The latest, free copy of the Profile is available for download on the Financial Services Sector Coordinating Council (FSSCC) website, the NIST Cybersecurity Framework Critical Infrastructure Resources webpage: https://www.nist.gov/cyberframework/critical-infrastructure-resources, and on the websites of supporting trade associations.
These materials are licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/4.0/ or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.
| What the Profile Is | What the Profile is NOT |
| It is built from existing regulations, guidance, frameworks, and standards. | It is not an [originally developed] standard of good practice divorced from regulatory considerations. |
| It is comprehensive. | It is not exhaustive. |
| It describes some of the more universal elements of a cyber risk management program (i.e., the “what” of the program). | It does not necessarily describe how a firm should fulfill those elements (i.e., the “how” of the program). |
| Through the addition of diagnostic statements and an impact tiering construct, it also functions as a scalable self-assessment that can be used by financial institutions and third parties. | While generally applicable, it may not full address the unique requirements of all unique firms. It is often referred to as the 80% solution for 80% of firms. |
| It provides guidance. | It does not supersede regulatory authority, nor is it intended to replace reasonable business judgement. |
When surveyed two years ago, Chief Information Security Officers for financial services institutions reported that up to 40% of their time was spent on the compliance requirements of various regulatory frameworks, not cybersecurity.*
For financial institutions, if the Profile approach is implemented, accepted by supervisory agencies for use, and maintained by industry, the benefits would be tremendous. Focusing cybersecurity experts’ time on protecting global financial platforms, rather than compliance activity, will significantly enhance security efforts. For an industry already burdened by a shortage of adequately skilled individuals, reducing this percentage by streamlining compliance activity is an immediate gain in efficiency and managed risk.
For the regulatory community, Profile use would enhance transparency and improve visibility across institutions, subsectors, third-parties, and across sectors, enabling better analysis and mitigation of systemic and concentration risks.
* This predated the Financial Stability Board’s announcement in 2017 that 72% of its 25 member jurisdictions were self-reporting that each had plans to issue further cybersecurity regulatory frameworks.
Yes, there was broad representation by subsectors (e.g., banking, insurance, asset management, market utilities, broker-dealers) as well as functional roles (e.g., Board Directors, CEOs, CISOs, Chief Information Risk Officers, cyber and privacy attorneys) in the Profile’s development.
Starting in Q3 2016, a coalition of trade associations gathered under the Financial Services Sector Coordinating Council (FSSCC)* and began working on what would become the Profile, Version 1.0. The 40-50 working sessions over two years included the participation of over 300 individual experts, representing over 150 financial institutions, ranging from community banks and credit unions to large multi-national banks, investment firms, and insurance institutions. These sessions were largely co-led by Josh Magri of BITS (josh.magri@bpi.com), Denyette DePierro of the American Bankers Association (ABA) (ddepierr@aba.com), and the team of framework and standards experts at BCG Platinion, a division of The Boston Consulting Group, led by Nadya Bartol (Bartol.nadya@bcgplatinion.com).
Further input was solicited, received, and integrated from a myriad of U.S. and international financial services regulatory bodies. In April 2018, NIST hosted an open workshop to further develop a scaling methodology for the Profile. Over 100 individuals attended the workshop, with representation from financial services institutions and the state and national supervisory community.
From these sessions, the inputs, feedback, and recommendations provided were reviewed, discussed, and incorporated based on the working group’s consensus. The result is the Profile, Version 1.0.
* FSSCC’s mission is to strengthen the resiliency of the financial services sector and critical infrastructure against cyber and physical incidents by proactively identifying risks and promoting protection and mitigation, driving preparedness, and coordinating response for the benefit of its consumers, the sector, and the world. Established in 2002, FSSCC is now composed of over 70 member financial institutions, financial utilities, and financial services related trade associations (which, in turn, consist of 1000s of other member institutions). To achieve its mission, FSSCC and its member entities collaborate with appropriate government agencies and governmental bodies to develop and implement a variety of risk management and operational resilience strategies and initiatives. A list of FSSCC member entities can be found on its website: www.fsscc.org.
The Profile had to benefit customers, financial institutions, and supervisory agencies worldwide. The working group consensus was that the Profile would have to be –
To achieve these objectives, the working group decided to organize the Profile based on widely used frameworks and standards, as well as supervisory guidance and assessment tools, such as the NIST Cybersecurity Framework, the ISO/IEC 27001/2 controls, CPMI-IOSCO, and the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT), among others. This principle of leveraging what existed – and not “starting from scratch” – extended into the creation of the Impact Tiering scaling methodology, with the use of existing criteria for financial sector criticality. It also extended to the formulation of the diagnostic statements, which reference current supervisory expectations. If assessment language existed that did not overlap or have redundant phrasing, that language was used. However, where supervisory agencies used similar, overlapping, or duplicative language or phrasing, the simplest or most ubiquitous language was selected for the Profile.
