Episode Notes
The Cyber Risk Institute has developed a cybersecurity framework for the financial sector that is based on globally recognized standards. Josh Magri, CRI President & CEO, talks about the genesis of this framework and how it can help bridge the gap between self-assessment and regulatory compliance, even for financial firms that have operations around the globe.
Notes from our Discussion with Josh
CRI Profile
The Profile acts as a Rosetta Stone between cybersecurity frameworks, standards, and regulatory provisions, and it is meant to be used as an assessment tool. It incorporates requirements from several different regulatory jurisdictions.
Genesis of the Profile
There was significant regulatory fragmentation in the way cybersecurity was being approached, not just across the globe but even within the US. This led to firms spending a tremendous amount of time on compliance documentation rather than on frontline cyber defense. FS-ISAC conducted a survey of how firms were dealing with compliance and found that 40% of the cyber team's time was spent on compliance rather than on frontline cyber defense.
So, under the umbrella of the Financial Services Sector Coordinating Council, several financial institutions and trade associations got together to find a different way to do this. CRI built the Profile on the NIST CSF and the International Organization of Securities Commissions' (IOSCO) frameworks.
Adoption of the Profile
Thousands of firms are using it. It’s a free downloadable spreadsheet. It’s used in the US, UK, mainland Europe, Japan and Africa.
Self-Assessment That Can Be Used for Regulatory Compliance
Taken together, the different regulatory requirements amounted to around 3,000 questions that firms would need to address. The framework brought this down to around 277 diagnostic statements covering a cyber program. To reduce these 277 statements further to a manageable set for any given firm, an impact tiering schema was layered on top, so that a firm answers only the statements that apply to its impact tier. The result is essentially an assessment for financial services that can also be used for compliance.
Challenges in Regulatory Harmonization
It's probably not possible to achieve 100% regulatory harmonization. We should aim instead at regulatory convergence, where regulators take a common approach to cyber without the expectation that all regulatory provisions look the same. Geopolitical challenges are the main impediment.
Role of the Profile in Managing Supply Chain Cyber Risks
A number of firms that have used the Profile internally are now using it for external evaluation of third parties and even in M&A due diligence. One of the key distinctions of the Profile is its detailed and holistic view of third-party risk. This is what all regulators and firms care about, and it tends to be the weakest link.
Role of the Profile for Cloud Service Providers
Financial services firms bring their compliance requirements to cloud service providers, but providers are reluctant to meet them unless doing so is part of their strategic roadmap. So, 2-3 years ago, the Profile was mapped to the Cloud Security Alliance's Cloud Controls Matrix to show where cloud controls intersect with cyber controls and regulatory compliance.
The Profile and AI
A number of agencies are already working on AI, and the Profile shouldn't duplicate that work. The Profile will probably focus more on security controls around AI than on algorithmic bias or even privacy.
Advantages of the Profile
Using it saves a huge amount of time and effort, and it is freely downloadable. Software suites like Axio are incorporating it, and there is a separate program in which consulting firms like EY and KPMG are involved. So there will be many more support services available, rather than just a spreadsheet on its own.
FinCyber Today is a podcast from FS-ISAC that covers the latest developments in cybersecurity, contemporary risks, financial sector resilience and threat intelligence.
Our host Elizabeth Heathfield leads wide-ranging discussions with cybersecurity leaders and experts around the world who bring practical ideas on how to confront cyber challenges in the financial sector, improve incident response protocols, and build operational resilience.
Amid the clutter and noise, FS-ISAC Insights is your go-to destination for clarity and perspectives on the future of finance, data, and cybersecurity from C-level executives worldwide.
© 2024 FS-ISAC, Inc. All rights reserved.
Joshua Magri is the Founder and President of the Cyber Risk Institute. The Cyber Risk Institute's mission is to advance cybersecurity by creating (and updating) a common framework for cyber security and resilience assessment: The Profile. Previously, Josh served as Senior Vice President and Counsel for Regulation and Developing Technologies at Bank Policy Institute (BPI)/BITS, where he was the principal architect and co-lead of the FSSCC Cybersecurity Profile initiative. Additionally, in this role, he oversaw regulatory, advocacy, and policy efforts on issues related to cybersecurity, data security and privacy, financial technology ("FinTech"), and developing technologies. Prior to joining BPI, Josh was the Associate Vice President at the Internet Security Alliance, a multi-sector cybersecurity trade association, where he co-authored the National Association of Corporate Directors' (NACD) "Cyber-Risk Oversight Handbook." He also helped develop cybersecurity policy that was largely incorporated into Presidential Executive Order 13636 – Improving Critical Infrastructure Cybersecurity. Before moving to the Washington area, Josh was a prosecutor in the Bronx County District Attorney's Office. Tenured in both the Appeals and Rackets Bureaus, he handled felony and misdemeanor investigations, prosecutions, and appeals. Josh graduated Boston College with a B.A. in Economics and earned a J.D. from Boston College Law School. Following law school, he clerked for the Honorable Fernande Duffly at the Massachusetts Appeals Court.
Elizabeth is a storyteller at the intersection of technology and money. Layer in geopolitics and the criminal underworld and you get today's issues in cybersecurity for the global financial system. Crypto. Web 3.0. Quantum. AI. Ransomware. Privacy. Regulation. Zero-days. Supply chain attacks. Developing new and diverse talent. How to protect the future of money. These are the topics Elizabeth asks top executives and experts in the field about on FinCyber Today.