The Profile is a straightforward tool for easy adoption. However, as a new development, you may have questions about the Profile’s origins and CRI’s role. Some of those are answered below. For other questions, please contact us.
Ensuring the industry is safe from cyber incidents is a critical priority for regulators. However, the rapid proliferation of cybersecurity requirements for financial firms has left institutions struggling to keep up, and critical frontline resources are often instead focused on meeting requirements. When surveyed, Chief Information Security Officers for financial services institutions reported that up to 40% of their time was spent on the compliance requirements of various regulatory frameworks — not cybersecurity.*
The Profile eases this burden on the financial services industry while still meeting regulatory expectations. Focusing cybersecurity experts’ time on protecting global financial platforms, rather than compliance activity, will significantly enhance security efforts. For an industry already burdened by a shortage of adequately skilled individuals, reducing this percentage by streamlining compliance activity is an immediate gain in efficiency and managed risk.
For the regulatory community, Profile use would enhance transparency and improve visibility across institutions, subsectors, third-parties, and across sectors, enabling better analysis and mitigation of systemic and concentration risks.
When industry can focus on cybersecurity, and when regulators have more confidence in compliance, the consumer benefits.
* This predated the Financial Stability Board’s announcement in 2017 that 72% of its 25 member jurisdictions were self-reporting that each had plans to issue further cybersecurity regulatory frameworks.
Yes, there was broad representation by subsectors (e.g., banking, insurance, asset management, market utilities, broker-dealers) as well as functional roles (e.g., Board Directors, CEOs, CISOs, Chief Information Risk Officers, cyber and privacy attorneys) in the Profile’s development.
Work began on the Profile in late 2016, when a coalition of trade associations gathered under the Financial Services Sector Coordinating Council (FSSCC)* to review and identify areas of regulatory overlap. The 50+ working sessions over two years included the participation of over 300 individual experts, representing over 150 financial institutions, ranging from community banks and credit unions to large multinational banks, investment firms, and insurance institutions.
Input was solicited, received, and integrated from a large group of U.S. and international financial services regulatory bodies. In one major event in April 2018, NIST hosted an open workshop to further develop a scaling methodology for the Profile. Over 100 individuals attended the workshop, with representation from financial services institutions and the state and national supervisory community. Inputs, feedback, and recommendations provided by these sessions were reviewed, discussed, and incorporated based on the working group’s consensus. The result is the Profile.
Industry leaders realized that for the Profile to be useful, it had to stay current. A dedicated organization which could house and maintain the Profile, and which could work as a standards-setting organization representing the entire industry, needed to be pulled together to ensure the Profile continued to serve its initial mission.
In order to benefit customers, financial institutions, and supervisory agencies worldwide, the Profile is designed to be:
- Generally applicable and usable by all types of financial institutions, and adaptable based on inherent risk and institutional circumstances
- Comprehensive in terms of the scope of assessment questions asked and adequately efficient to optimize cybersecurity staff time at the keyboard and supervisors’ time conducting higher-value analysis
- Usable and beneficial for those that are supervised by numerous agencies, in possibly multiple international jurisdictions, and by those that may have fewer supervisors, but want a credible, standardized self-assessment framework
- Usable and beneficial for the most interconnected, systemically important institutions, and also among the smaller and least interconnected institutions
To achieve these objectives, the Profile is based on widely used frameworks and standards, as well as supervisory guidance and assessment tools, such as the NIST Cybersecurity Framework, the ISO/IEC 27001/2 controls, CPMI-IOSCO, and the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT), among others. This principle of leveraging what existed—not “starting from scratch”—extended into the creation of the Impact Tiering scaling methodology, with the use of existing criteria for financial sector criticality. It also extended to the formulation of the diagnostic statements, which reference current supervisory expectations. If assessment language existed that did not overlap or have redundant phrasing, that language was used. However, where supervisory agencies used similar, overlapping, or duplicative language or phrasing, the simplest or most ubiquitous language was selected for the Profile.
The Profile is a financial services sector-specific distillation of the NIST Cybersecurity Framework (NIST CSF)—and other key guidance documents such as ISO and CPMI-IOSCO—to better address the sector’s regulatory environment. Like the NIST CSF, the Profile articulates desired security outcomes based on cyber risk management best practices and credible approaches. However, unlike the NIST CSF, the Profile extends the mapping of those risk management activities to sector-specific regulations, guidance, and supervisory materials and includes Diagnostic Statements to aid in assessing a risk management program. It also adds two new Functions to NIST’s five-Function design. These two new Functions are “Governance” and “Dependency Management,” which were added due to their prioritization by the financial services regulators.
In sum, the Profile effectively extends the NIST CSF vertically, by adding two additional Functions, and horizontally, by adding diagnostic statements that elaborate desired Subcategory outcomes. These expansions align the Profile with the financial services sector’s cybersecurity environment, protection needs, and regulatory requirements.
Yes. With the publication of Profile, Version 1.0, NIST released the following written statement of support:
Congratulations on publication of the Financial Services Sector Cybersecurity Profile Version 1.0. NIST encourages customization of our publications in ways that best meet the needs of each user. The Financial Services Sector Cybersecurity Profile Version 1.0 builds upon the Cybersecurity Framework in ways that support the financial services community.
NIST has found the Financial Services Sector Cybersecurity Profile Version 1.0 to be 1) correct with regard to Cybersecurity Framework Version 1.1, 2) supportive of a risk-based approach to cybersecurity, and 3) one of the more detailed Cybersecurity Framework-based, sector regulatory harmonization approaches to-date.
