FSSCC Cybersecurity Profile
Who is the FSSCC?
The Financial Services Sector Coordinating Committee (FSSCC) was established in 2002 by the financial industry. Since then, it has worked closely with key government agencies to protect the sector's critical infrastructure from both physical and cyber events. Members of the FSSCC include the largest financial institutions, as well as financial trade associations and financial utilities. The FSSCC and its partners work with the public sector on policy issues relating to the resilience of the sector.
What exactly is this Profile thing?
The FSSCC Cybersecurity Profile is a scalable and detailed framework that financial institutions of all types can use to evaluate their management of cyber risk, both internally and with respect to third parties. It also serves as a mechanism for demonstrating compliance with various regulatory frameworks, both within the United States and internationally.
What is the Profile?
The NIST Cybersecurity Framework (CSF) was the starting point for the development of the Profile. The Profile, however, goes a step further: it integrates a number of cybersecurity regulatory expectations and guidance documents, and it streamlines and consolidates the process of identifying cyber risks. The Profile retains the NIST CSF's five functions (Identify, Protect, Detect, Respond, and Recover) and adds two new functions, Governance and Supply Chain Management, at the front and back of the framework, respectively.
The Profile also adds one further component, new to the CSF but familiar elsewhere: the ability to scale its requirements according to the institution's impact on the financial sector. Before an institution begins working through the framework itself, it completes a nine-question assessment that determines its "impact" on the financial industry. The result places the organisation in one of four "Impact Tiers," which are as follows:
Tier 1, "National/Super-National Impact," carries a total of 277 control criteria. These are institutions with the potential to disrupt the stability of the North American or international financial markets.
Tier 2, "Subnational Impact," carries a total of 262 control criteria. This tier is for institutions with the potential to affect the United States financial services industry on a national scale.
Tier 3, "Sector Impact," carries a total of 188 control criteria. This tier is for institutions with the potential to affect the United States financial services industry on a regional scale.
Tier 4, "Localized Impact," carries a total of 136 control criteria. This tier is for institutions that have only a local presence and fewer than one million customers.
Possible advantages of using the FSSCC Cybersecurity Profile include the following:
- A focus on senior executives and boards in the review of cybersecurity risks and budgeting
- Use of common terminology such as "benchmarking," "risk management," "audit," and "on-site training"
- Possible compliance efficiencies gained by building on a bank's existing level of sophistication
- Help with setting priorities and with the targeted application of tools
- A closer working relationship with other financial institutions, third parties, and innovative nonbank financial businesses
- Tailored supervision, examinations, and collaboration on the part of state, national, and international regulators
- A deeper understanding of the systemic risks present within the industry, in other industries, and within individual institutions or third parties
- Establishment of a baseline security level for common incidents
- Greater comparability and improvement in information collection
Is the FSSCC Cybersecurity Profile Supported and Accepted by Regulators?
The framework a financial institution uses for its cybersecurity preparedness and risk management has always been chosen by the institution itself (or, on occasion, by its regulator). No regulatory body mandates the use of the new FSSCC Cybersecurity Profile in any way. The Profile does not replace any existing regulatory framework, and completing it is not required. Statements from a number of regulatory agencies indicate that they will accept the Profile as a recognised cybersecurity framework, and a few financial institutions are already evaluating the Profile as their cybersecurity framework.
Should You Look into the Cybersecurity Profile of the FSSCC?
Should financial institutions use the FSSCC Cybersecurity Profile to evaluate their preparedness for cybersecurity threats? The answer is not a simple yes or no.
One of the primary goals in designing the Profile was to streamline processes within the increasingly complex landscape of cybersecurity requirements and regulatory frameworks. The Profile's tiering approach does deliver certain efficiencies. However, the tiers may not account for the particular inherent risks to which some smaller financial institutions are exposed, which may leave gaps in controls in certain areas.
There does not appear to be a compelling reason or advantage for financial institutions, particularly smaller community institutions, that already use a recognised cybersecurity framework such as the FFIEC Cybersecurity Assessment Tool (CAT) to switch to the current version of the FSSCC Cybersecurity Profile. In addition, the Profile is still in the first phase of its launch, and the extent of its adoption across the industry has not yet been established.
The Profile may, on the other hand, offer a fresh perspective to institutions looking to expand or reassess their readiness for cyberattacks. Larger institutions that are already more mature from a cybersecurity standpoint are potentially good candidates for the Profile. The NIST Cybersecurity Framework is far more flexible and much less prescriptive than the Profile. Larger institutions that must adhere to additional regulatory guidance, such as publicly traded companies or organisations with a presence in multiple countries, will probably find that the Profile's consolidation of 30 separate regulations provides the greatest benefit.
Every organisation should thoroughly evaluate and compare how things are evolving. As technology, threats, and regulatory guidance continue to change, new cybersecurity frameworks are developed and existing ones are revised. Each company should choose its framework independently, taking into account both the nature of its business and its inherent risks.
Many organisational cybersecurity risk management frameworks are available, including those provided by the FFIEC, the FSSCC, NIST, and SANS. Developing a plan to increase your organisation's cybersecurity maturity is just as important as deciding which framework best suits your company. At the end of the day, the most important thing is to get started. Begin from wherever you are, implement a control to mitigate the risk (or risks), and strive to be better than you were yesterday.