What It Is: The Profile is a scalable and extensible assessment that financial institutions of all types can use for internal and external (i.e., third-party) cyber risk management assessment and as a mechanism to evidence compliance with various regulatory frameworks (a “common college application for regulatory compliance”) both within the United States and globally.
Why It Was Created: When surveyed two years ago, Chief Information Security Officers for financial services institutions reported that up to 40% of their time was spent on the compliance requirements of various regulatory frameworks, not cybersecurity.*
For financial institutions, if the Profile approach is implemented, accepted by supervisory agencies for use, and maintained by industry, the benefits would be tremendous. Focusing cybersecurity experts’ time on protecting global financial platforms, rather than compliance activity, will significantly enhance security efforts. For an industry already burdened by a shortage of adequately skilled individuals, reducing this percentage by streamlining compliance activity is an immediate gain in efficiency and managed risk.
For the regulatory community, Profile use would enhance transparency and improve visibility across institutions, subsectors, third-parties, and across sectors, enabling better analysis and mitigation of systemic and concentration risks.
* This predated the Financial Stability Board’s announcement in 2017 that 72% of its 25 member jurisdictions were self-reporting that each had plans to issue further cybersecurity regulatory frameworks, etc.
Benefits to Financial Institutions
Boardroom Engagement to Advance Investment: For the C-Suite and board directors, cybersecurity is a top concern and supervisors expect institutions to track their progress in mitigating identified security gaps. By using the Profile over several cycles, financial institutions can benchmark their programs with the Profile’s recommended practices, identify gaps, articulate those gaps to the C-Suite and board directors in plain language, discuss appropriate resourcing for mitigation, and track the advancement in mitigation efforts over time.
Efficiencies: The Profile promises to reduce the time a financial institution needs to complete a comprehensive assessment by offering a tailored set of diagnostic assessment questions, the Diagnostic Statements, reflecting the institution’s risk to the broader economy.
- 73% Reduction for Community Institution Assessment Questions. For the least complex and interconnected institutions, it is expected that they would answer a total of 145 questions (9 tiering questions + 136 Diagnostic Statement questions). As compared to another widely-used assessment tool’s 533 questions, this represents a 73% reduction.
- 49% Reduction in Assessment Questions for the Largest Institutions. For the most complex and interconnected institutions, the reduction also is significant. With the Profile, it is expected that such institutions would answer 279 questions (2 tiering questions + 277 Diagnostic Statement questions) as compared to the other widely-used assessment’s 533, a 49% reduction.
Additional Benefits: While increased time and focus on cybersecurity projects and activities is a substantial benefit, continued use of the Profile would bring additional benefits. Immediate benefits for financial institutions include:
- Enhanced internal and external oversight, due diligence and risk identification using consistent terms and concepts;
- More efficient third-party vendor management review and oversight;
- Greater intra-sector, cross-sector and international cybersecurity collaboration due to the common use of ISO standards, CPMI-IOSCO and the NIST Cybersecurity Framework; and
- Encouraging innovation and adoption of emerging technology, as FinTech firms and startups can more readily demonstrate adherence to financial services sector cybersecurity requirements and supervisory expectations.
Benefits to Regulatory Community
For the regulatory community, the benefits also are numerous and substantial. With the Profile, state, federal, and global supervisors could:
- Tailor examinations to institutional complexity and conduct “deeper dives” in those areas of greater importance;
- Better discern the sector’s systemic risk by comparing answers across institutions using common terms and concepts;
- Understand an institution’s baseline security status quickly, affording additional time for specialization, testing and validation;
- Broaden the ability to take collective supervisory action to address identified global, national, sector and institution risks;
- Improve data analysis and data comparisons from other agencies and jurisdictions; and
- Enhance supervisors’ visibility into non-sector and third-party risks.
How to Use the Profile: The Profile may assist institutions in assessing their cybersecurity risk management governance, processes, capabilities, and regulatory compliance posture against the expectations of the Impact Tier to which they correspond. Having understood their posture, institutions can then develop plans to close any identified gaps. This process can be reduced to four repeatable steps, described below:
Step 1 – The Institution determines its Impact Tier by completing the Impact Tiering Questionnaire. The Questionnaire consists of 9 questions that identify an institution’s Impact Tier:
- Tier 1: National/Super-National Impact;
- Tier 2: Subnational Impact;
- Tier 3: Sector Impact; and
- Tier 4: Localized Impact.
Step 2 – Based on the Institution’s Impact Tier, the Institution assesses itself with the corresponding Diagnostic Statement questions:
- Tier 1: 277 Diagnostic Statement questions;
- Tier 2: 262 Diagnostic Statement questions;
- Tier 3: 188 Diagnostic Statement questions; and
- Tier 4: 136 Diagnostic Statement questions.
Step 3 – Based on the self-assessment, the Institution identifies shortcomings and gaps in its cybersecurity risk management governance, processes, capabilities, and regulatory compliance posture.
Step 4 – Once gaps are identified, the Institution develops and implements a plan to close gaps and address shortcomings to satisfy the cybersecurity expectations of its Impact Tier.
- The reference libraries are included to assist an Institution in developing a roadmap to address gaps and shortcomings. Many of the references have specific instructions or detail correct security approaches and best practices.
Repeat – The Institution repeats the self-assessment and gap-closing process periodically, or upon an event that warrants a re-evaluation of its Impact Tier, such as:
- Acquisition of another entity;
- Introduction of a new business line;
- Significant growth in number of accounts, delivery of critical services, or interconnectedness;
- A significant change in the threat landscape;
- The Institution believes that its Impact Tier has changed; and/or
- A regulatory or supervisory body believes that the Institution’s self-assessed Impact Tier is inaccurate or has changed.
For further information, please feel free to view: [Users Guide with hyperlink] and/or contact the Profile leads:
- Josh Magri, Senior Vice President, Counsel for Regulation & Developing Technology, Bank Policy Institute (BPI) – BITS
- Denyette DePierro, Vice President & Senior Counsel, Center for Payments and Cybersecurity, American Bankers Association
Maintenance Going Forward: The Financial Sector Coordinating Council (FSSCC), the trade associations, financial institutions, and other Profile development stakeholders recognize that future maintenance of the Profile is essential for its ultimate success. Numerous trade associations and financial institutions involved in the Profile’s development are forming a sustained coalition to manage Profile update activities and to educate and engage jurisdictions around the world on its benefits and usage. Interested parties will continue committing resources, such as their own subject matter experts and expertise, full time personnel, and funds for external experts and advisors.
This coalition has also committed to a 2-3 year update cycle for issuing a new, full version, similar to the cycles used by other standards bodies, such as the National Institute of Standards and Technology (NIST) and the International Standards Organization (ISO). The coalition has also committed to more flexible update timeframes for incorporating additional global supervisory expectations as well as any newly issued supervisory expectations.
More details will follow in the coming weeks.
These materials are licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/4.0/ or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.