Profile All-In-One With Assessment Tool

The Roadmap Forward

Profile Overview and User Guide

Profile Impact Tiering Questionnaire

Profile Diagnostic Statements and Mappings-Only Spreadsheet

Profile FAQs

 Financial Services Sector Cybersecurity Profile

What It Is: The Profile is a scalable and extensible assessment that financial institutions of all types can use for internal and external (i.e., third party) cyber risk management assessment and as a mechanism to evidence compliance with various regulatory frameworks (a “common college application for regulatory compliance”) both within the United States and globally.

Why It Was Created: When surveyed two years ago, Chief Information Security Officers from financial institutions indicated that nearly 40% of their time, and their teams’ time, was spent reconciling various cybersecurity and regulatory frameworks.*

For financial institutions, if the Profile approach is implemented, accepted by regulators for use, and maintained, the benefits of focusing cybersecurity experts time on protecting global financial platforms, rather than compliance activity, will be significant. For an industry already burdened by a shortage of adequately skilled individuals, reducing this percentage by streamlining compliance is a tremendous benefit.

For the regulatory community, Profile usage will enhance their visibility across firms, subsectors, third parties, and other sectors, which will enable better analysis and mitigation of systemic and concentration risks.

 * This predated the Financial Stability Board’s announcement in 2017 that 72% of its 25 member jurisdictions were self-reporting that each had plans to issue further cybersecurity regulatory frameworks, etc.

benefits to financial institutions

Boardroom Engagement to Advance Investment:  For the C-Suite and board directors, cybersecurity is a top concern and supervisors expect institutions to track their progress in mitigating identified security gaps. By using the Profile over several cycles, financial institutions can benchmark their programs with the Profile’s recommended practices, identify gaps, articulate those gaps to the C-Suite and board directors in plain language, discuss appropriate resourcing for mitigation, and track the advancement in mitigation efforts over time.  

Efficiencies:  The Profile promises to reduce the time a financial institution needs to complete a comprehensive assessment by offering a tailored set of diagnostic assessment questions, the Diagnostic Statements, reflecting the institution’s risk to the broader economy.

  • 73% Reduction for Community Institution Assessment Questions. For the least complex and interconnected institutions, it is expected that they would answer a total of 145 questions (9 tiering questions + 136 Diagnostic Statement questions). As compared to another widely-used assessment tool’s 533 questions, this represents a 73% reduction.
  • 49% Reduction in Assessment Questions for the Largest Institutions. For the most complex and interconnected institutions, the reduction also is significant. With the Profile, it is expected that such institutions would answer 279 questions (2 tiering questions + 277 Diagnostic Statement questions) as compared to the other widely-used assessment’s 533, a 49% reduction.

Additional Benefits:  While increased time and focus on cybersecurity projects and activities is a substantial benefit, there are a number of additional significant benefits that would inure to firms and the community currently, in the near term, and longer term with Profile usage.  

Immediate benefits for financial institutions include:
•    Enhanced internal and external oversight, due diligence and risk identification using consistent terms and concepts;
•    More efficient third-party vendor management review and oversight;
•    Greater intra-sector, cross-sector and international collaboration and understanding based on ISO standards,CPMI-IOSCO and the NIST Cybersecurity Framework; and
•    Greater innovation as technology companies, FinTech firms, startups, etc., are able to meet requirements/expectations more efficiently.

benefits to regulatory community

For the regulatory community, the benefits are likewise numerous. With the Profile, Regulators could:

  • Tailor examinations to institutional complexity and conduct “deeper dives” in those areas of greater importance to that particular supervisory organization;
  • Better discern the sector’s systemic risk by being able to compare answers using common terms and concepts from different institutions;
  • Understand the baseline status of security more quickly, affording more agency time for specialization, testing and validation;
  • Create the ability to take collective action to better address identified risks;
  • Compare and better analyze data from other agencies and other jurisdictions;
  • Enhance supervisors’ visibility into non-sector and third-party risks.

How to Use the Profile: The Profile assists institutions in assessing their cybersecurity risk management governance, processes, capabilities, and regulatory compliance posture as expected against the various Impact Tier levels to which they correspond. In understanding their posture, institutions can then develop plans to close any identified gaps. This process can be reduced to four repeatable steps as depicted and further described below:


Step 1 – The Institution would first determine its Impact Tier level by completing the Impact Tiering Questionnaire. The Questionnaire consists of only 9 potential questions that depending on an institution’s set of responses segment the institution into one of four Impact Tier levels: Level 1: National/Super-National Impact; Level 2: Subnational Impact; Level 3: Sector Impact; and Level 4: Localized Impact. Depicted by #1 above.

 Step 2 – Based on the Institution’s Impact Tier level, the Institution would then assess itself against the corresponding set of Diagnostic Statement questions. Institutions at the Level 1: 277 Diagnostic Statement questions; an Institution at the Level 2: 262 Diagnostic Statement questions; an Institution at the Level 3: 186 Diagnostic Statement questions; and Institutions at the Level 4: 133 Diagnostic Statement questions. Depicted by #2 above.

 Step 3 – Through its responses, the Institution would then identify any shortcomings or gaps in its cybersecurity risk management governance, processes, capabilities, and regulatory compliance posture. Depicted by #3 above.

 Step 4 – Once gaps are identified, the Institution would develop and implement a plan to close those gaps so that it can satisfy the expectations associated with its particular Impact Tier level.

The Institution repeats this process on a periodic basis or upon a “change event” which would warrant an Impact Tier level reconsideration, such as –

  • Acquisition of another entity;
  • Introduction of a new business line;
  • Significant growth;
  • A significant change in a threat landscape;
  • The Institution believes that their Impact Tier has changed; or
  • A regulatory or supervisory body believes that the Institution’s self-assessed Impact Tier level is inaccurate or has changed.

For further information, please feel free to view: Profile Overview and User Guide and/or contact

Josh Magri     

Senior Vice President, Counsel for Regulation & Developing Technology 

Bank Policy Institute (BPI) – BITS




Denyette DePierro

Vice President & Senior Counsel

Center for Payments and Cybersecurity

American Bankers Association



Maintenance Going Forward: Trade association partners are currently in discussion regarding the establishment of an ongoing coalition to ensure that the Profile remains an active and dynamic product that helps develop, assess and advance cybersecurity broadly across the financial services sector. To achieve this objective, the coalition will establish a governance process committed to updating and maintaining the Profile in 2-3 year cycles using a multi-stakeholder process similar to the one used to complete a Version 1.0. More details will follow in the coming weeks.


Please provide your e-mail address and password to login.

If your login information is displayed below, then you are already logged in.

 Forgot your password?  »

No problem. Enter your e-mail address below. Then check your e-mail for a message that includes a link to change your password.