What It Is: The Profile is a scalable and extensible assessment that financial institutions of all types can use for internal and external (i.e., third party) cyber risk management assessment and as a mechanism to evidence compliance with various regulatory frameworks (a “common college application for regulatory compliance”) both within the United States and globally.
Why It Was Created: When surveyed two years ago, Chief Information Security Officers from financial institutions indicated that nearly 40% of their time, and their teams’ time, was spent reconciling various cybersecurity and regulatory frameworks.*
For financial institutions, if the Profile approach is implemented, accepted by regulators for use, and maintained, the benefits of focusing cybersecurity experts’ time on protecting global financial platforms, rather than on compliance activity, will be significant. For an industry already burdened by a shortage of adequately skilled individuals, reducing this percentage by streamlining compliance is a tremendous benefit.
For the regulatory community, Profile usage will enhance their visibility across firms, subsectors, third parties, and other sectors, which will enable better analysis and mitigation of systemic and concentration risks.
* This predated the Financial Stability Board’s announcement in 2017 that 72% of its 25 member jurisdictions were self-reporting that each had plans to issue further cybersecurity regulatory frameworks, etc.
Boardroom Engagement to Advance Investment: For the C-Suite and board directors, cybersecurity is a top concern and supervisors expect institutions to track their progress in mitigating identified security gaps. By using the Profile over several cycles, financial institutions can benchmark their programs with the Profile’s recommended practices, identify gaps, articulate those gaps to the C-Suite and board directors in plain language, discuss appropriate resourcing for mitigation, and track the advancement in mitigation efforts over time.
Efficiencies: The Profile promises to reduce the time a financial institution needs to complete a comprehensive assessment by offering a tailored set of diagnostic assessment questions, the Diagnostic Statements, reflecting the institution’s risk to the broader economy.
Additional Benefits: While increased time and focus on cybersecurity projects and activities is a substantial benefit, there are a number of additional significant benefits that would inure to firms and the community currently, in the near term, and longer term with Profile usage.
Immediate benefits for financial institutions include:
• Enhanced internal and external oversight, due diligence and risk identification using consistent terms and concepts;
• More efficient third-party vendor management review and oversight;
• Greater intra-sector, cross-sector and international collaboration and understanding based on ISO standards, CPMI-IOSCO and the NIST Cybersecurity Framework; and
• Greater innovation as technology companies, FinTech firms, startups, etc., are able to meet requirements/expectations more efficiently.
For the regulatory community, the benefits are likewise numerous. With the Profile, Regulators could:
How to Use the Profile: The Profile assists institutions in assessing their cybersecurity risk management governance, processes, capabilities, and regulatory compliance posture against the expectations for the Impact Tier level to which they correspond. Having understood their posture, institutions can then develop plans to close any identified gaps. This process can be reduced to four repeatable steps, as depicted and further described below:
Step 1 – The Institution would first determine its Impact Tier level by completing the Impact Tiering Questionnaire. The Questionnaire consists of only 9 potential questions; depending on an institution’s set of responses, they segment the institution into one of four Impact Tier levels: Level 1: National/Super-National Impact; Level 2: Subnational Impact; Level 3: Sector Impact; and Level 4: Localized Impact. Depicted by #1 above.
Step 2 – Based on its Impact Tier level, the Institution would then assess itself against the corresponding set of Diagnostic Statement questions: an Institution at Level 1 answers 277 Diagnostic Statement questions; at Level 2, 262; at Level 3, 186; and at Level 4, 133. Depicted by #2 above.
Step 3 – Through its responses, the Institution would then identify any shortcomings or gaps in its cybersecurity risk management governance, processes, capabilities, and regulatory compliance posture. Depicted by #3 above.
Step 4 – Once gaps are identified, the Institution would develop and implement a plan to close those gaps so that it can satisfy the expectations associated with its particular Impact Tier level.
The Institution repeats this process on a periodic basis or upon a “change event” which would warrant an Impact Tier level reconsideration, such as –
For further information, please feel free to view: Profile Overview and User Guide and/or contact
Senior Vice President, Counsel for Regulation & Developing Technology
Bank Policy Institute (BPI) – BITS
Vice President & Senior Counsel
Center for Payments and Cybersecurity
American Bankers Association
Maintenance Going Forward: Trade association partners are currently in discussion regarding the establishment of an ongoing coalition to ensure that the Profile remains an active and dynamic product that helps develop, assess and advance cybersecurity broadly across the financial services sector. To achieve this objective, the coalition will establish a governance process committed to updating and maintaining the Profile in 2-3 year cycles using a multi-stakeholder process similar to the one used to complete Version 1.0. More details will follow in the coming weeks.