Josh Magri: The CRI Profile - A Simplified Approach to Better Assessment

FinCyber Today - A podcast by FS-ISAC - Tuesdays

The Cyber Risk Institute has developed a cybersecurity framework for the financial sector that is based on globally recognized standards. Josh Magri, CRI President & CEO, talks about the genesis of this framework and how it can help bridge the gap between self-assessment and regulatory compliance, even for financial firms that have operations around the globe.

Notes from our Discussion with Josh

CRI Profile

The Profile is the Rosetta Stone between cybersecurity frameworks, standards, and regulatory provisions. The purpose is to use the Profile as an assessment tool. It incorporates several different regulatory jurisdictions.

Genesis of the Profile

There was significant regulatory fragmentation in the way cybersecurity was being approached. This regulatory fragmentation wasn't just across the globe, but even within the US. It led to firms spending a tremendous amount of time on compliance documentation rather than on frontline cyber defense. FS-ISAC conducted a survey of how firms were dealing with compliance and found that 40% of the cyber team's time was spent on compliance rather than on frontline cyber defense. So, under the umbrella of the Financial Services Sector Coordinating Council, several financial institutions and trade associations got together to find a different way to do this. CRI focused on the NIST CSF and the International Organization of Securities Commissions' frameworks.

Adoption of the Profile

Thousands of firms are using it. It's a free downloadable spreadsheet. It's used in the US, the UK, mainland Europe, Japan and Africa.

Self-Assessment That Can Be Used for Regulatory Compliance

The different regulatory requirements amounted to a set of around 3,000 questions that firms would need to address. The framework brought this down to around 277 diagnostic statements related to a cyber program. To bring these 277 statements down to a manageable amount for a given firm, an impact tiering schema was layered on top. It's essentially an assessment for financial services that can be used for compliance.

Challenges in Regulatory Harmonization

It's probably not possible to achieve 100% regulatory harmonization. We should aim at regulatory convergence, where regulators take a common approach to cyber without the expectation of all regulatory provisions looking the same. Geopolitical challenges are going to be the impediments.

Role of the Profile in Managing Supply Chain Cyber Risks

A number of firms have used the Profile internally and are now using it for external evaluation of third parties, and even in M&A due diligence. One of the key distinctions of the Profile is its detailed and holistic view of third-party risk. This is what all regulators and firms care about, and it tends to be the weakest link.

Role of the Profile for Cloud Service Providers

Financial services firms bring compliance requirements to cloud service providers. But if it's not part of their strategic roadmap, the cloud service providers are reluctant to address them. So, 2-3 years ago, the Profile was mapped to the Cloud Security Alliance's Cloud Controls Matrix to show where cloud controls intersect with cyber controls and regulatory compliance.

The Profile and AI

There are a number of agencies working on AI already, and the Profile shouldn't duplicate that. The Profile will probably focus more on security controls around AI than on algorithmic bias or even privacy.

Advantages of the Profile

Using it saves a huge amount of time and effort. It is freely downloadable. Software suites like Axio are incorporating it. There's another program in which consulting firms like EY and KPMG are involved. So, there will be many more support-type services out there, rather than a spreadsheet on its own.