The Profile is a financial services sector-specific extension of the NIST Cybersecurity Framework (NIST CSF)—and other key guidance documents such as ISO and CPMI-IOSCO—to better address the sector’s regulatory environment. Like the NIST CSF, the Profile articulates desired security outcomes based on cyber risk management best practices and credible approaches. However, unlike the NIST CSF, the Profile extends the mapping of those risk management activities to sector-specific regulations, guidance, and supervisory materials and includes Diagnostic Statements to aid in assessing a risk management program. It also adds two new functions to NIST’s five function design. These two new functions are “Governance” and “Dependency Management,” which were added due to their prioritization by the financial services regulators.
In sum, the Profile effectively extends the NIST CSF vertically, by adding two additional Functions, and horizontally, by adding diagnostic statements that elaborate desired Subcategory outcomes. These expansions align the Profile with the financial services sector’s cybersecurity environment, protection needs, and regulatory requirements.
With the publication of Profile, Version 1.0, NIST released this a written statement of support:
“Congratulations on publication of the Financial Services Sector Cybersecurity Profile Version 1.0. NIST encourages customization of our publications in ways that best meet the needs of each user. The Financial Services Sector Cybersecurity Profile Version 1.0 builds upon the Cybersecurity Framework in ways that support the financial services community.
“NIST has found the Financial Services Sector Cybersecurity Profile Version 1.0 to be 1) correct with regard to Cybersecurity Framework Version 1.1, 2) supportive of a risk-based approach to cybersecurity, and 3) one of the more detailed Cybersecurity Framework-based, sector regulatory harmonization approaches to-date.
“NIST is happy to have supported the Financial Services Sector Coordinating Council in developing your work product. As financial services users implement your guidance, we should continue communicating, as user observations will likely inform future versions of the Financial Services Sector Cybersecurity Profile and the Cybersecurity Framework itself" (link to letter).
In addition to the statement, NIST has been an active facilitator and partner in the Profile’s development. In May 2017, NIST invited the Profile working group to present an early draft Profile at the annual CSF stakeholders meeting at NIST’s Gaithersburg, MD location and posted a summary of the Profile on the NIST CSF webpage. On April 26, 2018, NIST hosted a full-day, open and public workshop, in concert with the Financial Services Sector Coordinating Council, at the U.S. Department of Commerce building in Washington, DC. This workshop considerably advanced the development of the Profile’s scaling methodology (what would later become the Profile’s Impact Tiering). For a link describing the event, please click here: https://www.nist.gov/news-events/events/2018/04/financial-services-sector-cybersecurity-workshop. Furthermore, NIST invited the working group to present the Profile, Version 1.0 at the NIST risk management conference in Baltimore, MD in November 2018. For a link describing the event, please click here: https://www.nist.gov/news-events/events/2018/11/nist-cybersecurity-risk-management-conference.
The Profile is designed for all financial institutions, financial services companies, financial firms, and their third-party providers. A broad cross-section of the financial services industry— banking, insurance, asset management, market utilities, broker-dealers—designed the Profile to scale across institutions of varying complexity, interconnectedness, and criticality. Regulatory issuances and best practices from across the sector (and around the globe) are incorporated.
Through the impact tiering questionnaire, the Profile segments the financial services sector into four tiers of criticality. Each tier corresponds with the impact that an institution would have on the global, national, sector, or local market if substantially impacted by a cybersecurity event. These “Impact Tiers” are as follows:
Tier 1: National/Super-National Impact – These institutions are designated most critical by one or more U.S. or North American regulatory agencies and/or bodies (e.g., GSIB designation; Executive Order 13636, Section 9 designation). This category assumes the gross cyber risk exposure of an institution or service categorized as Tier 1 would have the most potential adverse impact to the overall stability of the North American economy, and potentially, the global market.
Tier 2: Subnational Impact – These institutions provide mission critical services with millions of customer accounts. This category assumes the gross cyber risk exposure of an institution or service would have the potential for a substantial adverse impact to the financial services sector and subnational regional economy, but does not rise to the level of Tier 1.
Tier 3: Sector Impact – These institutions have a high degree of interconnectedness, with certain institutions acting as key nodes within, and for, the sector. The nature of the services that these institutions provide to the sector plays a significant role in determining their criticality.
