As global financial services become increasingly interconnected and supervisors focus on transnational cybersecurity threats, UK-based financial companies are spending time and money ensuring internal and external processes, as well as third-party suppliers, are compliant with domestic and international regulatory frameworks and requirements.
In response to this burden, a group of financial sector firms came together to develop the Financial Services Sector Cybersecurity Profile. Finalised in October 2018, the Profile is being implemented by a growing cohort of international companies and reviewed by a broad cross-section of financial services regulators in Europe, the Americas and Asia. In a model that could be replicated in the UK, the Profile is accepted by US banking, securities and insurance regulators (among others), and is kept up to date by the firms that use it, drawing on best-in-class security approaches from international cybersecurity standards bodies, including IOSCO and NIST. It could alleviate the compliance burden created by overlapping and duplicative regulations and supervisors, allowing firms to focus on enhancing their security rather than on regulatory reporting and compliance.
Cybersecurity compliance should be appropriate to an organisation's risk, size and complexity
An acknowledged friction within banking supervision is that one-size-fits-all regulation cannot be the appropriate approach for financial organisations of all sizes, charter types and business models. The Profile addresses this supervisory-regulatory disconnect with a nine-question questionnaire that identifies a bank's impact: the risk to the wider financial services and economic ecosystem if the bank were affected by a significant cybersecurity event. The nine questions draw on international standards and established risk factors, such as Basel Committee on Banking Supervision G-SIFI designations, geopolitical risk, consumer impact, and levels of market share and interconnectedness.
Based on the responses, a company is identified as being Impact Tier 1 (global/national impact), Tier 2 (sub-national impact), Tier 3 (sector wide impact) or Tier 4 (local impact). The number of questions asked is customised based on the identified tier. A global Tier 1 firm answers 279 questions, while a Tier 4 community-based firm answers 145 questions.
Lessons learned from early adopters of the Cybersecurity Profile
Fundamentally the Profile encourages firms to adopt internationally recognised security standards and practices, while helping to quickly identify and mitigate security vulnerabilities outside of the time-consuming rule writing and examination cycle. The use of a common framework to guide an organisation's risk management approach and rationalise internal reporting can provide further assurance for regulators and senior management that an organisation is resilient and adhering to a credible cybersecurity posture in alignment with risk and activities.
Firms using the tool have observed several benefits:
Harmonisation rationalises third-party oversight and offers a security roadmap for fintech
Significantly, the Profile also assists third-party assessments, providing specificity to general oversight guidelines and due diligence, and minimising the time spent assessing peers and widely used financial sector suppliers. Regulators also benefit from third-party uptake of the Profile, which improves visibility into providers and into potentially systemic risks that could have a significant impact on the UK economy.
UK Finance has strong relationships with a number of firms who have implemented the Profile, as well as BPI and ABA which led its development. Please get in touch for further information.
Denyette DePierro, VP and Senior Counsel, American Bankers Association
Josh Magri, SVP, Bank Policy Institute