Understanding FDICIA IT Requirements

How to bring your network and data into compliance with the Federal Deposit Insurance Corporation Improvement Act

Background

In 1991, during the Savings and Loan Crisis, the Senate and House Banking Committees each introduced bills intended to stabilize the industry; the result was the FDICIA. The act requires financial institutions to submit annual reports that include management’s assertions regarding the effectiveness of internal controls (e.g., risk assessment, control environment, information and communication, control activities, and monitoring) over their financial reporting. If the institution has assets over $1 billion, external auditors verify management’s assertions.

Who Needs to Comply

Public and private financial institutions must comply with FDICIA.

Under FDICIA, institutions with assets over $500 million must provide the following:

  • A statement regarding adequate internal controls and procedures for financial reporting
  • A description of management’s responsibility for the institution’s internal controls

Under FDICIA, institutions with assets over $1 billion must also provide the following:

In addition to the requirements above, management must assess and report on the effectiveness of internal controls, and external auditors must examine and attest to management’s internal control assertions.

Key IT Requirements

Requirement: Management Responsibility for Internal Controls

Statutory text: Each insured depository institution shall prepare— (A) a statement of the management’s responsibilities for establishing and maintaining an adequate internal control structure; (B) an assessment, as of the end of the institution’s most recent fiscal year, of the effectiveness of such internal control structure and procedures; (C) the institution’s compliance with the laws and regulations relating to safety and soundness which are designated by the Corporation and the appropriate Federal banking agency. [Codified to 12 U.S.C. 1831m(b)]

Description: FDICIA makes management responsible for an adequate internal control structure (risk assessment, control environment, information and communication, control activities, and monitoring) and for assessing the effectiveness of that structure, including computerized information system controls and security. In practice, the institution must know where its data is stored, who owns it, who is responsible for it (the steward), and who is authorized to use it. FDICIA also requires organizations to be able to provide evidence that they are compliant, which calls for an ongoing effort to document and measure compliance continuously.

Varonis Product/Feature: Varonis provides a comprehensive system for meeting internal control objectives.

Varonis DatAdvantage

  • Risk Assessment: DatAdvantage identifies and prioritizes areas of risk by highlighting where sensitive information is overexposed and at risk, where employees have oversubscribed access, and by alerting on abnormal behavior and potential abuse.
  • Control Environment: DatAdvantage recommends revoking permissions to data for users who have no business need for it, so that user access to data is always warranted and driven by least privilege.
  • Information & Communication: DatAdvantage provides data stewards with detailed reports, including data use (i.e. every user’s every file-touch), user activity on sensitive data, permission changes that affect the access to a given file or folder, and a detailed record of permission revocations, including the users and the data for which permissions were revoked.
  • Control Activities: Varonis DataPrivilege is a web-based application that controls, monitors and administers user requests for access to unstructured data (files, emails, SharePoint, etc.).
  • Monitoring: DatAdvantage monitors every user’s file touch and stores, in a searchable format, all aspects of data use for information held on file servers and Network Attached Storage (NAS) devices.

Varonis DataPrivilege

DataPrivilege makes it possible to transition responsibility for attestation management from IT to business owners without any infrastructure changes or business disruption. It brings data owners and data users together in a forum for communicating, authorizing and activating entitlements, allowing you to implement a cohesive data entitlement environment that raises accountability and reduces risk. Upon implementation, DataPrivilege provides:

  • Data protection, by reducing errors in entitlement management
  • Business need-to-know access control, by enabling data owners to make decisions about access control and acceptable use
  • Capture of access approval rationale, for refinement and improvement
  • Policy and workflow enforcement, for consistency and greater security

DataPrivilege provides an automated process structure for managing and attesting access, and provides evidence that those processes are being followed.
