The Financial Services Sector Cybersecurity Profile

The Financial Services Sector Cybersecurity Profile was launched on 25 October 2018. More than 150 banks and many of the world's largest vendors, working with their trade groups, introduced a "best practices" assessment tool for applying cybersecurity regulations globally.

Financial-sector regulators have welcomed the industry's introduction of a profile, based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework, for guiding institutions' implementation of cybersecurity policies. However, they say it will take time to see how use of the Profile measures up to their expectations.

"While we're not going to mandate the use of the profile, we'll welcome any financial institution to provide information to us using the structure and taxonomy of the profile; we see that as a boon for harmonisation," notes Julia Philipp, from the Federal Reserve Board.

What is the Financial Services Sector Cybersecurity Profile?

The Profile is a scalable and extensible assessment that financial institutions of all types can use for internal and external (i.e. third-party) cyber risk management, and as a mechanism to demonstrate compliance with various regulatory frameworks, both within the United Kingdom and globally.

The Profile offers a common, credible approach to cybersecurity assessment and complements the NIST Cybersecurity Framework. It reduces the time a financial institution needs to complete a comprehensive assessment by offering a tailored set of diagnostic assessment questions (the Diagnostic Statements), scaled to the institution's Impact Tier, which reflects the risk the institution poses to the broader economy.

For financial institutions
If the Profile approach is implemented, accepted by supervisory agencies and maintained by industry, the benefits would be substantial. Focusing cybersecurity experts' time on protecting global financial platforms, rather than on compliance activity, will significantly enhance security efforts.

For the regulatory community
The Profile's use would enhance transparency and improve visibility across institutions, sub-sectors, third parties and sectors, enabling better analysis and mitigation of systemic and concentration risks. Supervisors could:

  • Tailor examinations to institutional complexity and conduct "deeper dives" in those areas of greater importance
  • Better discern the sector's systemic risk by comparing answers across institutions using common terms and concepts
  • Understand an institution's baseline security status quickly, affording additional time for specialisation, testing and validation
  • Broaden the ability to take collective supervisory action to address identified global, national, sector and institution risks
  • Improve data analysis and data comparisons from other agencies and jurisdictions
  • Enhance supervisors' visibility into non-sector and third-party risks

How to Use the Profile: The Profile may assist institutions in assessing their cybersecurity risk management, governance, processes, capabilities and regulatory compliance posture against the expectations for the Impact Tier to which they correspond. Having understood their posture, institutions can then develop plans to close any identified gaps. This process can be reduced to four repeatable steps, as depicted and further described below:

Maintenance Going Forward: The Financial Services Sector Coordinating Council (FSSCC), trade associations, financial institutions and other Profile development stakeholders recognise that ongoing maintenance of the Profile is essential to its success. Numerous trade associations and financial institutions involved in the Profile's development are forming a sustained coalition to manage Profile updates and to educate and engage jurisdictions around the world on its benefits and usage. Interested parties will continue to commit resources, including their own subject matter experts, full-time personnel, and funds for external experts and advisers.

The coalition has committed to a two- to three-year cycle for issuing a new full version, similar to the cycles used by other standards bodies such as NIST and the International Organization for Standardization (ISO). It has also committed to flexible interim updates to incorporate additional global supervisory expectations, as well as any newly issued supervisory expectations.

The Profile and more information can be found here.