Standards Raised.

“Supervised financial institutions may also consider use of industry developed resources, such as the Cyber Risk Institute’s (CRI) Cyber Profile, and the Center for Internet Security Critical Security Controls…. While the FFIEC does not endorse any particular tool, these standardized tools can assist financial institutions in their self-assessment activities.”

“As we [Treasury] develop our [Cloud use in the financial services] report and over the longer term as we continue to work on these issues, we will collaborate with the private sector and organizations like Cyber Risk Institute, FBIIC members, and our international partners, many of which are considering increasing their oversight of cloud service providers.”

“Financial institutions may choose from a variety of standardized tools aligned with industry standards and best practices to assess their cybersecurity preparedness. These tools include the FFIEC Cybersecurity Assessment Tool, the National Institute of Standards and Technology Cybersecurity Framework, the Center for Internet Security Critical Security Controls, and the [CRI] Profile.”

“A cyber assessment framework is a useful component of a comprehensive risk assessment…widely used frameworks Covered Entities employ are the FFIEC Cyber Assessment Tool, the CRI Profile, and the NIST Cybersecurity Framework.”

“[The CRI Profile] is one of the more detailed Cybersecurity Framework-based, sector regulatory harmonization approaches to date.”

“[The CRI Profile] is a customization of the NIST Cybersecurity Framework that financial institutions can use for internal and external cyber risk management assessment and as evidence for compliance, encompassing relations between Cyber frameworks, including the Core Standards. Further, CRI’s Cybersecurity Profile tool encompasses all three of the Core Standards (the NIST Cybersecurity Framework, ISO, and the CPMI-IOSCO Guidance), as well as others…”

“The Cyber Risk Institute houses and maintains the CRI Profile—the benchmark for cyber security and resiliency in the financial services industry.”

“Recommended frameworks for entities to refer to:[Cyber Risk Institute Cybersecurity Profile, NIST Cybersecurity Framework, New Zealand Information Security Manual (NZISM), and ISO/IEC 27000.]”

“Treasury, as Sector Risk Management Agency for the financial services sector, appreciates the inclusion of precision time resiliency into the CRI Profile. This collaboration on responsible use of precision time enables the sector to fully benefit from the Biden-Harris Administration’s continued work on this Executive Order.”

“[The CRI Profile] is a powerful tool to assist banks to mitigate the cost of fragmented cybersecurity regulations…it should become the accepted supervisory base-line…so supervisors and banks alike can more efficiently use scarce cyber security expertise.”

“…we’ll welcome any financial institution to provide information to us using the structure and taxonomy of the Profile, we see that as a boon for harmonization.”

“The Cyber Profile shows a third party the path and progression from a fin-tech into a mature organization. It tells you what the investment journey is going to look like, giving them a roadmap to do business with the big banks.”