Kelly Feili, DTCC’s Director of Operational and Technology Risk (OTR) Advocacy, was recently named Cyber Risk Institute (CRI) Vice Chair for the U.S. Standards Subcommittee. CRI works to protect the global economy by enhancing cybersecurity and resiliency through standardization.
“I'm excited to be in this role and further advocate on behalf of the financial services sector,” Feili said. “We can continue the momentum that has been building for the last three years. It would be a major advantage for the financial services sector to have less compliance costs and a more streamlined option for meeting regulatory obligations.”
DTCC Connection caught up with Kelly to learn more about her new role.
DC: Can you tell us about your role at DTCC?
KF: I started with DTCC in 2016 as a business information security officer, where we facilitated the engagement between DTCC Technology Risk Management and our business areas by acting much like a translator of security and compliance requirements to business process enhancements. In 2019, I returned from maternity leave and moved into my current role in cyber policy and advocacy where our focus is on DTCC’s external engagement and advocacy strategy as it relates to cybersecurity, resilience and third-party risk management. We work with trade associations and public sector partners, collaborating on various cyber and resilience advocacy activities and initiatives within the financial services sector, including opining on best practices, new guidance and new rules related to cybersecurity and efforts focused on strengthening the sector’s resilience.
DC: Tell us about the CRI’s role within the financial services sector.
KF: In 2016, the Financial Services Sector Coordinating Council developed what we originally called the financial services profile and which we now refer to as the “Profile,” with a capital P. One of the sector's challenges is that there are many overlapping regulations. Managing adherence can be unruly, particularly for global firms as it relates to cybersecurity, resilience and third-party risk management, as these areas are constantly evolving to address new threats.
And so, the Profile harmonizes regulatory expectations into a more concise and manageable list of assessment questions and outcomes. It aims to be applicable broadly across financial services and maps different principles and regulations. The Cyber Risk Institute was created three years ago to be the designated organization responsible for maintaining the Profile.
DC: What are CRI’s and U.S. Standards Subcommittee’s goals and objectives?
KF: CRI’s objective is to reduce the cybersecurity compliance burden that the financial services sector faces by demonstrating how it meets the outcomes defined in the Profile. Cybersecurity experts spend a significant amount of time on compliance activities rather than protecting financial systems, so CRI’s goal is to streamline compliance activities to free up experts’ time. The U.S. Standards Subcommittee identifies regulations, guidance and standards that should be included in the mapping to the Profile and, when financial authorities or the U.S. government are setting new cybersecurity-related frameworks, we advocate for the Profile, talk about its benefits, why it exists, and why it is preferred by the sector.
DC: What is DTCC’s affiliation with CRI?
KF: It’s to our advantage to be a member of and support the CRI. Our relationship enables us to invest in the future of cybersecurity, providing a voice on important initiatives that could impact the financial services industry and help shape future cybersecurity requirements.
DC: What are you looking forward to in the role of Vice Chair of the U.S. Standards Committee?
KF: I am proud to be Vice Chair of this group and to work alongside the Chair, Debbie Eng from JPMorgan Chase, and the working group members on initiatives that are larger than our individual firms’ efforts. As Vice Chair, I am looking forward to helping lead collaboration efforts across the sector as these are powerful in strengthening our collective cybersecurity practices. Our group plays an important role in working towards ensuring industry alignment regarding cybersecurity compliance.
DC: What are some of the key issues you will be focusing on with the CRI?
KF: One of the immediate initiatives is to work through how the Profile can be leveraged to address the Cybersecurity and Infrastructure Security Agency’s mandate to develop cross-sector specific performance goals, which are meant to establish common cybersecurity measurements that drive the management of cybersecurity risks. These cross-sector specific performance goals are part of a larger U.S. government effort to improve cybersecurity for critical infrastructure based on the 2021 Executive Order 14028.