FDIC Issues Cybersecurity Guidance for Banks

Privacy & Cybersecurity Update

Date: February 10, 2016

Banks have been prime targets for cyber criminals, with breaches reported at many financial institutions, including some of the nation’s largest. In addition to large banks, there are over 6,000 community banks in the country, holding $3.8 trillion in assets, $3.0 trillion in deposits and $2.5 trillion in loans to customers, according to the Independent Community Bankers of America®. Cybersecurity at all banks, large and small, has been a focus of government regulators.

On February 1, 2016, the Federal Deposit Insurance Corporation published an article, “A Framework for Cybersecurity,” in the Winter 2015 edition of its Supervisory Insights newsletter. The article details the continuing cybersecurity threat to financial institutions, including community banks, and provides a framework for a robust cybersecurity program. It also summarizes prior government efforts to assist financial institutions in developing cybersecurity programs and contains references to many free cybersecurity resources available.

A key theme of the article is that bank board members and management must be involved in implementing a cybersecurity program. The article’s conclusion states that “Cyber risk is a substantial business risk. A bank’s board and senior management must understand the seriousness of the threat environment and create a cybersecurity culture throughout the organization. The effective identification and mitigation of cyber risk must be grounded in a strong governance structure with the full support of the board and senior management.”


For more information, please contact:

Roy E. Hadley, Jr.

John L. Watkins

Thomas F. Zych

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgement of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.

This document may be considered attorney advertising in some jurisdictions.