The Federal Deposit Insurance Corporation (FDIC) has prepared the attached guidance to assist financial institutions in developing an effective computer software patch management program in order to mitigate risks associated with commercial software vulnerabilities.

Many financial institutions rely on commercially developed software to support business processes and to provide an information technology (IT) infrastructure. Common types of software include operating systems, core processing systems, business applications (e.g., word processing programs), and system services (e.g., anti-virus programs). Commercially developed software may contain flaws that create security and performance vulnerabilities. Although software vendors often develop an update - or a "patch" - to correct identified weaknesses, it is the software user's responsibility to update systems or install patches in a timely manner.

Software vulnerabilities can cause system unavailability, create security weaknesses, or corrupt critical system components or data. During the past year, many companies, including some financial institutions, have experienced security breaches that could have been prevented through the timely identification and patching of software vulnerabilities.

For more information about computer software patch management, please contact your FDIC Division of Supervision and Consumer Protection Regional Office.

For your reference, FDIC Financial Institution Letters may be accessed from the FDIC's Web site at http://www.fdic.gov/news/financial-institution-letters/2003/index.html.

Michael J. Zamorski

Director

Attachment: Guidance on Developing an Information System Patch Management Program to Address Software Vulnerabilities 

Distribution: FDIC-Supervised Banks (Commercial and Savings)

NOTE: Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (1-877-275-3342, option 5, or (703) 562-2200).