Cybersecurity Advisory – NIST Releases Version 2.0 of its Cybersecurity Framework

The Cyber and Analytics Unit (CAU) within FINRA’s Member Supervision program is highlighting recent updates to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0, which is a resource designed to help organizations manage and reduce cybersecurity risks, regardless of their degree of cybersecurity sophistication.

This Advisory does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve members of any existing obligations under federal securities laws and regulations. Members may consider the information in this Advisory in developing new, or modifying existing, practices that are reasonably designed to achieve compliance with relevant regulatory obligations based on a member’s size and business model.

Key updates in CSF 2.0 reflect: 

• An aim to help organizations in any sector manage and reduce cybersecurity risks, not just organizations the NIST considers “critical infrastructure organizations.”
• A new financial sector Community Profile, providing an implementation roadmap for organizations in the financial industry.
• A Quick Start Guide for Small Businesses that is designed for organizations with limited cyber resources.
• A new focus on governance, supply chain risks and emerging technologies (e.g., Artificial Intelligence).

CSF 1.0 was published in 2014 in response to Executive Order 13636: Improving Critical Infrastructure Cybersecurity, which called for the development of a risk-based framework to help critical infrastructure organizations manage cyber risks.  CSF 2.0 provides all organizations with a pragmatic methodology to help identify, mitigate and manage cyber risks.  The main components of the framework include:

• CSF Core:  a set of cybersecurity outcomes—arranged by function, category and subcategory—that break down complex cyber risks into manageable terms. For example, these outcomes are categorized into six high-level functions:
  • Govern – cyber risk management strategies, expectations and policies are established, communicated and monitored.
  • Identify – current cyber risks are understood.
  • Protect – safeguards to manage cyber risks are utilized. 
  • Detect – potential cyberattacks are identified and evaluated.
  • Respond – actions are taken regarding detected cyberattacks.
  • Recover – operations impacted by a cyberattack are restored.
• CSF Organizational Profiles:  describe an organization’s current and target cybersecurity posture based on business objectives, risk appetite and requirements.
• CSF Tiers:  internal benchmarks indicating an organization’s cyber risk management capabilities, including Tier 1 (Partial), Tier 2 (Risk-Informed), Tier 3 (Repeatable) and Tier 4 (Adaptive).
• Informative References: a broad set of current global policies, standards, guidelines, frameworks and regulations mapped to the framework’s six functions, 22 categories and 106 subcategories.

It is important for firms to regularly review and update their cybersecurity and technology management policies, procedures and controls to ensure customer information and firm data are adequately protected, as well as to help ensure compliance with relevant regulatory obligations (e.g., Regulation S-P,[1] Regulation S-ID and FINRA Rules 3110 and 3120).

General guidance for members on cybersecurity issues can be found in the Cybersecurity and Technology Management section of the 2024 FINRA Annual Regulatory Oversight Report. Comprehensive firm guidance and resources can be found on FINRA’s Cybersecurity Key Topic Page.

Questions related to this Advisory or other cybersecurity topics can be emailed to the CAU.

1 On May 16, the SEC announced the adoption of amendments to Regulation S-P. For additional information, refer to the SEC’s Final Rule Release and FACT Sheet.