A coalition of industry groups has unveiled a new cyber compliance profile framework specifically for financial institutions, aimed at streamlining regulatory burdens.
The Financial Services Sector Coordination Council (FSSCC) hopes the new framework—based on the National Institute of Standards and Technology’s (NIST) Cyber Security Framework (CSF), CPMI-IOSCO’s “Guidance on cyber resilience for financial market structures,” FFIEC Cybersecurity Assessment Tool (CAT) and direct correlative mappings to ISO/IEC 27001/2 controls—will help banks reduce their cyber risk compliance workload between 49 and 73 percent, depending on the size of the institution.
What happened
Financial institutions face mounting requirements with regard to cybersecurity, both within the United States and globally, and with the greater burden comes a greater cost of compliance.
Seeking to reduce the burden—and the associated cost—the FSSCC created a Financial Services Sector Cybersecurity Profile (Profile). A scalable and extensible assessment, the Profile can be used for both internal and external cyber risk management, and as a mechanism to evidence compliance with different regulatory requirements, the group explained.
The Profile is designed for all financial institutions, financial services companies, financial firms and their third-party providers.
By using the Profile over several cycles, financial institutions can benchmark their programs, identify gaps and track compliance progress over time. Depending on the size and risk profile of the institution, the Profile can reduce the time a bank needs to complete a comprehensive assessment. For the least complex and interconnected institutions, the FSSCC expects a 73 percent reduction in the number of assessment questions, with a 49 percent reduction for the most complex and interconnected institutions.
To use the Profile, financial institutions begin with the Impact Tiering Questionnaire, which consists of nine potential questions that segment the bank into one of four Impact Tier levels depending on its responses (Level 1: National/Super-National Impact, Level 2: Subnational Impact, Level 3: Sector Impact and Level 4: Localized Impact).
Based on its Impact Tier level, the bank would assess itself against the corresponding set of Diagnostic Statement questions. Institutions slotted into Level 1 face 277 questions, with 262 questions for Level 2 institutions, 186 questions for Level 3 institutions and just 133 questions for those in Level 4.
The bank would then, based on its responses, identify any shortcomings or gaps in its cybersecurity risk management governance, processes, capabilities and regulatory compliance posture. Once the gaps are identified, the bank would develop and implement a plan to close them so that it can satisfy the expectations associated with its Impact Tier level.
Importantly, the institution can repeat this process periodically or upon a “change event” that warrants an Impact Tier level reconsideration, such as significant growth, the acquisition of another entity, the introduction of a new business line, a significant change in a threat landscape, an institutional belief that the Impact Tier has changed, or a regulatory or supervisory body belief that the institution’s Impact Tier level is inaccurate or has changed.
In addition to the benefits to banks, the Profile will make life easier for regulators as well, the FSSCC said. Regulators may be able to understand the baseline status of security more quickly and be able to better discern the sector’s systemic risk by being able to compare answers using common terms and concepts from different institutions.
To ensure that the Profile remains “an active and dynamic product that helps develop, assess and advance cybersecurity broadly across the financial services sector,” the FSSCC noted it is still discussing whether to assemble an ongoing coalition that will establish a governance process to update and maintain the Profile in two-to-three-year cycles.
Why it matters
The Profile is a valuable new tool for banks, given that it is specific to financial services, breaks down the industry into four tiers, is tailored to the size of the institution, and is based on the NIST CSF, CPMI-IOSCO and ISO standards, which all the latest regulations reference. The initial response from regulators was positive. “While we’re not going to mandate the use of the profile, we welcome any financial institution to provide information to us using the structure and the taxonomy of the profile,” Julia Philipp, senior supervisory financial analyst at the Federal Reserve Board of Governors, told Bloomberg Law.