Financial Sector and Cloud Security Providers Complete Initiative To Enhance Cybersecurity

The Cyber Risk Institute (CRI), the Cloud Security Alliance (CSA), and the Bank Policy Institute-BITS announced today the release of a cloud extension for the CRI Profile version 1.2. The “Cloud Profile” represents the collaboration of over 50 financial institutions and major cloud service providers (CSPs) to extend the CRI Profile, which is a widely accepted cybersecurity compliance framework for the financial sector.

“Today’s release marks an historic achievement,” said CRI President Joshua Magri. “This is the first time that financial institutions, the major CSPs, and trade associations have come together to develop a set of baseline expectations related to cybersecurity and roles and responsibilities for cloud deployment. We are exceedingly proud of the work done here and what it may mean for future cloud usage in the financial services sector. We are pleased to be part of a collaborative solution to a longstanding challenge.”

As more financial institutions move to the cloud, financial regulators globally have become increasingly focused on ensuring firms use sound risk management practices during cloud implementation. The Cloud Profile provides guidance to financial institutions and CSPs on commonly understood responsibilities related to cloud deployment across software-as-a-service, platform-as-a-service, and infrastructure-as-a-service delivery models.

“Financial regulators need clear, consistent, and timely information on firms’ relationships with their third parties. The Cloud Profile helps clarify where a firm’s responsibilities end and a cloud service provider’s responsibilities begin,” said Chris Feeney, Executive Vice President of BPI and President of BPI-BITS. “A common understanding of cybersecurity controls for cloud implementation that has been developed, vetted, and accepted by firms and CSPs is a sound approach in ensuring our financial sector is more secure.”

This guidance is designed to enable financial institutions and CSPs to come to contractual understanding more easily and should also facilitate more streamlined and secure processes for deploying cloud services.

“We are very happy to work with a like-minded organization such as CRI, and we are excited about these initial results. The Cloud Profile extension brings together the CRI Profile with the security controls and security shared responsibility model of the CSA Cloud Controls Matrix v4.0. This represents a very powerful tool to support financial institutions in building a cloud security governance and compliance program that can meet their strict sectorial requirements,” said Daniele Catteddu, Chief Technology Officer, Cloud Security Alliance.

CRI, CSA, and BPI will continue working on ways to leverage this joint framework and look forward to greater collaboration.

About Cyber Risk Institute.

The Cyber Risk Institute (CRI) is a not-for-profit coalition of financial institutions and trade associations. We’re working to protect the global economy by enhancing cybersecurity and resiliency through standardization. https://cyberriskinstitute.org/ *The CRI Profile is the successor to the Financial Services Sector Coordinating Council (FSSCC) Cybersecurity Profile, a NIST and IOSCO based approach to assessing cybersecurity in the financial services industry.

About Bank Policy Institute.

The Bank Policy Institute (BPI) is a nonpartisan public policy, research and advocacy group, representing the nation’s leading banks and their customers. Our members include universal banks, regional banks and the major foreign banks doing business in the United States. Collectively, they employ almost 2 million Americans, make nearly half of the nation’s small business loans, and are an engine for financial innovation and economic growth.

About Cloud Security Alliance.

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA’s activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at www.cloudsecurityalliance.org.