When it comes to cybersecurity, organizations in the financial sector should consider aligning with the Financial Services Sector Coordinating Council’s (FSSCC) Cybersecurity Profile by incorporating its framework into current strategies and assessments in order to increase efficiency, simplify compliance, and cultivate communication about cybersecurity across the organization.
What Is the FSSCC and Cybersecurity Profile?
Established in 2002, the FSSCC is a non-profit organization that focuses on addressing policy issues related to the financial industry, fostering collaboration and awareness between the Financial Services Sector and the public sector, and boosting the financial sector’s ability to analyze, prepare for, and respond to threats including cybersecurity incidents, natural disasters, and terrorism. The FSSCC now has over 70 members, and membership is open to all organizations within the financial services sector.
The FSSCC developed an all-encompassing approach to address risk related to cybersecurity called the Cybersecurity Profile (“Profile”), which has been referenced by the Federal Financial Institutions Examination Council (FFIEC) as a standardized tool that financial institutions can use to assess their cybersecurity preparedness.
The Profile simplifies risk reduction for customers as the “one-stop shop” for over 2,300 regulations, broken down into 277 diagnostic statements organized by common International Organization for Standardization (ISO) and National Institute of Standards and Technology (NIST) categories, plus two additional categories created by the FSSCC specifically for the financial sector. Per the FSSCC, use of the Profile reduces the time required to assess cybersecurity risk by up to 73 percent.
What Are the Benefits of the Profile?
Beyond the above benefits, the Profile enables consistent cybersecurity risk measurement and management across various organizational domains: finance, cybersecurity, privacy, legal, compliance, and technology. When different facets of an organization establish a common language and framework to manage cybersecurity risk, each reaps the benefits and no longer gets lost in translation. Synchronization in cybersecurity risk management also improves:
- Resource prioritization
- Status and issue tracking
- Due diligence for third parties and during transactions
- Regulatory readiness, compliance, and reporting
- Board engagement and understanding
Additionally, the Profile is updated 2-3 times a year, which better equips institutions to prevent and respond to incidents and to changes in the organization’s risk and threat landscape.
Lastly, the Profile does not require a huge undertaking or change in current strategies and regulatory alignments; rather, it streamlines existing approaches by improving assessment efficiency and reducing the number of assessment questions by up to three quarters based on the size and complexity of a financial institution. This gives cybersecurity leaders more time to focus on cyber defenses, driving the FSSCC’s main mission of growing security and resiliency of U.S. financial systems.
How Can a Financial Services Institution Begin Using the Profile?
Step 1: Determine Impact Tiers
Utilizing FSSCC’s nine-question inquiry form, categorize your institution into one of four tiers of criticality: National/Super-National Impact, Subnational Impact, Sector Impact, or Localized Impact. These tiers are defined by an institution’s influence on global, national, and local markets in the event of a cybersecurity event, and the tier assignment allows the Profile to be tailored to your institution’s risk threshold. Each of the four tiers has associated Diagnostic Statements, similar to control descriptions, with Tier 1 institutions defaulting to all 277 Diagnostic Statements and Tier 4 tailored to 137.
Step 2: Perform an Assessment Based on the Profile’s Diagnostic Statements
Assess your cybersecurity capabilities against the Diagnostic Statements applicable to your institution’s tier. The Profile’s Diagnostic Statements apply the functions, categories, and subcategories from the NIST Cybersecurity Framework by aligning them specifically to the financial services sector. The FSSCC removed subcategories that didn’t align to the financial services sector, and then developed two new sections (Governance and Dependency Management) that relate to it exclusively. The Diagnostic Statements take the subcategories a few steps further, providing control descriptions and mappings to 2,300 regulatory compliance requirements and industry frameworks – all in one spreadsheet.
Step 3: Update, Communicate, and Execute Your Risk Management Plan
Use the gaps identified in your assessment to pinpoint your highest risks, prioritize risk management plans and resource requirements, and communicate your cyber risk profile to stakeholders. Then, manage your cyber risk profile by beginning to execute your risk management plan.