The Bedel Security Blog

The FDIC Is Pointing Banks Back to Cybersecurity Fundamentals.

Written by Trisha Durkin | Jul 10, 2026

Artificial intelligence is changing cybersecurity. Vulnerabilities can be identified faster, exploits can be developed more quickly, and attackers can automate tasks that once required significant time and expertise.

That sounds like a technology problem requiring an equally futuristic solution.

But the response being emphasized by regulators is much more familiar: know what you have, know what is exposed, prioritize what matters, and fix it faster.

In recent correspondence to financial institutions, the FDIC encouraged banks to consider enrolling in the Cybersecurity and Infrastructure Security Agency’s (CISA) no-cost Cyber Hygiene Services. These services include ongoing vulnerability scanning of internet-accessible assets, web application scanning, external threat monitoring, and access to regional security advisors.

The FDIC’s recommendation is worth considering. Free vulnerability scanning from CISA is hard to argue with.

But signing up for another scanning service is the easy part. The harder question is what your financial institution does with the information once it arrives.

1. Get an Outside View of Your Environment

Most financial institutions already have some form of vulnerability scanning. CISA’s Cyber Hygiene Services can add another perspective by continuously looking at the institution’s internet-facing assets.

A practical first step is to compare what CISA identifies against what the bank believes is externally exposed.

Do you recognize every public IP address and internet-facing asset? Do you know who owns each one? Are the services running on those assets expected? Does your existing asset inventory match what an outside party can actually see?

Finding an unknown asset may be just as important as finding a vulnerability.

You cannot secure what you do not know exists. That phrase has been used in cybersecurity for years because, unfortunately, we keep finding new ways to prove it true.

2. Stop Prioritizing Vulnerabilities by Severity Alone

A long vulnerability report can create a false sense of productivity. Hundreds of findings are identified, color-coded, put into a spreadsheet, and discussed in a meeting.

Then everyone starts at the top.

A vulnerability score tells you something important about technical severity. It does not tell you everything about the risk to your institution.

Prioritization should also consider whether the vulnerability is actively exploited, whether the system is externally exposed, the criticality of the affected system, the data involved, existing compensating controls, and the potential business impact.

This does not require a complicated formula. The goal is a repeatable process that helps answer a simple question:

What presents the greatest risk to us right now?

3. Create a Fast Lane for Vulnerabilities That Cannot Wait

Most financial institutions have patching schedules and remediation timelines. That is a good foundation.

The problem is that not every vulnerability is willing to wait until Patch Tuesday.

Institutions should have a defined process for vulnerabilities requiring action outside the normal schedule, particularly those that are actively exploited, affect internet-facing systems, expose sensitive information, or impact critical business systems.

Once a vulnerability enters the fast lane, the institution should already know what happens next.

Who evaluates the exposure? Who contacts the vendor? Who can authorize emergency patching? What happens if a patch is unavailable? Who approves temporary compensating controls?

Those are difficult questions to answer for the first time while a critical vulnerability is actively being exploited.

And if a hosted system is affected, “waiting on the vendor” may be an accurate status update, but it is not a risk management strategy.

4. Create a Technical Debt List, Not Just an End-of-Life List

Most financial institutions understand the risk of end-of-life technology. Technical debt is broader.

It includes systems that are difficult to patch, aging infrastructure, permanent workarounds that were supposed to be temporary, outdated dependencies, and technology that requires repeated policy exceptions.

Every institution has some technical debt. Limited budgets, competing priorities, and vendor dependencies make that unavoidable.

The problem is when temporary decisions quietly become permanent.

A practical technical debt register can be simple. Identify the system or issue, the risk it creates, current compensating controls, the responsible owner, the planned action, and the target date.

If an exception has been renewed for three years, it probably is not an exception anymore. It is part of your environment.

Treat it accordingly.

5. Connect Vulnerability Management to Strategic Planning

Vulnerability management is often treated as an operational process:

Scan. Review. Patch. Repeat.

But the patterns found through vulnerability management should influence the institution’s longer-term strategy.

If the same system repeatedly misses remediation timelines, requires compensating controls, creates exceptions, or cannot support modern security controls, the institution may not have a patching problem.

It may have a modernization problem.

Those issues should move beyond the vulnerability report and into strategic planning discussions. This also supports better budget conversations.

“IT wants to replace an old system” is very different from “This system repeatedly creates vulnerability exceptions and represents an ongoing source of risk.”

More Visibility Is Only Helpful If It Leads to Action

The FDIC’s recommendation to consider CISA’s Cyber Hygiene Services is practical. Another view of the institution’s external attack surface can provide real value.

But more scanning will likely mean more findings.

The goal of a mature vulnerability management program is not to produce the shortest report or eliminate every vulnerability. Neither is realistic.

The goal is to know what you have, identify what creates the greatest risk, and act before an attacker does.

AI may be changing the speed of vulnerability discovery and exploitation. For most community financial institutions, keeping pace does not mean starting over.

It means making sure the fundamentals work as quickly and effectively as the threat environment now demands.

Because the question is no longer just:

Do we scan for vulnerabilities?

It is:

Can we identify what matters and act before an attacker does?

If your institution needs help figuring out what all of this looks like, Bedel Security is here to help ensure your information security program aligns with regulatory expectations. Contact us for more information!