NIST is happy to have supported the Financial Services Sector Coordinating Council in developing your work product. As financial services users implement your guidance, we should continue communicating, as user observations will likely inform future versions of the Financial Services Sector Cybersecurity Profile and the Cybersecurity Framework itself.
In addition to the statement, NIST has been an active facilitator and partner in the Profile’s development. In May 2017, NIST invited the Profile working group to present an early draft Profile at the annual CSF stakeholders meeting at NIST’s Gaithersburg, MD location and posted a summary of the Profile on the NIST CSF webpage. On April 26, 2018, NIST hosted a full-day, open and public workshop, in concert with the Financial Services Sector Coordinating Council, at the U.S. Department of Commerce building in Washington, DC. This workshop considerably advanced the development of the Profile’s scaling methodology (what would later become the Profile’s Impact Tiering).
The Profile is designed for all financial institutions, financial services companies, financial firms, and their third-party providers. A broad cross-section of the financial services industry—banking, insurance, asset management, market utilities, broker-dealers—designed the Profile to scale across institutions of varying complexity, interconnectedness, and criticality. Regulatory issuances and best practices from across the sector (and around the globe) are incorporated.
Usage of the Profile is entirely voluntary. Many regulators publicly recognize the Profile as an acceptable framework and have promised to accept it; however, there is no mandate to use the Profile. There are many benefits to using the Profile.
There are numerous and substantial benefits to the financial services sector. The Profile:
- Offers compliance efficiencies that grow with a financial institution’s complexity
- Focuses senior executive and boardroom review of cybersecurity risks and budgeting
- Brings plain language to benchmarking, risk management, audit, and in-house education
- Aids prioritization and focused use of resources
- Eases collaboration with other financial institutions, third-parties, and innovative non-bank financial companies
- Supports tailored supervision, examinations, and collaboration among state, federal, and international supervisors
- Enhances understanding of systemic risk within the sector, across sectors, and among institutions and third-parties
- Creates a common baseline security threshold
- Improves data collection and comparison
- Enhances internal and external oversight, due diligence and risk identification using consistent terms and concepts
- Allows more efficient third-party vendor management review and oversight
- Ensures greater intra-sector, cross-sector and international cybersecurity collaboration due to the common use of ISO standards, CPMI-IOSCO and the NIST Cybersecurity Framework
- Encourages innovation and adoption of emerging technology, as FinTech firms and startups can more readily demonstrate adherence to financial services sector cybersecurity requirements and supervisory expectations
Benefits to the Regulatory Community
For the regulatory community, the benefits are also numerous and substantial. With the Profile, state, federal, and global supervisors can:
- Tailor examinations to institutional complexity and conduct “deeper dives” in those areas of greater importance
- Better discern the sector’s systemic risk by comparing answers across institutions using common terms and concepts
- Understand an institution’s baseline security status quickly, affording additional time for specialization, testing and validation
- Broaden the ability to take collective supervisory action to address identified global, national, sector and institution risks
- Improve data analysis and data comparisons from other agencies and jurisdictions
- Enhance supervisors’ visibility into non-sector and third-party risks
The use of the Profile’s approach does not limit what a supervisor can review or require. Rather, it provides a strong foundation—allowing financial institutions to confidently produce baseline evidence for review and more quickly respond to iterative and follow-up questions from the supervisor. This shared approach produces a more efficient and consistent examination process for supervisors and financial institutions.
The Profile may be used in multiple ways, from self-assessment and third-party risk management, to providing a common supervisory engagement approach among state, federal, and international regulatory bodies.
Yes, the Profile has wide financial services sector support. It has the support of the FSSCC, financial institutions, and financial services trade associations representing financial institutions from each subsector.
Developed and released by the FSSCC, the Profile is also supported by a coalition of trade associations and financial institutions. This includes our 36 formal members and a much larger network of organizations that use, and contribute to, the Profile.
Numerous U.S. federal regulators and agencies encouraged its development and announced their public support for the Profile and its use at its release event on October 25, 2018, and in the years that followed. A selection of these statements of support is available.
Yes, financial institutions are already using the Profile—as a self-assessment, a third-party assessment, and/or for their compliance efforts.
The Profile’s mappings are comprehensive, but they are not exhaustive. The Profile has mapped to and integrated numerous global standards and supervisory expectations, including the ISO 27000 series of controls, CPMI-IOSCO’s “Guidance on cyber resilience for financial market structures,” among others. More such mappings, however, have been requested. To satisfy these requests, the coalition has committed to map regulations, frameworks, guidance, etc., from leading jurisdictions on a rolling basis in the months that immediately follow Profile, Version 1.0’s release.
If you believe that a supervisory issuance should be included in a future version, please submit suggestions to CRI.
The Profile is designed to keep up with changes to the regulatory environment, and to continually incorporate new issuances. CRI identifies priority integration opportunities and maps these to the Profile, usually working with BCG Platinion.
Then, we organize industry working groups to validate the initial mapping. These working groups walk through each affected diagnostic statement to confirm that it still works as intended. The resulting changes are then provided to the relevant regulators for their feedback.
Our working groups are open to all members of the industry to achieve the widest-possible consensus and most effective input.
Yes, you can! If you are interested in joining CRI, please reach out.
Yes, these materials are licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/4.0 or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.