Tier 4: Localized Impact – These institutions have a limited impact on the overall financial services sector and national economy. Typical characteristics include: (a) institutions with a local presence and less than 1 million customers (e.g., community banks, state banks); and (b) providers of low criticality services.
Upon determining an institution’s impact category, the Profile is customized to meet the institution’s likely cybersecurity risk. The user is then prompted to answer a set of self-assessment questions – the Diagnostic Statements – coded by function, category, subcategory, and associated numbering with the CPMI-IOSCO and NIST Cybersecurity Framework.
Financial institutions can use the Profile as the baseline examination assessment, and extend the functionality to evaluate partners, vendors, and third-party service providers.
Usage of the Profile is entirely voluntary. There is no mandate to use the Profile; but there are many benefits to using the Profile.
The numerous and substantial benefits to the financial services sector are:
Benefits to Financial Institutions
Boardroom Engagement to Advance Investment: For the C-Suite and board directors, cybersecurity is a top concern and supervisors expect institutions to track their progress in mitigating identified security gaps. By using the Profile over several cycles, financial institutions can benchmark their programs with the Profile’s recommended practices, identify gaps, articulate those gaps to the C-Suite and board directors in plain language, discuss appropriate resourcing for mitigation, and track the advancement in mitigation efforts over time.
Efficiencies: The Profile promises to reduce the time a financial institution needs to complete a comprehensive assessment by offering a tailored set of diagnostic assessment questions, the Diagnostic Statements, reflecting the institution’s risk to the broader economy.
Additional Benefits: While increased time and focus on cybersecurity projects and activities is a substantial benefit, continued use of the Profile would bring additional benefits. Immediate benefits for financial institutions include:
Benefits to Regulatory Community
For the regulatory community, the benefits also are numerous and substantial. With the Profile, state, federal, and global supervisors could:
The use of the Profile’s approach does not limit what a supervisor can review or require. Rather, it provides an examination approach allowing financial institutions to confidently produce baseline evidence for review and more quickly respond to iterative and follow-up questions from the supervisor. This shared approach would produce a more efficient and consistent examination process for supervisors and financial institutions.
Mergers and Acquisition/Institutional Safety and Soundness. A common approach to cybersecurity is important for M&A purposes. When evaluating acquisition targets — even those located within a 1-state footprint—cyber readiness and compliance gaps are a primary concern. Cyber alignment and maturity would be easier to evaluate and compare across institutions with a common approach, such as the Profile.
Multibank or Financial Services Holding Company. A small community bank may be part of a multibank holding company, with sister banks holding differing charters and/or financial services affiliates subject to SEC, or other non-bank oversight. A common approach to cyber within the financial services family of companies is a better use of resources and would make all affiliated entities safer.
Bank Growth and Evolution/Safety and Soundness. A bank’s ability to evolve and grow would be aided by a common cyber approach. If a single-state bank wants to expand operations to a second state, change charters, acquire another institution—bank or nonbank financial company—a common cyber approach facilitates a bank’s ability to be responsive to market conditions and strategic planning.
Interconnectedness/Safety and Soundness. As the supervisory environment becomes more focused on third-party risk and vulnerability by interconnectedness, banks of all sizes could be asked to demonstrate a robust approach to cybersecurity before participating in certain payment activities, high-risk banking transactions, or lower premium cybersecurity insurance policies. A common approach to cybersecurity, based on the Profile, Version 1.0, will allow banks of all sizes and business models to evaluate their cyber program—and the cyber program of other institutions— for threats, vulnerabilities, and defenses, in order to make an informed business decision about how, and with whom, to partner.
The Profile may be used in multiple ways, from self-assessment and third-party risk management, to providing a common supervisory engagement approach among state, federal, and international regulatory bodies.
Profile as Third-Party Risk Management Tool: Similar to self-assessment, a financial institution could evaluate partners, vendors and service providers with the four impact tiers based upon the third-parties’ criticality and interconnectivity. The financial institution could then request the third-party to provide evidence against the corresponding set of Diagnostic Statements identified by their impact tier.
Profile as a Common Supervisory Approach: The organization, vocabulary, and taxonomy of the Profile offers a credible method of cybersecurity risk management and a basis for conducting supervisory exams. Supervisors may allow financial institutions to use the evidence in their Profile self-assessment exercise for supervisory reporting and analysis. This consistency will allow supervisors to evaluate and compare peer institutions and clearly identify gaps for remediation. This approach is more efficient for the institution and supervisor and provides consistency for an institution in communicating its program, internally and externally.
