FFIEC Announces that the Cybersecurity Profile is Acceptable as a Standardized Assessment
Sean Oblack
August 28, 2019
Washington, D.C. — The Bank Policy Institute (BPI) welcomed the Federal Financial Institutions Examination Council (FFIEC) statement encouraging a standardized approach for assessment and naming the Financial Services Sector Cybersecurity Profile as one of those assessment tools. The Cybersecurity Profile integrates widely used industry and regulatory standards to help financial institutions develop and maintain cybersecurity risk management programs. The BPI-led effort, managed under the Financial Services Sector Coordinating Council (FSSCC), was co-developed with the American Bankers Association and over 300 industry experts from 150 financial institutions worldwide, ranging from community banks to large multi-national firms.
“Today’s statement reflects great work by the relevant agencies to coordinate their efforts, and allow firms to adopt a clear, high and consistent benchmark for cybersecurity assessment,” said Greg Baer, President and CEO of the Bank Policy Institute. “BPI believes that for those firms which choose to use it for assessment and examination purposes, the Cybersecurity Profile will enable their cybersecurity professionals to focus their time on the threats they face.”
The Cybersecurity Profile launched in 2018 with input from regulators. It offers a common, credible approach to cybersecurity and assessment for financial firms and is complementary to the NIST Cybersecurity Framework, on which it is largely based. Specifically, the Cybersecurity Profile seeks to provide financial institutions and third-party providers more consistent and efficient examination processing. It also helps regulators and firms to prioritize resources and focus on cyber threats of greatest concern, while establishing a common set of industry best practices.
“Chris Feeney and Josh Magri from the BPI team have worked side by side with U.S. and Global regulators and all interested stakeholders to help get us to where we are today,” Baer continued. “We remain committed to working with regulators and the whole industry to improve capabilities and avert cybersecurity issues around the world.”
The Cybersecurity Profile uses a questionnaire to identify the risk and complexity of a company and match the company with an appropriate, customized, and focused cybersecurity assessment. With its tailoring, the Cybersecurity Profile enables front-line defenders to spend their time on security activity rather than paperwork. For example, as compared against another widely used diagnostic, a community bank could reduce the number of questions it might answer by as much as 73%.
The Cybersecurity Profile is intended for use by any financial institution or third-party provider to a financial institution. The industry designed the Cybersecurity Profile to be a framework that scales across institutions of varying complexity, interconnectedness, and criticality, and it incorporates regulatory expectations and best practices from across the sector and around the globe.
###
About the Bank Policy Institute. The Bank Policy Institute (BPI) is a nonpartisan public policy, research and advocacy group, representing the nation’s leading banks and their customers. Our members include universal banks, regional banks and the major foreign banks doing business in the United States. Collectively, they employ almost 2 million Americans, make nearly half of the nation’s small business loans, and are an engine for financial innovation and economic growth.