness and recovery planning, AI/machine‑assisted fraud defenses, and migration toward post‑quantum‑resistant cryptography.
  • Actionable supervisory signals: expect continued emphasis on incident reporting timeliness, cloud secure baselines, supply‑chain diligence, examiner staffing and skills, and participation in sector information‑sharing mechanisms to strengthen collective defense.
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)
