Financial Institution Letter
TO: CHIEF EXECUTIVE OFFICER (also of interest to Chief Information Officer) 
SUBJECT: Guidance on Developing an Effective Software Patch Management Program 
Summary: The FDIC is providing guidance to financial institutions about the importance of maintaining an effective computer software patch management program. This guidance provides institutions with background information on the risks associated with software vulnerabilities and how they can be mitigated through an effective patch management program. 

The Federal Deposit Insurance Corporation (FDIC) has prepared the attached guidance to assist financial institutions in developing an effective computer software patch management program in order to mitigate risks associated with commercial software vulnerabilities.

Many financial institutions rely on commercially developed software to support business processes and to provide an information technology (IT) infrastructure. Common types of software include operating systems, core processing systems, business applications (e.g., word processing programs), and system services (e.g., anti-virus programs). Commercially developed software may contain flaws that create security and performance vulnerabilities. Although software vendors often develop an update - or a "patch" - to correct identified weaknesses, it is the software user's responsibility to update systems or install patches in a timely manner.

Software vulnerabilities can cause system unavailability, create security weaknesses, or corrupt critical system components or data. During the past year, many companies, including some financial institutions, have experienced security breaches that could have been prevented through the timely identification and patching of software vulnerabilities.

For more information about computer software patch management, please contact your FDIC Division of Supervision and Consumer Protection Regional Office.

For your reference, FDIC Financial Institution Letters may be accessed from the FDIC's Web site at

Michael J. Zamorski
Attachment: Guidance on Developing an Information System Patch Management Program to Address Software Vulnerabilities 

Distribution: FDIC-Supervised Banks (Commercial and Savings)

NOTE: Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (1-877-275-3342, option 5, or (703) 562-2200).

Last Updated: May 29, 2003