Financial organizations handle a large amount of sensitive data, including payment information, customer details, and financial records. They also manage large financial transactions, so any successful cyberattack against them can lead to a huge payout for threat actors (the bad guys). Therefore, it’s no surprise that the financial services industry was part of the top 10 most vulnerable industries in 2021.
One of the best ways to improve your financial firm's security posture is to adopt the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).
What Is NIST CSF?
NIST CSF is a set of recommendations aimed at helping organizations manage and minimize their cybersecurity risk. It’s based on existing standards, guidelines, and practices that form the foundation for many other high-compliance industry regulations.
NIST originally developed this cybersecurity framework in response to former US President Obama’s directive to improve critical infrastructure cybersecurity. However, since its release in 2014, NIST CSF has become the go-to resource for any organization looking to improve their cybersecurity program.
Why Should Financial Firms Adopt NIST CSF, You Ask?
Financial companies can greatly benefit from adopting NIST CSF for three main reasons:
- It provides comprehensive cyber protection.
- There are sector-specific framework profiles for alignment with your unique business needs.
- You’ll have a living document that continuously updates as new cyber threats arise.
Comprehensive Cyber Protection
NIST CSF is widely recognized as the cybersecurity framework with the most in-depth and comprehensive set of controls. Adopting it can help financial companies cover all of their security bases, especially with the five high-level functions in the framework's core that represent the complete life cycle of managing cybersecurity risks:
- Identify – identifying, assessing, and managing cybersecurity risks
- Protect – protecting systems and data
- Detect – detecting cyber incidents
- Respond – responding to cyber incidents
- Recover – recovering from cyber incidents
The five core functions are broken down into 23 Categories and 108 Subcategories, each paired with matching Informative References.
Categories cover the breadth of your organization's cybersecurity objectives, from software and hardware to personnel, while Subcategories describe the specific outcomes you should aim for when creating or improving your cybersecurity program.
Sector-Specific Framework Profile
Another component of NIST CSF, Framework Profiles are:
"an organization's unique alignment of their organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core."
So, what does that mean? In simple terms, it means that how you choose to apply NIST CSF to your organization depends on any external requirements or internal goals you have regarding cybersecurity. It’s also saying that your CSF profile will be shaped by the risk level you’re willing to take on and what resources are available to you.
In 2018, the Financial Services Sector Coordinating Council, guided by NIST and certain regulatory organizations, developed the Financial Services Sector Cybersecurity Profile (FSP or Profile). They designed it to scale across banks, insurance companies, asset management firms, and all other members of this sector of “varying complexity, interconnectedness, and criticality.”
The FSP is based on NIST CSF, CPMI-IOSCO, ISO standards, and other relevant regulatory issuances, guidance, and supervisory expectations from across the sector and around the world. To better reflect the emphasis on supervision, the FSP’s final design extends the NIST cybersecurity framework’s five functions to include two new functions: Governance and Supply/Dependency Management.
Similar to NIST CSF’s, the FSP’s functions are subdivided into Categories and Subcategories. The Profile also includes Informative References but goes further by adding Financial Sector References.
The FSP comes with an Impact Tier questionnaire that segments the financial services sector into four tiers based on how much impact a cyber incident at a given organization would have:
- Tier 1: National/Super-national impact
- Tier 2: Subnational impact
- Tier 3: Sector impact
- Tier 4: Localized impact
Afterward, a financial company must answer the Profile's set of cybersecurity assessment questions (i.e., the Diagnostic Statements borrowed from the Federal Financial Institutions Examination Council Cybersecurity Assessment Tool) corresponding to its impact tier level. By doing so, you can evaluate your own organization as well as your partners, vendors, and third-party service providers. This helps you prioritize your cybersecurity goals and determine the best use of your resources.
NIST CSF as a Living Document
As cyberthreats become more prevalent and sophisticated, financial companies need to keep advancing their cyber defenses. Fortunately, NIST will keep updating its CSF to stay on top of the evolving cybersecurity landscape.
To date, NIST CSF has been updated once with the release of CSF Version 1.1 in 2018. Another update is due this year aimed at helping organizations address supply chain risks.
Planning to start your financial firm’s NIST CSF journey? Let the IT experts at Charles IT help you. With us at your side, you can smoothly adopt the NIST CSF and enhance your company’s security posture. Get in touch with us today!