Skip to main content
U.S. flag
An official website of the United States government
Dot gov
The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
Financial Institution Letter
Computer Virus Protection
TO: CHIEF EXECUTIVE OFFICER (also of interest to Chief Information Officer) 
SUBJECT: Guidance on Developing an Effective Computer Virus Protection Program 
Summary: The FDIC is issuing guidance to financial institutions about the importance of maintaining an effective computer virus protection program. The guidance provides information on the risks associated with computer viruses and how these risks can be mitigated. 

The Federal Deposit Insurance Corporation (FDIC) has prepared the attached guidance to assist financial institutions in developing an effective computer virus protection program in order to mitigate the risks associated with computer viruses and other types of malicious software codes. Financial institutions rely on the Internet to conduct business transactions and to communicate with customers, vendors and other business partners. Commonly used electronic mail applications are susceptible to computer viruses that may be embedded in e-mails and e-mail file attachments. Therefore, it is important that management understand the risks of computer viruses and take appropriate action to protect computer systems.

Customer information security guidelines require periodic risk assessments and status reports be provided to the Board of Directors. The effectiveness of the institution’s computer virus protection program should be addressed in these periodic assessments and reports. Any control weaknesses should be identified and addressed during the normal course of business.

This guidance is designed to complement the FFIEC Information Security IT Examination Handbook , issued December 2002, and to supplement Financial Institution Letter 68-99, “Risk Assessment Tools and Practices for Information System Security.”

For more information about computer virus protection programs, please contact your FDIC Division of Supervision and Consumer Protection Regional Office or Kathryn M. Weatherby, Examination Specialist, at (202) 898-6793.

For your reference, FDIC Financial Institution Letters may be accessed from the FDIC’s Web site at

Michael J. Zamorski


Division of Supervision and Consumer Protection


FDIC-Supervised Banks (Commercial and Savings)


Paper copies of FDIC financial institution letters may be obtained through the FDIC’s Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (1-877-275-3342 or (703) 562-2200).

Last Updated: June 7, 2004