Jason Harrell, DTCC Head of Business and Government Cybersecurity Partnerships.
Building and maintaining an effective cybersecurity program is a major challenge for financial services firms. That challenge is amplified by the fact that firms who operate globally expend considerable resources to comply with existing regulations and keep pace with new regulations from multiple jurisdictions and multiple regulators.
In fact, an industry survey showed that Chief Information Security Officers (CISOs) for financial institutions reported spending up to 40% of their time satisfying compliance requests for supervisory and regulatory agencies. Given the global shortage of cybersecurity talent, it is imperative that cybersecurity professionals dedicate their valuable time addressing known cyber threats and developing strategic approaches to new and emerging threats.
To more effectively support the cyber security and resiliency of the world’s financial institutions, a coalition of more than 30 firms representing trade associations and financial institutions, including DTCC, joined to create the Cyber Risk Institute (CRI).
Jason Harrell, DTCC Head of Business and Government Cybersecurity Partnerships, sits on the Management Board of the CRI. He sat down with DTCC Connection to talk about the CRI and its work to protect the financial service sector through enhancing financial institution partnership with the public sector to demonstrate compliance with new and existing cyber and cyber resilience rulemaking.
What is the Cyber Risk Institute?
The Cyber Risk Institute (CRI) is a coalition of financial institutions representing the entire spectrum of the financial services sector established to develop cybersecurity and resilience strategies and standards to assist institutions in responding to evolving cyber threats. The CRI serves as home to the Financial Services Cybersecurity Profile (“the Profile”), a benchmark for cyber risk assessment that can be applied to financial institutions of all sizes, as well as third-party providers to those institutions.
Can you tell us more about the Profile?
Stated simply, the Profile allows financial institutions to demonstrate their compliance to the numerous supervisory texts (e.g., supervisor rules, rules interpretations, guidance, supervisory tools and questionnaires) and for supervisors and regulators to deepen their comparative understanding of the control environment between firms of similar systemic impact. To accomplish this, the Profile aligns these supervisory texts into 277 diagnostic statements. These diagnostic statements are mapped to the National Institute of Standards and Technology (NIST) Cybersecurity Framework which roots this compliance convergence tool into an industry accepted framework for managing risks. With its tailoring, the Profile enables front-line defenders to optimize their time between security operations and compliance activities.
How will the CRI bring benefit/value to the financial services industry?
While there are many benefits for financial institutions and supervisors to use the Profile, the four that are most impactful include:
1. The Profile is rooted in an industry-accepted framework (i.e., NIST Cybersecurity Framework): Many financial institutions use NIST Cybersecurity Framework as a basis for measuring their cybersecurity programs so there isn’t a large shift in the philosophical approach to securing the environment
2. Time optimization: The ability to demonstrate compliance to multiple supervisory texts through diagnostic statements allows financial institutions to balance the human capital used to conduct security operations and respond to regulatory requests. It also allows regulatory examiners to focus more specifically on the financial institution’s approach to managing this risk based on its operations.
3. Comparison of ‘like’ financial institutions: Supervisors and regulators continue to look for metrics to measure the industry preparedness for a material cyber event. Through financial institution’s use of the Profile, these entities can begin to compare firms based on their systemic impact and gain deeper understanding of potential strengths and weaknesses across financial institutions. This may lead to additional guidance or rule interpretations that strengthen the financial services sector.
4. Form the basis for advanced analytics: As supervisors and regulators move to more effective means of oversight (e.g., SupTech and RegTech), the use of a common toolset across financial institutions will also provide a framework that can be used by these new technology solutions to gain deeper insights than may currently be possible
What role will DTCC play in the CRI?
DTCC has taken a leadership role with CRI as a demonstration of its industry commitment to advancing the risk management of the financial markets. We are committed to working with CRI and financial services sector participants to grow the Profile to include additional supervisory texts and expand its use. We are also committed to working with CRI to expand its membership globally.
Looking a bit further ahead, the CRI website states “Three Years. Four Goals.” What are those four goals?
Goal #1: Use. We want to partner with financial institutions to demonstrate the value of the Profile and to encourage its use throughout the global financial services sector. Currently, the Profile is in use by approximately 100 firms on four continents.
Goal #2: Educate. In order to expand the Profile use, we need to educate global financial institutions and policy makers on the rationale behind the Profile development; the process used to draft the diagnostic statements; the potential benefits for the financial services sector and future planned enhancements.
Goal #3: Integrate. The initial draft of the Profile included mappings for the US cyber regulatory space and key European and APAC cybersecurity supervisory texts. The mapping of additional supervisory text will expand the depth and jurisdictions where the Profile can be used.
Goal #4: Build. This includes enhancing the consumer experience through improving the current user interface and providing new user interfaces for the Profile. It also includes improving the reporting outputs for the Profile and ensuring that new supervisory text in the cybersecurity space is subsequently mapped to the Profile.