A unified approach for assessing cybersecurity risk - the Profile

UK Finance has hosted prior blogs on the Profile[1], introducing it and explaining its relevance to supervisors as well as firms. Since then the Profile has "moved" and is now managed by the Cyber Risk Institute (CRI), although it retains strong links to its heritage.

Originating from the United States in response to the financial services regulatory fragmentation that began emerging around cybersecurity in 2016, the Profile is designed as a global tool that can scale across geographies, regulatory jurisdictions, and financial institution type and complexity. 

Rather than rely on US standards and frameworks, its developers, numbering over 150 financial institutions, structured the Profile around the categories of the International Organization of Securities Commissioners (IOSCO)'s June 2016 Guidance on cyber resilience for financial market infrastructures, which were an amplification of the functions of the NIST Cybersecurity Framework.

The Profile's modular and scalable nature means that it can readily incorporate additional regulatory frameworks to evolve with the changing regulatory landscape. This flexible design is why the Profile remains relevant now and will do so in the future, and why firms across the UK and mainland Europe are increasingly using it as a cyber risk assessment and regulatory convergence instrument.

Beyond its initial design, the Profile has grown increasingly useful to international as well as domestic institutions, particularly those in the UK. UK Finance has worked with the CRI to ensure the Profile is specifically useful to our members. In 2020 a number of our members recommended that the Profile include mappings of its diagnostics to the European Banking Authority's (EBA) Guidelines on ICT and Security Risk Management and the European Central Bank's (ECB) Cyber resilience oversight expectations for financial market infrastructure.

We took a leading role in supporting the CRI in this effort through a number of working sessions to validate those mappings. Those sessions concluded in Q3 2020 and the mappings were shared with the relevant regulators. This work has enabled the Profile to be even more relevant in a UK and European context, and therefore more relevant to UK Finance members. Looking ahead, we expect the Profile to continue to integrate global regulations and guidance, building upon its current foundations.

It is great to see that our members are not only implementing and using the Profile, but have joined the CRI. This reflects a long-term investment in shaping the future of the Profile when further regulations are published.

UK Finance has received strong interest from our members wanting to learn more about the Profile and has organised events for the CRI to educate members on the Profile's development and structure. Because of this interest, we continue to support the Profile work and will be joining the CRI team and the Cloud Security Alliance in the next few months in integrating a cloud overlay to the Profile that will operate as a baseline set of cloud controls for various cloud deployment models.

Though a relatively new tool, going forward I expect the Profile to grow in importance as the benefits of using it become better understood. If you have any questions on the Profile or UK Finance's work on cybersecurity please feel free to contact me or my team.


[1] In addition to being known as the CRI Profile, the Profile is often referred to as NIST+, FSP, and even the Financial Services Sector Coordinating Council (FSSCC) Profile, with the FSSCC being the original Profile developer before assigning its rights to CRI.


Free webinars: Cyber and Third-Party Risk and Cyber Transformation

UK Finance is running a series of free briefings in March to support members with the evolving 2021 regulatory landscape. The Regulatory Roadmap series will take place between 15-29 March and will include sessions on Cyber & Third Party Risk, chaired by Ian Burgess, the author of this blog, Cyber Transformation chaired by Oge Udensi, Principal, Cyber Security, UK Finance, and RegTech, which will be led by Jonathan Middleton, Principal, Technology and Digital Policy Delivery Coordination, UK Finance.

Details of the full series can be found below - please click on a link to register for free via our webinar platform:
