
FSSCC Releases New Cybersecurity Framework


The FSSCC has released a new cybersecurity framework called the “Cybersecurity Profile.” The Profile is a standards-based tool to help guide financial services institutions in developing and maintaining a cybersecurity risk management program. The overall intent of the FSSCC’s Cybersecurity Profile is to combine a large number of different cybersecurity standards from all over the world into one framework that is scalable and more efficient than the other frameworks on the market today. Does it accomplish its goal? Will it be used by US regulators? Let’s discuss.

 


Who is the FSSCC?

Established in 2002 by the financial sector, the FSSCC works collaboratively with key Government agencies to protect the Nation’s critical infrastructure from cyber and physical incidents. FSSCC members (70 in total) consist of financial trade associations, financial utilities, and the most critical financial firms. FSSCC partners with the public sector on policy issues concerning the resilience of the sector.

 


What is the Profile?

The Cybersecurity Profile is a scalable and comprehensive framework that financial institutions of all types can use for internal and external (i.e., third party) cyber risk management assessment and as a mechanism to demonstrate compliance with various regulatory frameworks both within the United States and globally.


The Profile was developed based on the NIST Cybersecurity Framework, but it is designed to take the next step by aligning numerous cybersecurity regulatory expectations and authorities and by simplifying and consolidating the cyber maturity and readiness identification process. The Profile builds upon the NIST CSF’s 5 components (Identify, Protect, Detect, Respond, and Recover) by adding two new components, Governance and Supply Chain Management, to the front and back end of the CSF, respectively.


The Cybersecurity Profile also adds one additional but familiar component to its framework: the ability to scale its standards based on the type of institution completing the assessment. In the Profile’s case, a 9-question assessment is completed before entering the framework to determine the institution’s “impact” on the financial sector. The result places the institution in one of four “Impact Tiers”:

  • Tier 1: National/Super-National Impact – organizations that may impact the stability of the North American or global economy; a total of 277 control standards to meet
  • Tier 2: Subnational Impact – organizations that may impact the US financial services sector on a national scale; a total of 262 control standards to meet
  • Tier 3: Sector Impact – organizations that may impact the US financial services sector on a regional scale; a total of 188 control standards to meet
  • Tier 4: Localized Impact – organizations that only have a localized presence with less than 1 million customers; a total of 136 control standards to meet


The potential benefits to the FSSCC’s Cybersecurity Profile are:

  • A focus on senior executive and boardroom review of cybersecurity risks and budgeting
  • Utilization of plain language for benchmarking, risk management, audit, and in-house education
  • Potential compliance efficiencies that grow with a financial institution’s complexity
  • Assistance with the prioritization and focused-use of resources
  • Increased collaboration with other financial institutions, third-parties, and innovative nonbank financial companies
  • Tailored supervision, examinations, and collaboration among state, federal, and international supervisors
  • Enhanced understanding of systemic risk within the sector, across sectors, and among institutions and third-parties
  • Development of a common baseline security threshold
  • Improved data collection and comparison

 


Boardroom Engagement to Advance Investment

For the C-Suite and Board Directors, cybersecurity is a top concern, and regulators expect institutions to understand cyber threats and track their progress in mitigating identified security gaps. By using the Cybersecurity Profile over several cycles, the FSSCC hopes that financial institutions can benchmark their programs with the Profile’s recommended practices, identify gaps, articulate those gaps to the C-Suite and board directors in plain language, discuss appropriate resourcing for mitigation, and track the advancement in mitigation efforts over time.

 


Is the Profile Supported and Accepted by Regulators?

The cybersecurity preparedness and risk management framework a financial institution uses is decided independently by the organization (or sometimes by its regulator). Using the new FSSCC Cybersecurity Profile is not required by any regulatory body. Early reports from several regulatory agencies indicate they will accept the Profile as a supported cybersecurity framework, but the Profile will not replace any existing regulatory framework, nor is its completion required. There are, however, a limited number of financial institutions that are evaluating the Cybersecurity Profile as their cybersecurity framework.

 


How does the Profile compare to the FFIEC Cyber Assessment Tool (CAT)?

