The Financial Services Sector Coordinating Council (FSSCC) is an industry-led non-profit organization established nearly twenty years ago. Its focus is to protect critical financial infrastructure while reducing complexity for those on the front lines, such as Chief Information Security Officers (CISOs). The FSSCC created the Profile, a comprehensive security framework, to improve cybersecurity by using benchmarking to evaluate cyber risk across Financial Services organizations.
The Profile, now maintained, updated, and managed by the Cyber Risk Institute (CRI), gives CISOs in the Financial Services industry a framework and a streamlined approach that protects their organizations from a myriad of threats, including cyberattacks, one of the biggest risks to financial organizations. It empowers CISOs without adding more responsibilities and tasks.
The average cost of a cyber breach is $3.86 Million, yet in the financial sector this skyrockets to $18.5 Million. Financial Services firms are also 300 times more likely to be targeted than other organizations. Risk-based cybersecurity frameworks and tools are rarely developed for, and dedicated to, a single sector. The Profile eases managing and mitigating cyber risk, and unifies stakeholders, organizations, and regulators across the entire sector. Because it was developed solely for the financial sector and delivers these benefits, the FSSCC is unique and powerful.
Financial Sector CISOs face ongoing challenges, including determining cyber risk, protecting the organization, and communicating up to the C-suite and Board of Directors. Boards and the C-suite focus on organizational compliance and will ask the CISO how their cyber strategies are compliant. However, the C-suite and Board of Directors rarely have a background in cybersecurity, leaving room for miscommunication, misunderstanding, and a failure to prioritize cyber risk solutions and compliance.
CISOs for Financial Services institutions reported that up to 40 percent of their time was spent on the compliance requirements of various regulatory frameworks rather than on cybersecurity. Ultimately, regulators, through the FSSCC and the Cybersecurity Profile, bridged the gap between increasing regulations and the ability of an organization's leadership to comply.
Regulators and industry leaders developed the Profile to provide a common language for all key stakeholders and to explain cyber risk in a consolidated and simplified manner. The Profile combines over 2,300 regulations into one diagnostic self-assessment for industry-wide standardization among Financial Sector organizations, and it is maintained by CRI to stay up to date for financial organizations. When a CISO adopts the Profile, they simplify their current security protocol without impacting their frontline defense. The Profile supports the CISO's role and adds consistency to benchmarking cyber risk, which results in better communication with an organization's leaders such as the Chief Financial Officer (CFO), Chief Executive Officer (CEO), and Chief Risk Officer (CRO). When organizational leaders better comprehend the threats, they are more likely to support, prioritize, and budget solutions to mitigate cyber risks.
Regulators benefit from increased visibility of cyber risk across the financial sector while enhancing cooperation with CISOs and other industry leaders. The entire Financial Services industry benefits from having a common language and framework to build upon its foundation, and organizations are better able to take collective actions against threats as they work together.
The Profile categorizes a CISO's organization based on the impact that a cyber threat to it would pose to the sector. This equates to a roadmap that is tailored to the organization. The Profile's impact tiering assessment and diagnostic statements can reduce by up to 73 percent the number of questions an organization normally must review under a similar assessment. The Profile aims to grow with organizations in the financial sector through multiple updates made in annual cycles, expected added maturity ratings, alliance partnerships, and additional new international frameworks, making it a one-stop shop for the financial sector CISO.