Inside Cybersecurity

March 8, 2021

Banking-sector cyber ‘profile’ to be a living document under new risk management institute

By Charlie Mitchell / June 5, 2020

The cyber-risk nonprofit launched by the Bank Policy Institute offers a model for collaborative cybersecurity initiatives even in one of the most highly regulated sectors, with plans for continuous updates to its cyber “profile” for the financial industry, such as incorporating new mapping done by state insurance commissioners and steps on global alignment.

BPI last week announced the Cyber Risk Institute, which will be home to the sector profile first unveiled in 2018 by the Financial Services Sector Coordinating Council. The cyber assessment tool has earned statements of support from the National Institute of Standards and Technology -- the profile is based on NIST’s framework of cybersecurity standards -- and federal financial regulators.

Inside Cybersecurity discussed the new institute’s role and place in the cyber ecosystem with officials close to the initiative.

“BPI/BITS’ focus on improving cybersecurity and leading the coalition that launched last week as the Cyber Risk Institute Profile will be a boon for the industry. Our multi-year effort to incorporate input from regulators and standards bodies and from the front line to the board room improves efficiency and will help enhance cyber capabilities for both firms and the industry,” said Chris Feeney, BPI’s executive vice president and the president of BITS, the association’s tech policy arm.

The Bank Policy Institute announced the CRI in late May with 31 members including the American Bankers Association. Josh Magri, a longtime policy hand at BPI, is the institute’s managing director and Alan Carroll is vice president and senior program manager.

The CRI “is an outgrowth of the work to create the FSSCC cyber profile, we realized it had to be maintained,” said one source familiar with the effort. “We worked to get regulators on the record as supportive of the profile as the standard for assessments, but we didn’t find an existing natural fit for housing the profile,” leading to BPI’s decision to launch the CRI. The CRI is a separate nonprofit within BPI with its own membership.

“This knits together the NIST framework with [financial sector] compliance and assessment requirements,” the source said. Further, the institute is focused on scaling the profile for both the largest and smallest members of the financial community and its supply-chain partners. “We looked to create something with broad industry membership,” the source said.

The new institute is working on “more granular mapping” of the profile to the Federal Financial Institutions Examination Council Cybersecurity Assessment Tool, or CAT, the source said, calling this “one of the first requests” from members. The group is also mapping the profile to cyber guidance from the National Association of Insurance Commissioners.

CRI members also wanted to integrate international regulatory regimes into the profile, the source said, and the institute is starting with European Union standards and then will turn to regulatory standards in the Asia-Pacific region.

“That’s what our members have asked for initially,” the source said. “We’re also reaching out to states and asking their regulators to accept our mapping to the NIST framework,” a process that’s in early stages.

“We had significant input from [federal] regulators on the profile, we’re at a point where we have very rational discussions on how it fits, focusing on what’s relevant to protecting firms and the economy,” the source said. “The iterative dialogue is very collegial and collaborative. We’re really here to help the industry.”

The goal is “iterating the profile going forward and working with the regulatory community to streamline the assessment process and make sure that process is robust,” the source said. “Cutting the clutter, duplicity and inconsistency of the marketplace is the most significant thing we could do. [Banking sector] CIOs and CISOs are really behind this, there has been a lot of support over the past three years.”

CRI is looking to hold an open workshop at some point when coronavirus restrictions ease on public gatherings, and is hoping to collaborate with NIST on such an event, according to the source. The group is closely following NIST efforts on both the cyber framework and privacy framework, as well as International Standards Organization efforts and cyber-related elements in international trade agreements, the source said. NIST’s evolving work on “enterprise risk management” is of particular interest, the source said. -- Charlie Mitchell (cmitchell@iwpnews.com)