Most financial institutions are familiar with the FFIEC Cybersecurity Assessment Tool (CAT) and have a good understanding of the benefits it provides. The CAT is an organizational risk management framework that allows institutions to quantify and measure their risk exposure and identify the maturity of current controls. The institution identifies its inherent risk based on the activities, products, and services it offers. It then uses that information to determine the level of cybersecurity maturity (baseline, evolving, intermediate, advanced, or innovative) the institution should achieve and maintain given its inherent risks. Institutions go through the self-assessment questionnaire, focusing on the questions related to their maturity level goal, which identifies any control gaps. The CAT provides direction to the institution on where improvement is needed in its cybersecurity preparedness. The CAT is widely accepted and supported by regulatory agencies.


So how does the new FSSCC Cybersecurity Profile compare to the CAT? The following provides a side-by-side comparison of the two frameworks:

| FSSCC Cybersecurity Profile | FFIEC Cyber Assessment Tool (CAT) |
|---|---|
| Scalable self-assessment tool that can be used by financial institutions and third parties | Mature cybersecurity self-assessment framework widely utilized by financial institutions |
| Limited dashboard with a solid framework to assess risks and controls | Comprehensive dashboard to provide insight and direction on risks and controls |
| Built from existing regulations, guidance, frameworks, and NIST standards | FFIEC and NIST guidance based on financial industry cybersecurity best practices |
| Maturity is based on a tiering model, not specifically on inherent risks | The level of maturity is based on inherent risks and goals identified by the organization |
| FSSCC is allowing customization of the tool, but it currently does not offer any visual reporting of progress | Provides customizable and measurable maturity goals, as well as visual progress on achievement status |
| Utilizes tiering based on size and the impact the organization has on the sector, which limits the number of assessment questions for lower-tiered organizations | Cybersecurity maturity goal determines the number of questions required to be answered |
| Provides guidance for the more universal elements of a cyber risk management program (i.e., the “what” of the program) | Identifies control gaps, which will guide organizations in achieving a more mature cybersecurity preparedness |
| Early stages of regulatory acceptance and support | Widely accepted and supported by regulatory agencies |

 


Should You Check Out the Profile?

Should financial institutions use the FSSCC Cybersecurity Profile to assess their cybersecurity preparedness? The answer is not quite as simple as a “yes” or a “no.”


One of the main goals in developing the Profile was to create efficiencies in the crowded world of cybersecurity requirements and regulatory frameworks. The Profile’s tiering model provides some efficiencies, but the tiers may not take into consideration various inherent risks to which some smaller, full-service financial institutions are exposed, which could lead to gaps in controls.


For financial institutions, especially smaller community institutions, that are currently utilizing a proven cybersecurity framework such as the CAT, there does not appear to be a compelling reason or benefit for converting to the new FSSCC Cybersecurity Profile. In addition, the Profile is in its early release phase, and the overall industry acceptance is still uncertain.


However, for organizations looking to expand or reassess their cybersecurity preparedness, the Profile could offer another perspective. The Profile might be a good fit for larger institutions that are already mature from a cybersecurity perspective, as the Profile is more granular and prescriptive than the NIST Cybersecurity Framework. Larger institutions that are subject to additional regulatory guidance, such as publicly-traded institutions or those with a global presence, will likely find the 30 different regulations that are consolidated within the Profile to be beneficial.


It is important that each organization carefully evaluate new and evolving cybersecurity standards and frameworks and compare them to its existing frameworks, as the world of technology, threats, and regulatory guidance continues to evolve each day. The framework that each institution deploys is a decision each organization must make independently based on its business model and inherent risks.


There are many different organizational cybersecurity risk management frameworks available, from the FFIEC to the FSSCC to NIST to SANS. Determining which framework is right for your institution is just as important as putting together a plan to mature your organization’s cybersecurity program. But – at the end of the day – the most important thing to do is to simply START. Start somewhere, implement a control to mitigate a risk, and be a little bit better than yesterday.

 


Written By: Terry Kuxhaus
Senior Information Security Consultant - SBS CyberSecurity


 

SBS Resources:

  • {Solution} Cyber-RISK™: Automate your FFIEC cybersecurity assessment with Cyber-RISK™. This web-based software is based directly on FFIEC recommendations but goes beyond a simple spreadsheet. Cyber-RISK is offered free of charge to any financial institution looking to efficiently complete their cybersecurity assessment.
  • {Special Report Hacker Hour} FSSCC Releases New Cybersecurity Framework: Join SBS as we review the framework and provide answers to common questions.

 


Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Wednesday, December 5, 2018
Categories: Blog