Version 1.1 of the Profile Incorporates NAIC IT Handbook Amendments and Adds Governance and Supply Chain/Dependency Management References to Widely Used Standards
Washington D.C. — On Nov. 12, 2020, the Cyber Risk Institute (CRI) released an update to its Profile to expand the Profile’s offerings and increase its utility for a vital segment of the financial services industry – insurers and the insurance industry. This Version 1.1 incorporates the National Association of Insurance Commissioners (NAIC) Financial Condition Examiners Handbook (sometimes referred to as the NAIC IT Handbook) updates, particularly updates to its Exhibit C: EVALUATION OF CONTROLS IN INFORMATION TECHNOLOGY (IT). Additionally, Profile v1.1 now includes a full suite of “Informative References” for the functions “Governance” and “Supply Chain/Dependency Management,” better connecting those functions and related diagnostics to widely used industry standards such as ISO, COBIT and NIST 800-53.
CRI Managing Director Josh Magri characterized the release of Version 1.1 as a great “next step” in the development of the Profile. “CRI is always working to improve and amplify the Profile by integrating new elements — but I am especially pleased that for our first update, we are adding guidance which is used across the insurance industry. This clearly demonstrates the flexibility of the Profile, and in certain ways, is a symbol of what is to come: we aren’t limited to one portion of the sector.”
The NAIC Handbook “offers specific instructions and suggestions for carrying out each individual phase of examination” and the inclusion of Exhibit C and amendments in the Profile eases the ability of these users to ensure they’re meeting their cybersecurity and IT requirements. Because NAIC managed this mapping to the Profile directly, the inclusion of the Handbook’s Exhibit C reflects the progressive approach that the NAIC has taken toward supporting industry compliance efforts, and their confidence in the Profile. It also provides Profile users certainty in the matching of the Profile diagnostic statements to regulator intent.
Leading users of the Profile among the insurance industry are vocal about their enthusiasm for what Version 1.1 will bring:
“As a member of the Cyber Risk Institute, Western & Southern Financial Group worked closely with CRI and other industry members to develop the latest version of their Cyber Risk Profile. This is a valuable tool that companies within the financial and insurance industries can use when working with their examination teams.” – Western & Southern Financial Group
“USAA remains engaged and committed to the advancement and maturation of CRI’s Cyber Risk Profile, and looks forward to additional guidance being incorporated into the Profile. As a member, we support CRI’s efforts to further the maturity of cyber risk assessments for the financial services industry.” – Anna Hines, Business Information Security Officer (BISO) – P&C, USAA
The Cyber Risk Institute (CRI) is a not-for-profit coalition of financial institutions and trade associations operating as a subsidiary of Bank Policy Institute. CRI is working to protect the global economy by enhancing cybersecurity and resiliency through assessment standardization. Its Cyber Profile tool is the benchmark for cyber security and resiliency in the financial services industry. Learn more at cyberriskinstitute.org.