Why Financial Institutions Are Adopting the Cyber Risk Institute (CRI) Profile

By Lawrence Chin, Security Architect – Financial Services

Rising Cost and Complexity of Compliance

As the cyberthreats facing financial institutions (FIs) continue to grow, financial regulators have responded with new and/or updated regulations to address data protection, data security, cyber hygiene, third-party risk, and operational resilience. For FIs, this means additional time, resources, and costs must be expended to meet regulatory requirements, which may be at odds with business growth and operational efficiency.

FIs that operate across jurisdictions face multiple distinct and separate regulatory obligations and expectations. There may be nuanced differences across such a set of regulations, which further adds to the regulatory burden. To demonstrate compliance with these myriad regulations, FIs spend countless hours, devoting significant people and technology resources to capture and provide evidence of appropriate processes and controls for each and every exam or audit. Some chief information security officers (CISOs) reportedly spend up to 40% of their time on compliance-related activities.

However, there are often similarities across the required elements from these multiple exams as well. Instead of addressing these separately and repeatedly, the evidence collected to demonstrate compliance can be reused for similar obligations across multiple audits and jurisdictions.


Efficiency via Consolidation

Taking advantage of that concept, financial institutions can reduce the burden of responding to numerous separate exams using a consolidated approach to assess cybersecurity, resilience, and efficacy, with the help of the Cyber Risk Institute (CRI) Financial Services Cybersecurity Profile (“the Profile”).

Cyber Risk Institute (CRI) Financial Services Cybersecurity Profile (“the Profile”).

The Profile harmonizes over 3,000 regulatory expectations from around the world into less than 300 diagnostic statements (control objectives). This translation and consolidation addresses topical overlaps and phrasing differences to streamline and reduce the cost and complexity of cyber risk and compliance workloads for FIs. As an example, the Profile has a diagnostic statement (DE.CM-1.3) that calls for the implementation of intrusion detection and prevention capabilities. After gathering the appropriate evidence once, an FI can reuse it to satisfy similar obligations for the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT), European Central Bank (ECB) Cyber Resilience Oversight Expectations, and International Organization of Securities Commissions (IOSCO) Guidance on cyber resilience for financial market infrastructures — just to name a few. Additionally, for the largest of FIs, the Profile has almost 50% fewer questions to address than another widely used assessment tool by this sector. Ultimately, the reuse of evidence and the smaller universe of diagnostic statements results in a substantial reduction in effort for compliance-related activities since fewer interviews with assorted subject matter experts and less time are needed overall. Anecdotally, one FI cited a 35% average reduction in effort for their regulatory exams since adoption of the Profile.

Since the Profile may be used as a shared baseline for examinations by different financial regulators, this allows FIs to deploy their resources more effectively for compliance work, reduces time needed to reconcile exam issues, and makes security oversight easier. For the financial regulators, the widely adopted cyber control assessment framework in the Profile offers greater visibility into systemic risk across the financial sector and a common, consistent vocabulary as well. FIs have used the Profile with financial regulators in the Americas, Asia, and Europe too. Financial regulators or standards bodies that have recognized or acknowledged the Profile include the U.S. Treasury, FFIEC, Federal Reserve Board, National Institute of Standards and Technology (NIST), IOSCO, European Union Agency for Cybersecurity (ENISA) and the Reserve Bank of New Zealand.


Evolution of the Profile

The CRI is a not-for-profit coalition of FIs and trade associations — currently with over 50 members, which include large banks, financial markets, insurance companies, regional/community banks, and a growing base of global firms as well. Working with its members, the CRI is responsible for curating and evolving the Profile to meet the needs of the financial sector. Thousands of FIs have adopted the Profile — including some in the U.S. that have transitioned away from the FFIEC CAT. Outside of the U.S., where some firms may be reluctant to use the NIST Cybersecurity Framework (CSF), the Profile offers a viable alternative.

As its user base grows, the Profile will evolve with cybersecurity-related standards for emerging technologies and practices (e.g., AI, cloud, privacy, financial digitalization, and operational resilience). The CRI’s next update, the Profile v2.0, is expected in early 2024. The CRI also offers the Cloud Profile, which was developed in collaboration with FIs and cloud service providers to ensure better communication about (shared) responsibilities. The Cloud Profile extends the Profile to include contractual language and implementation guidance. FIs that have not yet considered using the CRI Profile (or Cloud Profile) are encouraged to take a closer look and see how it may reduce the regulatory compliance burden and to explore continuous controls monitoring and automation benefits.


Complement the Profile with Automation

With the Profile’s 10x consolidation of regulatory expectations, an FI will realize a significant time- and cost-savings in compliance activities overall. However, the actual effort to identify, collect, and validate the needed artifacts and evidence for each diagnostic statement is still a very manual process that is time- and resource-intensive. For many in the risk and compliance world, the gathering of evidence is still a pain point. To lighten that load, automation and continuous controls monitoring can produce the required artifacts in real time. Looking back at the diagnostic statement on intrusion detection and prevention, a network security management tool can generate a report of all intrusion detection and prevention system (IDPS) devices in the environment as evidence. Another example is a cloud security posture management (CSPM) tool that generates a CRI Profile compliance report for an FI’s cloud estate. With automation behind and aligned to the Profile’s diagnostic statements, FIs can further reduce the effort required for exams and audits of cybersecurity risks.


About Palo Alto Networks

Palo Alto Networks is the world’s cybersecurity leader. We innovate to outpace cyber threats so organizations can confidently embrace technology. We provide next-gen cybersecurity to thousands of customers globally across all sectors. Our best-in-class cybersecurity platforms and services are backed by industry-leading threat intelligence and strengthened by state-of-the-art automation. Whether deploying our products to enable the Zero Trust Enterprise, responding to a security incident, or partnering to deliver better security outcomes through a world-class partner ecosystem, we’re committed to helping ensure each day is safer than the one before. It’s what makes us the cybersecurity partner of choice.

Palo Alto Networks has recently joined the CRI Innovator Program at the Premium level.

For more information, visit www.paloaltonetworks.com.