2026 Bank Cyber Exam Readiness Checklist

Examiner perspective Your primary regulator — FDIC, OCC, or Fed — is asking more sophisticated cyber questions in 2026. The expectation is that your technology strategy and supporting governance can withstand them, not just that controls are in place.

• Most recent supervisory guidance and risk perspectives from primary regulator reviewed for current exam focus areas
• Technology strategy documented and appropriate for the institution's size and complexity
• End-of-life asset strategy risk-based, documented, and executed against with exceptions documented and reported
• Governance documentation supporting strategies: risk assessment, board risk appetite, reporting, and decision trail
• Prepared for risk-based, tailored exams — examiners have more discretion on where they focus; areas of higher risk identified where they may dig in further
• Prepared for better cyber questions from increasingly knowledgeable examiners

Next focus: Third- and Fourth-Party Risk. The 2026 emphasis is concentration risk and AI — both direct vendor AI use and embedded fourth-party model exposure.

Examiner perspective The Interagency Third-Party Risk Management Guidance is the anchor. The 2026 emphasis is concentration risk and AI — if multiple critical vendors run on the same underlying platform or AI model, examiners want to see you've evaluated it and communicated it to governing bodies.

• Vendor risk management program aligned to the Interagency Third-Party Risk Management Guidance
• Governance processes for vendor oversight documented and understood by stakeholders — how risk is assessed, monitored, and reported
• Risk profile of each critical vendor articulated — not just due diligence confirmed
• Controls applied to each vendor commensurate with the risk, rationale documented
• Vendors embedding AI in their products and services identified
• Familiar with the CRI Financial Services AI Risk Management Framework (FS AI RMF, February 2026)
• AI governance plan in place — or a plan for a plan — accounting for both direct and embedded AI use
• Vendor consolidation and concentration risk evaluated and communicated to governing bodies — expect focus on resilience implications
• Fourth-party AI concentration considered: do you know what underlying models power critical vendor systems?

Next focus: Framework Adoption. Whatever you've chosen, be ready to defend the choice and demonstrate how it actually shapes program decisions.

Examiner perspective A framework on a shelf scores no better than no framework at all. Examiners want to see how it informs decisions and where you've identified gaps — being honest about deficiencies beats pretending they don't exist.

• Replacement framework(s) identified
• Rationale for framework selection documented and defensible
• Self-assessment(s) against the adopted framework(s) completed and documented with evidence
• Deficiencies identified in the self-assessment documented with short-term and long-term remediation plans
• Framework(s) actively shaping the program — able to demonstrate how they inform decisions, not sitting on a shelf as a compliance artifact
• Familiar with the CRI FS AI RMF and its applicability to the institution's AI governance posture — if not CRI, able to answer AI governance questions through another framework or tool

Next focus: Board-Level Reporting. This is where oversight quality is judged — make sure your minutes tell the story examiners can read.

Examiner perspective Board minutes are where oversight quality is judged. Quality of challenge and substantive questions matter as much as the metrics being reported — examiners read them, and increasingly, they cite specifics.

• Board package reflects meaningful information provided to support quality oversight
• Board and committee minutes reflect substantive questions and effective challenge on cyber risk
• Cyber metrics tied to the institution's risk appetite, presented in a format that supports trend analysis — not ad hoc status slides or raw vulnerability data
• Board members able to contextualize cyber metrics, evidenced through quality of engagement in meeting minutes
• Informed decisions demonstrated — budgeting and resource allocation tied to reporting as evidence
• Reporting structure repeatable, defined, and meaningful enough that examiners can assess quality of board oversight

All sections complete. You're ready to defend your posture in 2026. Scroll down if you'd like a second set of eyes.