DRAFT Financial Services Sector Cybersecurity Profile

The initial DRAFT Financial Services Sector Cybersecurity Profile (“Profile”) is intended as a starting point for meaningful and ongoing dialogue with our regulators and interested parties on the feasibility and value of cybersecurity regulatory harmonization. This Profile, similar to those developed by the Electrical Subsector and the Maritime Bulk Liquid Transfer subsector (a subcomponent of the oil and gas industry) in collaboration with their sector-specific agency and regulatory agency, is a customization of the NIST Cybersecurity Framework that incorporates the unique aspects of the sector and our regulatory requirements.

If completed with regulatory community engagement, a Profile or other framework similar to this will allow regulators and sector firms of all sizes to:

· Perform to a uniformly described set of security practices, scaled to the institution’s risk;
· Document performance of such practices in a uniform way; and
· Facilitate efficient, consistent responses to regulatory requests.

Moreover, if this proposed Profile (or something similar) were roundly adopted by the regulatory community, it would provide a categorization methodology by which any new regulation could reference the specific function, category, subcategory, or diagnostic statement that it adds to or augments.

Such an approach to cybersecurity – i.e., a GAAP or Dewey Decimal System for cybersecurity compliance – could align regulatory agency expectations/requirements that are currently similar in intent but different in wording so that they become the same in both intent and wording. Using a sample set of data, the forecast, supported by industry and select regulators, indicates that over 80% of regulatory requirements/expectations could be consolidated in this manner. By reducing the need to reconcile differing language, firms would be able to focus resources more directly on improving cybersecurity, enhancing risk management, and reducing costs, addressing both the workforce and the regulatory burden challenges that the industry is acutely experiencing right now (since the release of the NIST CSF three years ago, industry has tracked over 30 regulatory agency and self-regulatory organization cybersecurity proposals that have an impact on financial services information security programs).

Download the Draft Profile Document here

Cybersecurity Profile – Risk Tiering Methodology

To enhance cybersecurity risk management while offering a more tailored set of expectations for financial services institutions of varying systemic criticality, the sector has developed the following four-tier “risk tiering” methodology, which aligns with the set of Diagnostic Statements contained in the Financial Services Sector Cybersecurity Profile (“Profile”). This risk tiering enables the use of the Profile across the whole of the sector and across institutions of varying complexity.

As expressed in the Questionnaire, which can be downloaded here, the four risk tier levels are defined as follows:

Criticality Level 1: National and Super-National (composed of 2 questions)

– Designated most critical by one or more US regulatory agencies and/or bodies (e.g., GSIB, Section 9).

– Implies that the gross cyber risk exposure of an organization or service categorized as National and Super-National has the greatest potential adverse impact on the FSS and on the overall stability of the North American economy.

Criticality Level 2: Sub-National (composed of 6 questions)

– Providers of mission-critical services.

– Providers of a high number of services to end-consumers, with customer counts rising into the millions.

– Though not designated as most critical, implies that the gross cyber risk exposure of an organization or service categorized as Significant has a substantial potential adverse impact on the FSS, but has not risen to the level of most concern or Sub-National.

Criticality Level 3: Sector (composed of 5 questions)

– Any provider of services considered vital to business operations.

– These characteristics imply that the gross cyber risk exposure of an organization or service categorized as Sector has a concerning potential adverse impact on the FSS, but has not risen to the level of substantial concern or Sub-National.

Criticality Level 4: Localized Impact (composed of zero questions, but contains a description)

– Organizations that typically serve a relatively small number of customers.

– Organizations typically characterized by relatively low levels of interconnectedness with the FS Sector.

– Implies that the gross cyber risk exposure of an organization or service categorized as Localized Impact has not risen to the level of significant impact on the FSS; therefore, the organizations and services in this category may be considered out of scope for FSS cyber risk management efforts.

Questionnaire Usage Instructions for Financial Institutions:

  1. This particular questionnaire focuses on the tiering of institutions relative to the US Financial Services Sector (FSS), with the intention of expanding the framework to a global perspective at a later point in time.
  2. If in doubt when responding to a question, institutions should always adopt the higher risk tier.
  3. Each risk tier will correspond to a set of capability and maturity guidance, with each successive tier representing a step up in capability and maturity expectations.
  4. An organization can always decide to go above and beyond its expected maturity to enhance its security practices.
  5. Organizations aligning to the highest risk tier will be immediately “off-ramped” from the Questionnaire and will need to complete everything in the Profile. Other institutions will have to answer more up-front questions in the Questionnaire, but would then answer fewer Diagnostic Statements within the Profile itself.

Download the Risk Tiering Questionnaire