The New Financial Services Sector Specific Goals (FS-SSGs) Tied to CRI Profile
Washington, D.C. – The Cyber Risk Institute (CRI) applauds the Financial Services Sector Coordinating Council (FSSCC) and the U.S. Department of the Treasury for publishing the Financial Services Sector Specific Goals (FS-SSGs), a set of minimum cybersecurity expectations for financial institutions tied to the CRI Profile. These goals leverage the CRI Profile’s Tier 4 control objectives (i.e., “diagnostic statements”) to align with established cybersecurity standards and frameworks.
The FS-SSGs serve as a bridge between the Cybersecurity and Infrastructure Security Agency’s (CISA) Cross-Sector Cybersecurity Performance Goals (CPGs) and the financial sector’s baseline regulatory expectations captured in the CRI Profile. Instead of creating new requirements, the FS-SSGs focus on mitigating critical risks by identifying baseline cybersecurity expectations for the financial sector’s supply chain and unregulated entities.
The financial services sector is highly regulated and mature in cybersecurity risk management practices and, for U.S.-supervised entities, Tier 4 of the CRI Profile represents minimum expectations. However, the sector’s interconnection with vendors and suppliers—many of whom may lack comparable cybersecurity practices—poses a significant risk to the sector. The FS-SSGs seek to address this risk by providing clear guidance to strengthen resilience across the financial ecosystem.
Josh Magri, President and Founder of CRI, said, “CRI is honored to collaborate with the FSSCC and our government partners on this initiative. The financial services sector is one of the most highly regulated and cybersecurity-mature industries. Yet, its deep connections to and with third parties—many of whom are less prepared—create a pressing need for guidance. The FS-SSGs offer a practical tool to help financial institutions and their partners navigate between CISA's Cross-Sector CPGs and the CRI Profile’s Tier 4 control objectives, fostering improved preparedness across the board.”
The FS-SSGs, like the CRI Profile, are a voluntary tool for financial institutions to use to enhance cybersecurity practices. The FS-SSGs can be found on the websites of the FSSCC and U.S. Treasury, as well as at www.cyberriskinstitute.org. To learn more about membership, please contact CRI at membership@cyberriskinstitute.org.
###
About Cyber Risk Institute: The Cyber Risk Institute (CRI) is a not-for-profit coalition of financial institutions and trade associations. We’re working to protect the global economy by enhancing cybersecurity and resiliency through standardization. https://cyberriskinstitute.org/
* The CRI Profile is the successor to the Financial Services Sector Coordinating Council (FSSCC) Cybersecurity Profile, a NIST and IOSCO based approach to assessing cybersecurity in the financial services industry.
Media Contact:
Emily Beam
Emily.Beam@cyberiskinstitute.org
January 8, 2025
