U.S. lawmakers probe Fed cyber breaches, cite ‘serious concerns’

A U.S. congressional committee has launched an investigation into the Federal Reserve’s cyber security practices after a Reuters report revealed more than 50 cyber breaches at the U.S. central bank between 2011 and 2015.

The House Committee on Science, Space and Technology on Friday sent a letter to Federal Reserve Chair Janet Yellen to express “serious concerns” over the central bank’s ability to protect sensitive financial information.

The letter cited the Reuters report, which was based on heavily redacted internal Fed records obtained through a Freedom of Information Act request. The redacted records did not say who hacked the bank’s systems or whether they accessed sensitive information or stole money.

“These reports raise serious concerns about the Federal Reserve’s cyber security posture, including its ability to prevent threats from compromising highly sensitive financial information housed on the agency’s systems,” said the letter, signed by House Science Committee Chairman Lamar Smith, a Texas Republican, and Barry Loudermilk, a Georgia Republican and chairman of the panel’s oversight subcommittee.

A Fed spokesperson said the central bank had received the panel’s letter and “will respond to it.”

The panel asked the Fed’s national cyber security team – the National Incident Response Team – to turn over all cyber incident reports in unredacted form from Jan. 1, 2009, to the present. It also asked for incident reports from the Fed’s local incident response teams.

Global policymakers, regulators and financial institutions have become increasingly concerned about the security of the international banking system after a string of cyber attacks against banks in Bangladesh, Vietnam and elsewhere linked to fraudulent transaction messages sent across the global financial platform SWIFT.

The probe into the Fed’s security practices followed a separate inquiry by the same committee into the Federal Reserve Bank of New York’s handling of the cyber theft of $81 million from one of its accounts held by the central bank of Bangladesh.

The committee said it has jurisdiction over the Fed’s cyber security because the panel is tasked with oversight of the U.S. National Institute of Standards and Technology, an agency responsible for developing federal cyber security standards and guidelines, under a 2014 federal information technology law.

The panel also requested a “detailed description of all confirmed cyber security incidents” from 2009 to the present, all documents and communications referring or relating to “higher impact cases” handled by the Fed’s NIRT team, all documents and communications with the Fed’s Office of Inspector General related to confirmed cyber incidents, and an organizational chart detailing the Fed’s top cyber security personnel.

The Fed’s computer systems hold confidential information on discussions about monetary policy that drives financial markets. The central bank’s staff suspected hackers or spies were behind many of the breaches, the records obtained by Reuters show.

The Fed had declined to comment on the records, which represent only a slice of all cyber attacks on the central bank because they include only cases involving the Washington-based Board of Governors, a federal agency that is subject to public records laws.