Closing the Pandora’s Box of International Cyber Regulatory Fragmentation?

With each passing day, more of the systems that provide us with food, water, shelter, energy, communication, and currency are digitized.  Accordingly, cybersecurity and its advancement as a discipline has never been more important; it is now existential.  Governments across the globe generally grasp this fact and also understand that it is the private sector owners and operators of these systems that are on the front lines of defense.

As the saying goes, however, “a little knowledge is a dangerous thing.”  In reaction, governments and their agencies have done what they typically do: they regulate.  In the United States alone, the federal financial services regulatory agencies recently self-reported 43 separate and distinct cyber supervisory expectations (e.g., guidance, guidelines, supervisory requests and questionnaires, diagnostics and tools) applicable to the sector.  Those 43 items did not include questionnaires, first-day letters, and other non-public supervisory expectations that financial institutions are also subject to during their examination process, nor does it include the cyber regulatory expectations issued by each of the fifty states.

Other jurisdictions have been just as prolific.  In that same report – the Financial Stability Board’s “Stocktake of Publicly Released Cybersecurity Regulations, Guidance and Supervisory Practices” – the European Union referenced 26 publicly available supervisory expectations.  Members of the Union also reported their own individual nation states’ supervisory expectations, with France, for example, reporting 4, Germany 7, and Italy 19.  In the Asia-Pacific region, Japan reported 4 publicly available supervisory expectations, China 11, and Australia 11 as well.  In fact, according to the FSB Stocktake, “[a]ll 25 member jurisdictions[1] report that they have publicly released regulations or guidance that address cybersecurity for at least part of the financial sector, and a majority have also publicly released supervisory practices.”

Nonetheless, 72% of the member jurisdictions reported that they plan to issue “new regulations, guidance or supervisory practices that address cybersecurity for the financial sector” in calendar year 2018.  According to the Stocktake, these supervisory expectations would include new regulation, “guidance and strategy for the financial sector; a self-assessment exercise to gauge the cyber resilience of FMIs; guidance on conducting threat intelligence based testing of cyber resilience; developing a set of standards for industry on Information Technology Risk (including cyber) and updating existing guidance in this area; and establishment of a computer emergency response team (together with computer security incident response team referred to hereinafter as CERT) for the financial sector.”

Assessed individually, most of these existing supervisory expectations could help advance the cybersecurity posture within firms, in that, for some firms, they help focus both financial and personnel resources.  The sheer volume and velocity of cyber supervisory expectations, however, has been counter-productive to cybersecurity.  Firms have had to focus more of their cyber professionals’ time on compliance-related activities, such as mapping their firms’ cyber programs to the various and differing categorization systems and terminology specific to each issuance, at the expense of sitting at the computer, protecting systems.

When the sector surveyed its information security teams approximately two years ago, one multinational estimated that 40% of its cyber team’s time was spent on compliance-related matters, not on cybersecurity.  That multinational’s experience was not unique; it was the mean.  Faced with the well-documented shortage of cybersecurity professionals, it is not a percentage that has been meaningfully reduced.  In fact, it is likely to increase if the 72% of FSB member jurisdictions that intend to release new cyber guidance continue to do so in a fragmented, non-harmonized, and non-standardized manner.

The Pandora’s Box of fragmented cyber regulation can be closed, however.  There is HOPE: there is an international solution.  The solution is the Financial Services Sector Cybersecurity Profile, a meta framework based on the organizational structures of the National Institute of Standards and Technology “Framework for Improving Critical Infrastructure Cybersecurity” (NIST Framework) and CPMI-IOSCO “Guidance on cyber resilience for financial market structures” and extended with assessment questions based on the FFIEC Cybersecurity Assessment Tool and direct correlative mappings to the ISO 2700 series.

