NIST Proposes Update to Cybersecurity Framework to Address Service Provider Oversight

Many investment advisers and broker-dealers have embraced the NIST Cybersecurity Framework since it was first released in 2014, using it to formalize the mapping of risks and controls as part of a comprehensive cybersecurity program. Alas, cybersecurity risks continue to grow, and so too must the response to those risks keep pace. What has become clear from the SEC’s cybersecurity enforcement actions to date is that vendors and service providers to advisers and broker-dealers have access to a wealth of information and data about a firm and its clients, and that a breach or security incident involving the service provider can have privacy impacts for the IA or BD.

Recognizing the significance of service provider relationships and interdependencies on operational risk, the National Institute of Standards and Technology (NIST) proposed an update to its Cybersecurity Framework on January 10, 2017. The proposed changes in version 1.1 are in draft form pending a comment period which is open until April 10, 2017. The draft proposes to amend the Cybersecurity Framework by:
  • Adding a new section on cybersecurity measurement to help define consistent terminology for aligning business actions, results, cybersecurity expenditures, and cybersecurity metrics
  • Updating the Framework Core by adding a new category within the Identify function for Supply Chain Risk Management (ID.SC), which is essentially a focus on the policies, procedures, and controls to manage the risks posed by a firm’s third party vendors and service providers. The new category will include, among other things, an assessment of whether vendors are appropriately identified, prioritized, required to adhere to certain contractual obligations for information security, monitored for compliance with such terms, and included within the scope of business continuity testing.
  • Enhancing the Protect -> Access Control category (PR.AC) to include authentication, authorization, and identity verification, and renaming the category as “Identity Management and Access Control” to reflect that access is closely tied to an understanding of the identity of the party requesting access
  • Adding explanatory text throughout the Framework to describe how Implementation Tiers can be used in conjunction with the Current Profile and Target Profile. A tier is a way to benchmark the strength of a firm’s cybersecurity program, with higher tiers reflecting a more comprehensive and proactive program. The tiers are: Tier 1 (Partial), Tier 2 (Risk Informed), Tier 3 (Repeatable), and Tier 4 (Adaptive).

A redlined version of the NIST Cybersecurity Framework as updated by the proposed draft is available here.


Subscribe to CSS Blog

CSS frequently publishes blog posts which are written by our team from their observations in the field, at conferences and through experiences with compliance professionals. These posts are designed to further knowledge and share industry best practices. Topics run the gamut, including Form ADV, cybersecurity, MiFID II, position limit monitoring, technology challenges and more. Complete and submit the brief form below to receive notifications when we publish new content.

Latest Content

From One CCO to Another: Don’t Lie to the SEC

Every once in a while, I think it’s important to get back to the basics. Since the adoption of the compliance rules in 2004, the Securities and Exchange Commission staff has repeatedly stated that the intent of the rules were not to hunt CCOs. Great pains have been made to enlist CCOs support in ensuring … Continued

BME Partners with CSS to Strengthen its Regulatory Service Suite

BME to offer financial services firms in Spain and Portugal a multi-regulation reporting platform Partnership brings a unique combination of local market presence and global coverage BME has partnered with Compliance Solutions Strategies (CSS), a leading RegTech platform provider, to offer a global regulatory reporting solution in Spain and Portugal. The combination of BME’s local … Continued

Compliance Solutions Strategies Acquires AMFINE

Combination Creates First Fully End-To-End Compliance Reporting Platform NEW YORK, September 10, 2020 – Compliance Solutions Strategies (“CSS”), a leading RegTech platform providing technology-driven solutions which enable financial services firms to meet mandatory regulatory compliance requirements, today announced the acquisition of AMFINE (“AMFINE”), a provider of SaaS-based regulatory reporting services to European asset managers, asset … Continued