The case for framework harmonization

The ascent of the FSSCC Cybersecurity profile

Leah Gregorio

Advisory Managing Director, Cyber Security Services, KPMG US

+1 917-574-4118

Tom Nash

Manager, Cyber Security Services, KPMG US

+1 347-443-5833

In April 2021, Federal Reserve Chairman Jerome Powell asserted that cyberattacks are now the foremost risk to the global financial system, greater even than the lending and liquidity risks that led to the 2008 financial crisis.1 High-profile cyber incidents have been widely reported in recent years, and a number of financial services organizations have fallen victim to sophisticated cyber attackers. Cyber adversaries have developed techniques capable of disrupting global financial markets and destabilizing confidence in them. It is little wonder, therefore, that cyber security has experienced a rapid and sustained increase in focus from both domestic and international financial regulators.

The regulatory response heretofore has been fragmented, with limited coordination across bodies whose oversight responsibilities overlap. The result is a complex web of requirements in which many financial services organizations are asked the same question in many different ways. Responding to each variant of a similar requirement is time-consuming and inefficient, and it places additional strain on already scarce cyber security talent. One survey found that 40% of information security teams’ time is spent reconciling disparate cyber expectations.2

It is for this reason that many organizations are adopting the Financial Services Sector Coordinating Council’s Cybersecurity Profile (‘the Profile’). The Profile provides financial services organizations with a common, standardized framework that captures requirements and supervisory expectations from the FRB, the OCC, the FDIC, the SEC, the CFTC, and FINRA (all of whom were engaged by the ABA, BITS, and SIFMA during the Profile’s creation). Organizations that are overseen by multiple regulators stand to gain the most from the Profile.

The Profile is based primarily on the NIST CSF, the de facto standard within financial services. It departs from the NIST CSF in two key ways. First, in response to evolving regulatory focus areas, two new Functions are included – Governance and Supply Chain/Dependency Management. Second, it is intentionally architected to capture and map the best of various frameworks. Through that mapping, the Profile reorients priorities away from compliance and towards a risk-based approach, allowing regulators to focus on systemic risk and financial services firms to focus on residual risk.

The Profile is designed to scale with potential impact: systemically important firms face additional requirements, while organizations with a relatively small number of customers face fewer. This tiering has the additional benefit of enabling more accurate like-for-like benchmarking between financial services organizations.

Inevitably, organizations adopting the Profile are working through some challenges. Many have made significant investments in Board-level education and awareness of existing frameworks (such as the FFIEC CAT), and there is a hesitancy to pivot frameworks if doing so requires that education to be repeated. Additionally, many organizations find value in tracking their maturity progress against a given framework and are therefore reluctant to switch if this means losing the direct historical comparison.

The Profile is intentionally designed to be dynamic. The coalition of trade associations and financial services institutions that oversee the Profile is committed to flexible update timeframes that capture additional global supervisory expectations as they are issued or promulgated. This enables greater agility than the 2-3-year update cycles maintained at other standards bodies, including NIST and ISO.

Organizations looking to adopt the Profile should consider doing so as part of a broader initiative towards a unified risk management framework. In doing so, they should leverage the mapping that is native to the Profile and use it to identify any additional areas requiring coverage from a control perspective.

Footnotes

  1. Forbes, “Fed Chair Powell Warns That Cyber Attacks and Covid-19 Spreading Again Are The Biggest Risks To The Economy”, April 11, 2021.
  2. American Bankers Association, “FSSCC Cybersecurity Profile: A NIST-based Cybersecurity Assessment Approach”, April 18, 2019.