Mar 30, 2020

Financial Sector Cybersecurity Framework Profile Consolidates Regulatory Requirements

By Hope Goslin

Cyberattacks are an all too common occurrence, especially for financial institutions. In response, we are seeing an influx of security rules and regulations for financial institutions to follow. And – although the regulations are beneficial – complying with the regulations can be time consuming and costly.

According to findings from the technology division of the Banking Policy Institute (BITS), “One firm’s Chief Information Security Officer estimated that 40 percent of his time and that of his team was devoted to reconciling various requirements of regulatory agencies.” And a report from Boston Consulting Group (BCG) cited that a multinational bank was spending more than 15 percent of its annual operating budget on risk and compliance.

In an effort to mitigate these time and financial constraints, BCG, BITS, and more than 150 financial services institutions came together to develop the Financial Sector Cybersecurity Framework Profile. The profile consolidates regulatory requirements, making it easier to comply with multiple requirements at once. This is a major win for financial services institutions because, according to industry data collected by BITS, over 30 cybersecurity regulations have been released in the past five years, with plans to issue more.

With the profile now in place, financial services institutions don’t have to answer a separate set of reporting questions to prove compliance with every rule and regulation. There is now one framework that encompasses all of the rules and regulations with a consolidated set of questions. According to BCG, having one common framework has reduced the number of questions by 49 percent for large organizations and 73 percent for small ones.

Aside from the decrease in compliance questions, the time and money saved by the profile help financial institutions focus on the main aspects of their cybersecurity program, on innovation, and – most importantly – on their clients.

The response to the new profile has been overwhelmingly positive. As Paul Farrington, EMEA Chief Technology Officer at Veracode, stated:

“Financial services firms have to deal with a myriad of regulations, especially relating to cybersecurity. We need organisations to be held accountable for improving their security posture. Standards are vital, but reporting can be a real burden and, in some cases, gets in the way of doing valuable security work. We welcome the Financial Sector Cybersecurity Framework Profile. It should help teams fast-track compliance exercises and create capacity for additional security focus.”

Any financial institution, regardless of size, can leverage the profile. It encompasses more than 30 US federal, state, and global regulations, including the NIST Cybersecurity Framework, the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001, and the Committee on Payments and Market Infrastructures (CPMI)-International Organization of Securities. The profile should address up to 90 percent of regulatory requirements at one time, enabling companies to focus on threats. The hope is for the profile to incorporate more global regulations in the coming years.

For additional information on the new profile, please read the Financial Sector Cybersecurity Framework Profile user guide.

Hope is part of the content team at Veracode, based in Burlington, MA. In this role, she focuses on creating engaging AppSec content for the security community.