The financial services sector has historically been a first mover in embracing information technology to advance its business models and to protect its assets and those of its customers.
Not surprisingly, the banking and financial services sector faces more cyber attacks than any other industry. Banks are where the money is, and financial services companies collect, store and transmit sensitive data for individual and organizational customers. Cybercriminals – to a great extent organized crime – know that attacking a bank provides opportunities for theft, extortion and fraud. As a result, financial services organizations operate under a constant state of attack.
In dealing with these challenges, the U.S. financial services industry has been coalescing around the NIST Cybersecurity Framework as its go-to approach for cyber risk management and for streamlining compliance, with a focus on third-party risk. For years, the leading financial institutions have highlighted the NIST Framework’s superior approach to protecting financial and economic platforms. The Framework is noted for giving regulators and industry a better understanding of the state of cybersecurity, for reducing administrative burden and regulatory compliance complexity, and for enabling more efficient and effective allocation of resources to address risk. An even more vital aspect of the NIST Framework is its capacity to maximize cybersecurity and compliance when complemented by industry-specific extensions, as evidenced by the Financial Services Sector Cybersecurity Profile.
Financial Services Sector Cybersecurity Profile
On October 25, 2018 at an event at the National Press Club, the Financial Services Sector Coordinating Council (FSSCC) along with a group of leading financial trade associations unveiled the sector’s Cybersecurity Profile, an initiative that NIST has called “…one of the more detailed Cybersecurity Framework-based, sector regulatory harmonization approaches to-date.” In addition to releasing a statement of support with the publication of the Profile, NIST has been an active facilitator and partner in its development.
The Profile is a financial services sector-specific extension of the NIST Framework developed to better address the sector’s cybersecurity environment, protection needs, and regulatory requirements. Specifically, the Profile seeks to provide financial institutions and their third-party providers with more consistent and efficient processing of examination material by firms and regulators. It also helps regulators and firms to prioritize resources and focus on cyber threats of greatest concern.
One of the unique aspects of the Profile is the broad financial services sector representation in its development, including by subsectors (e.g., banking, insurance, asset management, market utilities, broker-dealers) as well as functional roles (e.g., Board Directors, CEOs, CISOs, Chief Information Risk Officers, cyber and privacy attorneys). The development working sessions were largely co-led by representatives from the Bank Policy Institute (BPI), the American Bankers Association (ABA), and the team of framework and standards experts at BCG Platinion, a division of The Boston Consulting Group.
What Some of the Leaders in the Financial Services Sector Say
Tom Wagner, SIFMA, Managing Director; the FSSCC, Vice Chair: “There is no greater threat to financial stability than a large-scale cyber event, and robust public private partnerships are the most effective way to manage cyber threats. The financial services industry is constantly working to improve cyber defenses, resiliency and recovery through massive monetary investment in technology and personnel, regular training, best practices development, and industry tests. The Cybersecurity Profile is the latest example of our commitment to keeping our industry and our clients safe.”
Denyette DePierro, ABA’s Center for Payments and Cybersecurity, Vice President and Senior Counsel: “The industry took up the challenge to find a cybersecurity roadmap that works for both community banks and global banks. It’s an exciting moment and a new, innovative approach to regulation that could be applied to other areas of supervision and oversight.”
Greg Rattray, JPMorgan Chase, Head of Global Cyber Partnerships & Government Strategy: “It [the NIST cybersecurity framework] is widely recognized as the leading approach for owners and operators of critical infrastructure to improve cybersecurity risk management. JPMC applies the Framework in a variety of ways. Among other uses, the Framework informs JPMC’s cyber risk assessments, development of cyber control standards, determination of cyber strategic priorities, and investment planning.”
Rich Baich, Wells Fargo, Chief Information Security Officer: “The FSSCC would also like to again applaud NIST for the open and transparent process that it has used in creating and seeking to update the Cybersecurity Framework. The financial services sector has found value in this ongoing, multi-stakeholder collaborative process and has been one of its most ardent proponents.”
Russell Fitzgibbons, The Clearing House, Executive Vice President and Chief Risk Officer: “The NIST Cybersecurity Framework is the common Cybersecurity Framework of U.S. companies.”