Yes, the Profile has wide financial services sector support. It has the support of the Financial Services Sector Coordinating Council (FSSCC), financial institutions, and financial services trade associations representing financial institutions from each subsector.
Developed and released by the FSSCC, the Profile is also supported by a coalition of trade associations. In alphabetical order, this coalition is composed of the following trade associations (and growing):
o BITS – Business, Innovation, Technology, Security;
o The Association for Financial Markets in Europe (AFME),
o The Asia Securities Industry & Financial Markets Association (ASIFMA), and
o The Securities Industry and Financial Markets Association (SIFMA);
Adding Your Trade Association’s Support: We are collecting logos of trades that are supportive of the Profile. By allowing usage of the logo on the Profile and Profile related documents, it means that the trade association and its member institutions recognize:
The Financial Services Sector Cybersecurity Profile represents a comprehensive compilation of cybersecurity risk management best practices that could represent a basis for regulatory/supervisory harmonization for the financial services sector.
For more information or to lend your support, please contact Profile leads: Josh Magri of Bank Policy Institute (BPI) - BITS and Denyette DePierro of the American Bankers Association.
|
Josh Magri Senior Vice President, Counsel for Regulation & Developing Technology Bank Policy Institute (BPI) – BITS
|
Denyette DePierro Vice President & Senior Counsel Center for Payments and Cybersecurity American Bankers Association
|
Numerous U.S. federal regulators and agencies have encouraged its development and announced their public support for the Profile and its use at its release event on October 25, 2018.
Additional statements of support will be posted in the coming days.
Yes, financial institutions are already using the Profile. A number of those institutions described their usage at the Profile’s release event on October 25th. Others volunteered to use earlier drafts alongside other frameworks and regulatory tools to compare and generate feedback. The feedback provided proved invaluable and led to the incorporation of enhancements into the Profile, Version 1.0.
The Profile’s mappings are comprehensive, but they are not exhaustive. The Profile has mapped to and integrated numerous global standards and supervisory expectations, including the ISO/IEC 27001/2 controls, CPMI-IOSCO’s “Guidance on cyber resilience for financial market structures,” among others. More such mappings, however, have been requested. To satisfy these requests, the coalition has committed to map regulations, frameworks, guidance, etc., from leading jurisdictions on a rolling basis in the months that immediately follow Profile, Version 1.0’s release.
To the extent that you believe that a Supervisory issuance should be included in a future version, please submit suggestions to ProfileComments@bpi.com. Such suggestions will be considered using a multi-stakeholder process similar to the one used in developing Version 1.0 of the Profile.
Future Profile Governance and Profile Maintenance: The Financial Sector Coordinating Council (FSSCC), the trade associations, financial institutions, and other Profile development stakeholders recognize that future maintenance of the Profile is essential for its ultimate success. Numerous trade associations and financial institutions involved in the Profile’s development are forming a sustained coalition to manage Profile update activities and to educate and engage jurisdictions around the world on its benefits and usage. Interested parties will continue committing resources, such as their own subject matter experts and expertise, full time personnel, and funds for external experts and advisors.
This coalition has also committed to a 2-3 year update cycle to iterate a new, full version similar to the cycles used by other standards bodies, such as the National Institute of Standards and Technology (NIST) and International Standards Organization (ISO) for a full version. The coalition has also committed to more flexible update timeframes to include additional global supervisory expectations as well as any newly issued supervisory expectations.
The coalition recognizes that users may suggest potential enhancements and new cyber risk management concepts between Profile versions. As these recommendations surface, the coalition will evaluate their applicability within the regulatory landscape, utility to a cyber risk management program, and the feasibility of incorporation into a Profile’s next version. This process of evaluation will include a review by a coalition executive committee and other stakeholders, as appropriate, as was done to develop the Profile from concept to a Version 1.0.
The Roadmap: In addition to the release of the Profile, FSSCC has also generated “A Roadmap Forward” (Roadmap). The Roadmap is a companion document articulating topics to be addressed and planned activities occurring between successive versions. These topics and activities are listed in priority order and may change as circumstances change. Accordingly, please continue to check the Roadmap regularly. It can be found on the same webpage as the Profile.
Yes, we are continuing to build our coalition of trade associations and financial institutions. For more information or to lend your support, please contact Profile
leads: Josh Magri of Bank Policy Institute (BPI) - BITS and Denyette DePierro of the American Bankers Association.
|
Josh Magri Senior Vice President, Counsel for Regulation & Developing Technology Bank Policy Institute (BPI) – BITS
|
Denyette DePierro Vice President & Senior Counsel Center for Payments and Cybersecurity American Bankers Association
|
Yes, these materials licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/4.0/ or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.
