There is no more pressing problem facing business organizations today, of all types, than cybersecurity threats. For a highly regulated industry like banking, regulators are watching closely to see how the IT governance structure at a bank can manage this risk.

Recently, the Federal Financial Institutions Examination Council, which coordinates the examination process at all of the federal banking agencies, issued a new “management booklet” on IT risk management examinations, replacing one that had not been updated since 2004.

Perhaps not surprisingly, given how many well-publicized hacks have occurred in the past decade, particularly in the last year, the new booklet incorporates cybersecurity concepts as part of IT risk management for banks:

  • Board Role.  Starting at the top of the bank, the new guidance requires that the board of directors set the tone and direction for an institution’s use of IT, and says that the board should approve the IT strategic plan, as well as its information security program “to protect the institution from ongoing and emerging threats, including those related to cybersecurity.”
  • IT Steering Committee.  Another cybersecurity requirement in the new booklet is for the board, or a “steering committee” tasked by the board to oversee IT risk management, and to review and determine the adequacy cybersecurity training for staff.
  • CISO.  The “Chief Information Security Officer” is required to inform the board, management and staff of information security and cybersecurity risks and the role of staff in protecting information, and to “champion” a security awareness and training program.

Banks can expect their examiners immediately to begin using this new examination booklet, and therefore would be well-advised to determine compliance with its requirements as far in advance as possible of the next examination.

The new Information Technology Examination Handbook can be found here.

For additional information, please contact Brad Neighbors at