The head of a U.S. banking regulator on Thursday said he was unaware of any efforts by his staff to cover up hacking of the agency’s computers by a foreign government in 2010 and 2011, as outlined by a congressional report.
Federal Deposit Insurance Corporation Chairman Martin Gruenberg told a hearing of the committee that published the report that he first learned of the security breach in 2011 when he was the FDIC’s acting chairman.
Lawmakers questioned Gruenberg about his knowledge of what the report described as a cover-up by a senior FDIC executive who ordered staff not to disclose the hacks for fear of endangering Gruenberg’s confirmation to the chairman’s post by the U.S. Senate.
“I can’t speak to the accuracy” of those allegations, Gruenberg said. He said repeatedly he did not know of staff efforts to conceal the intrusions.
The House of Representatives Committee on Science, Space and Technology report issued on Wednesday said the Chinese government appeared likely to have been behind the hacks. It cited an investigation by an internal watchdog of the FDIC, which is a major banking regulator that keeps confidential data on U.S. banks.
Gruenberg said he made personnel changes after receiving a report in 2013 informing him that he was not fully briefed about the hacks.
The Republican-led committee has been critical in recent months of the FDIC’s handling of cyber security incidents under Gruenberg, who was nominated by President Barack Obama and confirmed by the Senate in 2012.
“There is a culture of concealment at the FDIC,” said Lamar Smith, a Republican from Texas who heads the committee.
Asked what damage a foreign government could do with stolen FDIC information, the regulator’s inspector general pointed to details on bank contingency plans for bankruptcy, known as living wills, which could be used against U.S. financial institutions.
“That information could be extremely valued by an adversary,” FDIC Inspector General Fred Gibson told the hearing.
Gruenberg said the FDIC was updating cyber security policies after a subsequent 2015 data breach in which a former employee kept copies of living will information after leaving the regulator. Neither the FDIC nor lawmakers have said the hack by the foreign government was connected to the data breach involving the former employee.
Gruenberg said policy changes were being made to address such “insider threats,” with a governance structure to be finalized by Oct. 28.