The Cybersecurity Profile: a harmonised approach to cybersecurity supervision

As global financial services become increasingly interconnected and supervisors focus on transnational cybersecurity threats, UK-based financial companies are spending time and money ensuring internal and external processes, as well as third-party suppliers, are compliant with domestic and international regulatory frameworks and requirements.

In response to this burden, a group of financial sector firms came together to develop the Financial Services Sector Cybersecurity Profile. Finalised in October 2018, the Profile is being implemented by a growing cohort of international companies and reviewed by a broad cross-section of financial services regulators in Europe, the Americas and Asia. In a model that could be replicated in the UK, the Profile is accepted by US banking, securities and insurance regulators (among others), and is kept up to date by the firms that use it, drawing on best-in-class security approaches from international cybersecurity standards, including IOSCO and NIST. It could alleviate the compliance burden created by overlapping and duplicative regulations and supervisors, allowing firms to focus on enhancing their security rather than on regulatory reporting and compliance.

Cybersecurity compliance should be appropriate to an organisation's risk, size and complexity

An acknowledged friction within banking supervision is that one-size-fits-all regulation cannot be the appropriate approach for financial organisations of all sizes, charter types and business models. The Profile addresses this supervisory-regulatory disconnect with a nine-question questionnaire that identifies a bank's impact: the risk to the wider financial services and economic ecosystem if the bank were affected by a significant cybersecurity event. These nine questions are likewise based on international standards and criteria, such as Basel Committee on Banking Supervision G-SIFI designations, geopolitical risk, consumer impact, and levels of market share and interconnectedness.

Based on the responses, a company is identified as being Impact Tier 1 (global/national impact), Tier 2 (sub-national impact), Tier 3 (sector-wide impact) or Tier 4 (local impact). The number of questions asked is customised based on the identified tier. A global Tier 1 firm answers 279 questions, while a Tier 4 community-based firm answers 145 questions.

Lessons learned from early adopters of the Cybersecurity Profile

Fundamentally, the Profile encourages firms to adopt internationally recognised security standards and practices, while helping them to identify and mitigate security vulnerabilities quickly, outside the time-consuming rule-writing and examination cycle. Using a common framework to guide an organisation's risk management approach and rationalise internal reporting can give regulators and senior management further assurance that the organisation is resilient and maintains a credible cybersecurity posture aligned with its risk and activities.

Firms using the tool have observed several benefits:

  • Reduced time spent completing cybersecurity assessments due to a customised template based on an organisation's size, risk, and complexity.
  • Enhanced M&A preparation as target companies can be compared within a standardised approach mapped to frameworks.
  • Eased hiring of cybersecurity professionals and on-boarding of directors with cybersecurity expertise from other sectors (who often prefer using recognised standards such as CPMI-IOSCO or NIST).
  • More efficient deployment of cybersecurity resources where bank IT teams organise around IOSCO, ISO, COBIT or NIST and prefer a supervisory assessment aligning with the existing technology approach.

Harmonisation rationalises third-party oversight and offers a security roadmap for fintech

Significantly, the Profile also assists third-party assessments, adding specificity to general oversight guidelines and due diligence, and minimising the time spent assessing peers and widely used financial sector suppliers. Regulators also benefit from third-party uptake of the Profile, which improves visibility into providers and into potentially systemic risks that could have a significant impact on the UK economy.

UK Finance has strong relationships with a number of firms that have implemented the Profile, as well as with BPI and the ABA, which led its development. Please get in touch for further information.