The Financial Services Sector Cybersecurity Profile: What You Need to Know (2024)

The Financial Services Sector Cybersecurity Profile (the FSSCC Profile, named for the Financial Services Sector Coordinating Council that developed it) is an assessment framework that financial institutions of all types, financial services companies, financial firms, and their third-party providers can use to demonstrate compliance with a host of overlapping regulatory standards. In 2018, a survey showed that CISOs in the financial services sector spent 40% of their own and their teams' time reconciling various cybersecurity and regulatory frameworks instead of focusing on cybersecurity needs. That time was spent because each regulation carries its own standards for institutions' cybersecurity initiatives, which results in a segmented approach to compliance. The Financial Services Sector Coordinating Council therefore developed the Profile to unify CISOs' and practitioners' efforts to maintain and improve their compliance activity. The Profile has since been transferred to the Cyber Risk Institute, which publishes it as the CRI Profile.

The FSSCC Cybersecurity Profile uses a cybersecurity risk management-based approach very similar to the NIST Cybersecurity Framework, from which it draws inspiration: it keeps the NIST CSF's structure of functions, categories and subcategories and adds two functions of its own, Governance and Supply Chain/Dependency Management. One thing that separates the Profile from the NIST CSF is that it is broken up into four impact tiers based on the potential impact of an institution's disruption on the financial system. The tier determines which of the Profile's diagnostic statements an institution is expected to answer: Tier 1 institutions answer the full set, and each lower tier answers a smaller subset.

Financial Services Sector Cybersecurity Profile Tiers

Financial Services Sector Cybersecurity Profile Tier 1: National/Super-National Impact

Tier 1 institutions provide services to millions of customer accounts and have the most potential adverse impact on the North American economy’s overall stability, and potentially, the global market. These are designated as most critical.

Financial Services Sector Cybersecurity Profile Tier 2: Subnational Impact

These institutions provide mission-critical services to millions of customer accounts. A cyber incident at an institution of this size would have the potential for a substantial adverse impact on the financial services sector and on a subnational regional economy.

Financial Services Sector Cybersecurity Profile Tier 3: Sector Impact

These institutions have a high degree of interconnectedness, with certain institutions acting as critical nodes for their sector. Consulting the FSSCC can help you determine whether you fall into this tier.

Financial Services Sector Cybersecurity Profile Tier 4: Localized Impact

These institutions have a limited impact on the overall financial services sector and the national economy, often serving fewer than one million customers.

How the Financial Services Sector Cybersecurity Profile Enables Harmonization

Segmenting your institution by tier is necessary because the FSSCC Profile is a scalable tool: the tier determines which controls and cyber risk management assessments you are expected to track. The Profile can also serve as a baseline assessment tool, and it extends to internal and external assessments, including evaluating partners, vendors, and third-party service providers against the same diagnostic statements.

A risk-based approach also lets an organization align its cybersecurity teams with the C-Suite and Board by making benchmarking, risk assessment, risk mitigation, and audit a shared vocabulary, so that resources can be allocated properly and efficiently to cybersecurity and compliance objectives.

Many C-Suites and Boards of Directors now treat cybersecurity as a business concern, and practitioners can expect institutions to seek solutions that continuously track, harmonize and automate their compliance practices over time. An integrated risk management program such as CyberStrong can track not only the FSSCC Profile but other widely used cybersecurity frameworks alongside it. The Profile itself extends the NIST CSF and maps its diagnostic statements to regulatory requirements and standards such as the FFIEC IT Examination Handbook, ISO 27001 and NIST SP 800-53; an integrated risk management solution harmonizes those frameworks by crosswalking and automating your compliance efforts as well as benchmarking against your current risk profile. If you have any questions or want to discuss how CyberStrong or Integrated Risk Management benefits financial institutions, give us a call at 1-800-NIST CSF or schedule a free demo.
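The crosswalking described above, assess once against the Profile's diagnostic statements and report against several frameworks, is simple to automate. The following is an added example, not code from the original page or from any of the tools it names. The diagnostic statement IDs (DS-1 ... DS-6), the mapping from statements to target controls, and the assessment results are all constructed for illustration; the NIST CSF and ISO 27001 control identifiers are used only as labels and the mappings shown are not the Profile's real crosswalk.

```python
"""Crosswalk-based compliance reporting (added example, constructed data).

Assessment results are recorded once, per Profile diagnostic statement, and
projected onto other frameworks through a crosswalk. A target control counts
as satisfied only when every statement mapped to it is implemented, and a
statement with no recorded result is treated as a gap.
"""
from collections import defaultdict

# Constructed crosswalk: hypothetical statement ID -> framework -> controls it maps to.
CROSSWALK = {
    "DS-1": {"NIST CSF": ["ID.AM-1"], "ISO 27001": ["A.8.1.1"]},
    "DS-2": {"NIST CSF": ["ID.AM-1", "ID.AM-2"], "ISO 27001": ["A.8.1.1"]},
    "DS-3": {"NIST CSF": ["PR.AC-1"], "ISO 27001": ["A.9.2.1"]},
    "DS-4": {"NIST CSF": ["PR.AC-1"], "ISO 27001": ["A.9.2.1", "A.9.2.3"]},
    "DS-5": {"NIST CSF": ["DE.CM-1"], "ISO 27001": ["A.12.4.1"]},
    "DS-6": {"NIST CSF": ["RS.RP-1"]},
}

# Constructed assessment: statement -> True (implemented) / False (gap).
# DS-6 is deliberately missing to exercise the "no result" rule.
RESULTS = {"DS-1": True, "DS-2": True, "DS-3": True, "DS-4": False, "DS-5": False}


def invert(crosswalk):
    """framework -> control -> set of statements that map to that control."""
    by_control = defaultdict(lambda: defaultdict(set))
    for stmt, targets in crosswalk.items():
        for framework, controls in targets.items():
            for control in controls:
                by_control[framework][control].add(stmt)
    return by_control


def coverage(crosswalk, results):
    """Per-framework report: satisfied controls, gaps with their failing
    statements, and percentage of mapped controls satisfied."""
    report = {}
    for framework, controls in invert(crosswalk).items():
        satisfied, gaps = [], {}
        for control in sorted(controls):
            failing = sorted(s for s in controls[control] if not results.get(s, False))
            if failing:
                gaps[control] = failing
            else:
                satisfied.append(control)
        total = len(controls)
        pct = round(100.0 * len(satisfied) / total, 1) if total else 0.0
        report[framework] = {"satisfied": satisfied, "gaps": gaps, "pct": pct}
    return report


def remediation_priority(report):
    """Rank failing statements by how many target controls (across all
    frameworks) they block, so the highest-leverage fixes come first."""
    blocked = defaultdict(int)
    for framework_report in report.values():
        for statements in framework_report["gaps"].values():
            for stmt in statements:
                blocked[stmt] += 1
    return sorted(blocked.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    report = coverage(CROSSWALK, RESULTS)
    for framework, data in report.items():
        print(f"{framework}: {data['pct']}% satisfied, gaps={data['gaps']}")
    print("fix first:", remediation_priority(report))
```

The conservative all-statements-must-pass rule is the one examiners generally expect; a crosswalk that marks a control satisfied when any mapped statement passes will overstate coverage.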


FAQs

What is the financial services cybersecurity profile? ›

The Financial Services Sector Cybersecurity Profile (FSSCC Profile) is an assessment framework that financial institutions of all types, financial services companies, financial firms, and their third-party providers can use to demonstrate compliance with a host of overlapping regulatory standards.

What is cyber security in the financial sector? ›

Cybersecurity for financial services is instrumental in preventing losses. Through network security, intrusion detection systems, malware protection, and other measures, financial institutions can prevent many cyber attacks and limit the impact of those that succeed.

What is the FFIEC cybersecurity assessment tool? ›

The FFIEC Cybersecurity Assessment Tool (CAT) is a self-assessment designed to help institutions identify their inherent cyber risk and gauge their cybersecurity maturity against it.

What is a cyber security profile? ›

A Profile enables organizations to establish a roadmap for reducing cybersecurity risk that aligns well with organizational and sector goals, considers legal/regulatory requirements and industry best practices, and reflects risk management priorities.

What is the profile of financial services? ›

The financial services sector consists of banking, investing, taxes, real estate, and insurance, all of which provide different financial services to people and corporations.

What is security in the financial sector? ›

The financial sector is one of the most critical and vulnerable sectors in the economy, facing a variety of security threats from both physical and cyber sources. With the increasing digitalization and globalization of financial services, security risks have become more complex and challenging to address.

What are the threats to financial cybersecurity? ›

Prevalent threats to banks and financial services companies include phishing attacks, malware and ransomware, insider threats, DDoS attacks, and vulnerabilities in application programming interfaces (APIs). Each of these can lead to significant financial and reputational damage.

What are the 3 major types of cyber security? ›

Cyber security has become an indispensable requirement for any business, regardless of size or industry. One common breakdown is into three major types, network, endpoint, and data security; understanding all three lets enterprises protect themselves proactively against an ever-growing threat landscape.

What is the role of the finance department in managing cyber security? ›

As part of a risk management team, finance department leadership brings expert risk assessment skills to ask the right questions during planning. Cyber incident first response teams should include a knowledgeable leader from the finance department to analyze the potential financial impact of an attack.

What are the Ffiec guidelines? ›

FFIEC guidelines aim to ensure that financial institutions operate safely, comply with applicable regulations and legal requirements, and adequately identify and manage their risks.

Is Ffiec based on NIST? ›

Largely. The FFIEC CAT is built on the NIST Cybersecurity Framework and the FFIEC IT Examination Handbook, and tailors that guidance to banks and credit unions.

What is the difference between soc2 and NIST 800 53? ›

SOC 2 and NIST SP 800-53 both address the security, availability, and confidentiality of customer data, but they are different kinds of documents. SOC 2 is an attestation report, issued by an independent auditor against the AICPA Trust Services Criteria, on the controls a service organization operates; NIST SP 800-53 is a catalog of security and privacy controls for information systems, written for U.S. federal agencies and widely adopted elsewhere as a control baseline. In practice, SOC 2 is used to demonstrate control effectiveness to customers, while NIST SP 800-53 is used to select and implement the controls themselves.

What are the 3 A's of cyber security? ›

Authentication, authorization, and accounting (AAA) is a security framework that controls access to computer resources, enforces policies, and audits usage.
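The three A's as a working access gate, as an added example that is not part of the original page. The user store, role policy and audit sink are constructed in memory for illustration (user names, passwords, roles and action names are all made up); a real system would back them with an identity provider and an append-only log, but the shape of the decision path is the same.

```python
"""Minimal AAA gate (added example, constructed data).

authenticate() -> who is this?  (salted PBKDF2 hash, constant-time compare)
authorize()    -> may they do this? (role -> allowed actions)
accounting     -> every decision, allow or deny, is appended to AUDIT_LOG
"""
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # PBKDF2 work factor; tune upward for production


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password, role):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "role": role}


# Constructed user store: hypothetical users, passwords and roles.
USERS = {
    "alice": make_user("correct horse", "teller"),
    "bob": make_user("battery staple", "auditor"),
}

# Constructed policy: role -> set of permitted actions.
POLICY = {
    "teller": {"view_balance", "post_transaction"},
    "auditor": {"view_balance", "read_audit_log"},
}

AUDIT_LOG = []  # accounting: append-only record of every decision


def _record(event, user, action, outcome):
    AUDIT_LOG.append({"ts": time.time(), "event": event, "user": user,
                      "action": action, "outcome": outcome})


def authenticate(username, password):
    """True if the credentials match. A dummy salt/hash is used for unknown
    users so the call costs the same either way (no user-enumeration timing
    oracle), and the digest comparison is constant-time."""
    rec = USERS.get(username)
    salt = rec["salt"] if rec else b"\x00" * 16
    expected = rec["hash"] if rec else _hash("", salt)
    candidate = _hash(password, salt)          # always computed
    ok = rec is not None and hmac.compare_digest(candidate, expected)
    _record("authn", username, None, "success" if ok else "failure")
    return ok


def authorize(username, action):
    """True if the user's role permits the action; default deny."""
    rec = USERS.get(username)
    role = rec["role"] if rec else None
    ok = action in POLICY.get(role, set())
    _record("authz", username, action, "allow" if ok else "deny")
    return ok


def perform(username, password, action):
    """Full AAA path. Returns 'ok', 'authn-failed' or 'denied'."""
    if not authenticate(username, password):
        return "authn-failed"
    if not authorize(username, action):
        return "denied"
    return "ok"


if __name__ == "__main__":
    print(perform("alice", "correct horse", "post_transaction"))
    print(perform("bob", "battery staple", "post_transaction"))
    print(perform("mallory", "guess", "view_balance"))
    for entry in AUDIT_LOG:
        print(entry)
```

Note that authorization is only attempted after authentication succeeds, and that failures are logged as carefully as successes: the accounting leg is what lets a later investigation reconstruct who tried what, not just who got in.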

What are the three key areas of cyber security? ›

Cyber security is made up of three main areas: physical, technical and human. In order to exercise the best practice of cyber security, all three elements need to be understood and considered. Only an approach which secures the physical, technical and human aspects of cyber security can be effective.

What is cyber security role profile? ›

Typical duties include developing and implementing a cyber security strategy, monitoring for vulnerabilities and risks in existing software and systems, and building firewalls and spyware and malware detection into network infrastructures.

What is a NIST CSF profile? ›

A Profile is an organization's unique positioning of its business requirements (the size of the company, its industry and vertical, and particulars such as contractual obligations, objectives, risk tolerance, and organizational resources) against the desired outcomes of the Framework Core.

What is FSO in cyber security? ›

An FSO is a Facility Security Officer: the person at a cleared contractor facility under the U.S. National Industrial Security Program who is responsible for the facility clearance and for personnel security clearances, including interim clearances, investigations, and adjudications. It is a government and defense-contractor role rather than a financial-sector one.

What is the role of the CFO in cybersecurity? ›

CFOs aren't cybersecurity experts, but they are experts in risk management. This makes them natural allies of the CISO, who is responsible for protecting the organization's systems and data. CFOs should be consulted on cybersecurity plans, making sure they reflect the company's overall financial risk.


Author: Jeremiah Abshire
