NIST Cybersecurity Framework Updates: What Financial Services Leaders Need to Know

MARCH 7TH, 2023

On its website, the National Institute of Standards and Technology (NIST) calls out financial services as vital to our nation’s critical infrastructure, one of 16 sectors considered as such. Financial IT leaders tasked with ensuring the protection of their institution’s assets—measured today in both data and dollars—look to NIST as a vital source for guidance regarding cybersecurity.

That’s why we took notice last month when NIST published a concept paper seeking input on the Cybersecurity Framework (CSF) updates. The CSF was “developed based on existing standards, guidelines, and practices to better manage and reduce cybersecurity risk.” Released in 2014 and updated in 2018, CSF is widely used by financial services organizations—both in the U.S. and worldwide—to develop and mature their cybersecurity programs. Many applaud this coming update, given the pace of change in cyber threats and mitigations made possible by new technologies.

Increase International Collaboration and Engagement

Since many financial services organizations do business worldwide, NIST’s stated intention to increase collaboration with other nations is a welcome update. NIST also notes its ongoing work with the International Organization for Standardization (ISO), where several documents refer to the CSF.  

Alignment With Other Frameworks

One section of the concept paper that is of particular interest covers the update to “relate the CSF clearly to other NIST frameworks.” These include the Risk Management Framework, the Privacy Framework, the National Initiative for Cybersecurity Education Workforce Framework for Cybersecurity, and the Secure Software Development Framework. These frameworks will be referenced in the updated framework or related materials. That should help the various teams in financial services organizations better coordinate their cybersecurity efforts.

Vendor Neutrality Without Ignoring Cybersecurity Best Practices

The concept paper notes that CSF will remain technology- and vendor-neutral but also says that NIST recognizes that the technology landscape has changed dramatically since 2018. With that in mind, NIST is working with the community to develop descriptions for configuring or enabling security features within the technology that provide the required protections. Zero trust is central to this discussion, with NIST participating in the Zero Trust Architecture (ZTA) Project. In the concept paper, NIST clarifies that ZTA “supports the outcomes outlined in the CSF to secure environments.”

Cybersecurity Can’t Wait

When complete, which is projected for 2024, the updated CSF will help those responsible for data resiliency in financial organizations implement more effective solutions. For immediate help with financial services best practices and standards that mitigate cybersecurity and privacy risks, check out NIST’s National Cybersecurity Center of Excellence. There you’ll find security guidance for IT asset management, access rights management, and privileged account management specifically for the financial services sector.

Data Resiliency Is Crucial to Cybersecurity Success

Humans are involved in 82 percent of breaches, according to the Verizon 2022 Data Breach Investigations Report. And 55 percent of financial services organizations were hit by ransomware attacks in 2022, with the ransom paid increasing by 52 percent over the same period.

No technology can prevent every cyberattack. That’s why you must focus on data resiliency if you’re responsible for your organization’s privacy and protection practices. Data resiliency ensures your organization’s data is always available and accessible, even if a ransomware attack, data breach, hardware failure, or natural disaster strikes. Data resiliency means your organization can keep moving forward, no matter what.

Immutability Is One Key to Data Resiliency

Arcserve offers software and hardware solutions that employ immutable backup storage to ensure data resiliency. Immutable backups are saved in a write-once-read-many-times format that can’t be altered or deleted. Arcserve Unified Data Protection (UDP) delivers immutability across environments, supporting Amazon S3 Object Lock, while Arcserve OneXafe offers immutable network-attached storage for unstructured data and backup targets.

Expert Guidance Makes a Difference

Arcserve technology partners’ business depends on their ability to stay on top of cybersecurity and data resiliency trends, from NIST updates to the latest threats. They can help you navigate the complexities of today’s cybersecurity and data resiliency requirements and better protect your data and your organization.

Find an expert Arcserve technology partner here.
