Why Financial Institutions Are Adopting the CRI Profile

The original version of this blog appeared as an article in the Summer/Fall 2023 printed edition of Cyber Perspectives Magazine.

Rising Cost and Complexity of Compliance

As the cyberthreats facing financial institutions (FIs) continue to grow, financial regulators have responded with new or updated regulations to address data protection, data security, cyber hygiene, third-party risk and operational resilience. For FIs, this means additional time, resources and costs must be expended to meet regulatory requirements, which may be at odds with business growth and operational efficiency.

FIs that operate across jurisdictions face multiple distinct and separate regulatory obligations and expectations. There may be nuanced differences across such a set of regulations, which further adds to the regulatory burden. To demonstrate compliance with these myriad regulations, FIs spend countless hours, devoting significant people and technology resources to capture and provide evidence of appropriate processes and controls for every exam or audit. Some chief information security officers (CISOs) reportedly spend up to 40% of their time on compliance-related activities.

However, there are often similarities across the required elements from these multiple exams as well. Instead of addressing these separately and repeatedly, we can reuse the evidence collected to demonstrate compliance for similar obligations across multiple audits and jurisdictions.

Efficiency via Consolidation

Taking advantage of that concept, financial institutions can reduce the burden of responding to numerous separate exams by using a consolidated approach to assess cybersecurity, resilience and efficacy. This is where the Cyber Risk Institute (CRI) Financial Services Cybersecurity Profile (commonly known as “the Profile”) can help.

The Profile harmonizes over 3,000 regulatory expectations from around the world into less than 300 diagnostic statements (control objectives). This translation and consolidation addresses topical overlaps and phrasing differences to streamline and reduce the cost and complexity of cyber risk and compliance workloads for FIs. As an example, the Profile has a diagnostic statement (DE.CM-1.3) that calls for the implementation of intrusion detection and prevention capabilities. After gathering the appropriate evidence once, an FI can reuse it to satisfy similar obligations for the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) and the European Central Bank (ECB) Cyber Resilience Oversight Expectations — just to name two examples. Additionally, for the largest of FIs, the Profile has almost 50% fewer questions to address than another widely used assessment tool by this sector. Ultimately, the reuse of evidence and the smaller universe of diagnostic statements results in a substantial reduction in effort for compliance-related activities. This is due to the fact that fewer interviews with assorted subject matter experts and less time are needed overall to capture the appropriate evidence. Anecdotally, one FI cited a 35% average reduction in effort for their regulatory exams since adopting the Profile.

Since the Profile may be used as a shared baseline for examinations by different financial regulators, this allows FIs to deploy their resources more effectively for compliance work. It reduces time needed to reconcile exam issues and makes security oversight easier. For the financial regulators, the widely adopted cyber control assessment framework in the Profile offers greater visibility into systemic risk across the financial sector and a common, consistent vocabulary, as well. FIs have used the Profile with financial regulators in the Americas, Asia and Europe too. Financial regulators or standards bodies that have recognized or acknowledged the Profile include the U.S. Treasury, FFIEC, Federal Reserve Board, National Institute of Standards and Technology (NIST), International Organization of Securities Commissions (IOSCO), European Union Agency for Cybersecurity (ENISA) and the Reserve Bank of New Zealand.

Evolution of the Profile

The CRI is a not-for-profit coalition of FIs and trade associations, currently with over 50 members, which include large banks, financial markets, insurance companies, regional/community banks and a growing base of global firms. Working with its members, the CRI is responsible for curating and evolving the Profile to meet the needs of the financial sector. Thousands of FIs have adopted the Profile, including some in the U.S. that have transitioned away from the FFIEC CAT. Outside of the U.S., where some firms may be reluctant to use the NIST Cybersecurity Framework (CSF), the Profile offers a viable alternative.

As its user base grows, the Profile will evolve with cybersecurity-related standards for emerging technologies and practices (e.g., AI, cloud, privacy, financial digitalization and operational resilience). The CRI will release the Profile v2.0 early in 2024. The CRI also offers the Cloud Profile, which is a collaboration with FIs and cloud service providers to ensure better communication about responsibilities. The Cloud Profile extends the Profile to include contractual language and implementation guidance. FIs that have not yet considered using the CRI Profile (or Cloud Profile) are encouraged to take a closer look. Learn how the Profile may reduce the burden of your regulatory compliance activities and explore continuous controls monitoring and automation benefits.

Complement the Profile with Automation

With the Profile’s 10x consolidation of regulatory expectations, an FI will realize a significant time and cost-savings in compliance activities overall. However, the actual effort to identify, collect and validate the needed artifacts and evidence for each diagnostic statement is still a manual process that is time and resource-intensive. For many in the risk and compliance world, the gathering of evidence is still a pain point. To lighten that load, automation and continuous controls monitoring can produce the required artifacts in real time. Looking back at the diagnostic statement on intrusion detection and prevention, a network security management tool can generate a report of all intrusion detection and prevention system (IDPS) devices in the environment as evidence. Another example is a cloud security posture management (CSPM) tool that generates a CRI Profile compliance report for an FI’s cloud estate. With automation behind and aligned to the Profile’s diagnostic statements, FIs can further reduce the effort required for exams and audits of cybersecurity risks.

Connect today with the Financial Services team of Palo Alto Networks to learn more on how we support the CRI Profile with automation and continuous controls monitoring to achieve measurable business impact across your risk, compliance and security teams.