Changing Regulatory Landscape:

What “Material Financial Risk” Means for IT and Cybersecurity


Late in 2025, all three federal banking regulatory agencies released notices announcing a renewed focus on “material financial risks.” I understand why. Resources are limited. Agencies have to prioritize. They are focusing on the things that can actually move the needle financially at a bank.

But this is not the time to take a vacation from good IT and cybersecurity risk management practices. As the Federal Reserve put it: “It’s not about narrowing our focus, it’s about sharpening it.”

I had the opportunity to moderate a panel session in January with representatives from the Federal Reserve, OCC, FDIC, and state DFI. When the topic of “material financial risk” in IT and cybersecurity came up, I heard five recurring themes.
Here’s what they’re sharpening their focus on.


Risk Assessment and Risk Management

This one is foundational. A weak or poorly executed risk assessment is a material financial risk.
Your risk assessment drives your control strategy, your budget, your audit scope, your vendor oversight, everything. Yet I still see two common mistakes:

  1. It isn’t detailed enough.
  2. It doesn’t produce actionable remediation items that actually move the program forward.

You can have mature pieces of a cybersecurity program, but if your risk assessment doesn’t clearly identify inherent risk, evaluate controls, and generate meaningful action plans, you are flying blind.


Preventative Cyber Controls

Examiners were very direct on this one. Preventative controls matter and that’s where they will be focusing their attention.

A great example of this is multi-factor authentication (MFA). It works to prevent unauthorized access. Monitoring for suspicious account activity, on the other hand, is a detective control. What’s the difference?

I like to use a simple analogy: Would you rather have strong locks on every exterior door of your house, or an alarm that goes off after someone is already ten feet inside?

If you’re anything like me, you want strong locks.

While monitoring is important, you want to make sure you have the controls in place to prevent the attack in the first place.


Resilience

One quote from the panel was blunt: “You better believe that a disruption to your business is a material financial risk.”
Resilience includes business continuity planning, disaster recovery, and incident response.

If your operations are disrupted, whether by natural disaster, human error, system failure, or cyberattack, the financial impact can be immediate.

Plans must be updated at least annually, tested at least annually, and reflect your actual environment.


Service Provider Oversight

This one feels like a broken record, but for good reason.

Our environments have changed. Data is hosted externally. Critical systems are cloud-based. Core operations depend on vendors. The reliance on third-party providers is greater than ever, and it’s not going away.

We’ve seen breaches tied directly to weak controls at third parties — resulting in real expense and customer harm.
Examiners will continue to scrutinize vendor criticality assessments, control reviews, ongoing oversight, and follow-up on control exceptions. If a third party presents material financial risks to your institution, they will receive attention.


Independent Audit Program

Just because agencies may spend less time onsite does not mean audit expectations are lower.

If anything, it means they will rely more heavily on your independent audits.

You should have outside parties review your key controls, and you should conduct appropriate internal and external penetration testing annually.


Final Thought

When regulators say they are sharpening their focus on material financial risk, they are not lowering expectations. This is not the time to ease up. Instead, you need to make sure your fundamentals are strong.

If you have questions about how to sharpen your focus in IT and cybersecurity at your financial institution, let us help. Just reach out via email to: support@bedelsecurity.com
