NIST Finalizes Information Security Risk Assessment Guidelines
September 24, 2012
On September 18, the National Institute of Standards and Technology released a final version of its risk assessment guidelines, which are designed to advise all types of government and private organizations, including financial institutions, about information security risks and information technology infrastructures. The Guide for Conducting Risk Assessments provides guidance regarding (i) threats, (ii) vulnerabilities, (iii) impact to missions and business operations, and (iv) the likely threat of exploitation of vulnerabilities in information systems and their physical environment to cause harm or adverse consequences.