The Financial Services Sector Cybersecurity Profile – A Primer:

Starting in October 2016, the financial services industry began mapping the various financial services regulatory organizations’ supervisory expectations against the NIST Cybersecurity Framework, CPMI-IOSCO and the ISO standards.  With multiple mappings complete, a pattern emerged: over 80% of the mappings were topically identical, but semantically different.  To reduce the time spent reconciling these differences, the industry began developing the Financial Services Sector Cybersecurity Profile.  The Profile was architected around the NIST Cybersecurity Framework’s five functions, categories, and subcategories, and extended to include two new functions – Governance and Supply/Dependency Management – which emerged as distinct areas of (appropriate) regulatory focus.  Borrowing from the FFIEC Cybersecurity Assessment Tool, the Profile also added a series of Diagnostic Statements that synthesize overlapping expectations from multiple regulatory organizations into a more singular, standardized set of assessment-ready diagnostics.

To further enhance the assessment capabilities of the Profile, industry began developing, with the regulatory community’s support, an “Impact Tiering” overlay.  The Impact Tiering offers a more tailored set of expectations for financial services institutions of varying systemic criticality.  The Impact Tiering methodology is based on an institution’s potential to impact the security of the jurisdiction within which it sits:

  • Level 1: Institution could pose a super-national/national impact;
  • Level 2: Institution could pose a subnational impact;
  • Level 3: Institution could pose a more sectoral impact;
  • Level 4: Institution’s impact is more contained to the enterprise, customers, and/or business partners.

As firms move numerically lower on the Impact Tiering levels – from 4 to 3, 3 to 2, and 2 to 1 – they would answer progressively more diagnostic statements to account for their increased criticality.

This work is near complete, and the sector anticipates releasing a fully developed Sector Profile Version 1.0 in September.

The Benefits of Cybersecurity Profile Adoption and Financial Services Sector Usage:

The Cybersecurity Profile provides a mechanism for aligning current regulatory expectations, requirements, and authorities, while acknowledging each of them.  More importantly, it provides a clear path forward to streamline existing and any future cybersecurity regulatory expectations around a common structure and vocabulary.

As noted below, the benefits are innumerable, as agreeing on a standard architecture would benefit not only the regulatory community and financial institutions, but also the global society dependent on the security of the financial systems that enable the activities of their daily lives.

By standardizing the language and regulatory approach around the Financial Services Sector Cybersecurity Profile, the international regulatory community will be able to –

  • Tailor examinations to institutional complexity and conduct “deeper dives” in those areas of greater importance to that particular regulatory agency (e.g., asset management);
  • Better discern the sector’s systemic risk, affording more agency time for specialization, testing and validation;
  • Create the ability to take collective action to better address identified risks;
  • Compare and better analyze data from other agencies and other jurisdictions; and
  • Enhance regulators’ visibility into non-sector and third-party risks.

For financial institutions, the benefits are likewise numerous:

  • Optimization of cybersecurity professionals’ time “at the keyboard” and defending against next generation attacks (e.g., calibrating risk identification, automating controls, cyber range testing, maturing program components);
  • Improved Boardroom and Executive engagement, understanding and prioritization;
  • Enhanced internal and external oversight and due diligence;
  • Greater innovation as technology companies, FinTech firms, startups, etc., are able to meet regulatory requirements and expectations more efficiently;
  • More efficient third-party vendor management review and oversight; and
  • Greater intra-sector, cross-sector and international cybersecurity collaboration and understanding.

Disclaimer: The views expressed in this post are those of the author(s) and do not necessarily reflect the position of BITS, The Bank Policy Institute, or their memberships, and are not intended to be, and should not be construed as, legal advice of any kind.

[1] The 25 member jurisdictions of the Financial Stability Board are: Argentina, Australia, Brazil, Canada, China, France, Germany, Hong Kong, India, Indonesia, Italy, Japan, Korea, Mexico, Netherlands, Russia, Saudi Arabia, Singapore, South Africa, Spain, Switzerland, Turkey, United Kingdom, United States and the European Union.