Shared Assessments Regulatory Hub

As the compliance and audit environment changes in ways that affect outsourcing relationships, Shared Assessments reviews, discusses, and responds to draft third-party regulatory guidance from state, federal, and international regulators. Scroll through this page to learn more about the regulations and standards that affect third-party risk management.

Timeline: Regulations Impacting Risk Management

2003 Federal Financial Institutions Examination Council (FFIEC) - IT Handbook, E-Banking
2004 Federal Financial Institutions Examination Council (FFIEC) - IT Handbook, Development and Acquisition
2004 Federal Financial Institutions Examination Council (FFIEC) - IT Handbook, Wholesale Payment Systems
2004 Federal Financial Institutions Examination Council (FFIEC) - IT Handbook, Outsourcing Technology Services
2010 International Organization for Standardization (ISO), ISO 26000 Guidance on Social Responsibility
2012 National Institute of Standards and Technology (NIST), SP 800-61 Rev. 2 Computer Security Incident Handling Guide
2012 Federal Financial Institutions Examination Council (FFIEC) - IT Handbook, Audit
2012 Federal Financial Institutions Examination Council (FFIEC) - IT Handbook, Supervision of Technology Service Providers
2013 Monetary Authority of Singapore (MAS), Technology Risk Management Guidelines
2013 International Organization for Standardization (ISO), ISO/IEC 27001 Information Security Management Systems - Requirements
2013 International Organization for Standardization (ISO), ISO/IEC 27002 Code of Practice for Information Security Controls
2015 National Institute of Standards and Technology (NIST), SP 800-82 Rev. 2 Guide to Industrial Control Systems (ICS) Security
2015 North American Electric Reliability Corporation (NERC), CIP-014-2 Physical Security
2015 Federal Financial Institutions Examination Council (FFIEC) - IT Handbook, Management
2016 North American Electric Reliability Corporation (NERC), CIP-004-6 Cyber Security - Personnel & Training
2016 North American Electric Reliability Corporation (NERC), CIP-006-6 Cyber Security - Physical Security of BES Cyber Systems
2016 North American Electric Reliability Corporation (NERC), CIP-009-6 Cyber Security - Recovery Plans for BES Cyber Systems
2016 North American Electric Reliability Corporation (NERC), CIP-007-6 Cyber Security - Systems Security Management
2016 North American Electric Reliability Corporation (NERC), CIP-011-2 Cyber Security - Information Protection
2016 Federal Financial Institutions Examination Council (FFIEC) - IT Handbook, Retail Payment Systems
2016 EU Parliament/Council of the European Union, General Data Protection Regulation (GDPR), Regulation (EU) 2016/679
2016 Federal Financial Institutions Examination Council (FFIEC) - IT Handbook, Information Security
2016 National Institute of Standards and Technology (NIST), SP 800-184 Guide for Cybersecurity Event Recovery
2016 North American Electric Reliability Corporation (NERC), CIP-002-5.1a Cyber Security - BES Cyber System Categorization
2017 Federal Financial Institutions Examination Council (FFIEC), Cybersecurity Assessment Tool (CAT)
2017 Open Web Application Security Project (OWASP), Top 10
2017 New York State Department of Financial Services (NYDFS), 23 NYCRR 500 Cybersecurity Requirements for Financial Services Companies
2018 International Society of Automation (ISA), ISA-62443-4-1 Secure Product Development Lifecycle Requirements
2018 International Society of Automation (ISA), ISA-62443-4-2 Technical Security Requirements for IACS Components
2018 European Commission, Payment Services Directive (PSD2), Directive (EU) 2015/2366
2018 National Institute of Standards and Technology (NIST), Framework for Improving Critical Infrastructure Cybersecurity v1.1
2018 Payment Card Industry Security Standards Council (PCI SSC), PCI DSS v3.2.1 Requirements and Security Assessment Procedures
2018 North American Electric Reliability Corporation (NERC), CIP-005-6 Cyber Security - Electronic Security Perimeter(s)
2018 North American Electric Reliability Corporation (NERC), CIP-010-3 Cyber Security - Configuration Change Management and Vulnerability Assessments
2018 North American Electric Reliability Corporation (NERC), CIP-013-1 Cyber Security - Supply Chain Risk Management
2018 California Legislature, California Consumer Privacy Act of 2018 (CCPA)
2018 US General Services Administration (GSA), FedRAMP Security Controls Baseline
2019 North American Electric Reliability Corporation (NERC), CIP-008-6 Cyber Security - Incident Reporting and Response Planning
2019 European Banking Authority (EBA), Guidelines on Outsourcing Arrangements
2019 Parliament of Canada, Personal Information Protection and Electronic Documents Act (PIPEDA)
2019 North American Electric Reliability Corporation (NERC), CIP-003-8 Cyber Security - Security Management Controls
2019 Australian Prudential Regulation Authority (APRA), Prudential Standard CPS 234 Information Security
2019 Cloud Security Alliance (CSA), Cloud Controls Matrix (CCM) v3.0.1
2019 International Organization for Standardization (ISO), ISO/IEC 27701 Extension to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management
2019 Federal Financial Institutions Examination Council (FFIEC) - IT Handbook, Business Continuity Management
2020 National Institute of Standards and Technology (NIST), Privacy Framework v1.0
2020 Federal Financial Institutions Examination Council (FFIEC), Statement on Pandemic Planning
2020 California Legislature, California Privacy Rights Act of 2020 (CPRA)
2020 Cloud Security Alliance (CSA), Consensus Assessment Initiative Questionnaire (CAIQ) v3.1
2020 National Institute of Standards and Technology (NIST), SP 800-53 Rev. 5 Security and Privacy Controls for Information Systems and Organizations
2021 Monetary Authority of Singapore (MAS), Technology Risk Management Guidelines
2021 Federal Financial Institutions Examination Council (FFIEC) - IT Handbook, Architecture, Infrastructure, and Operations
2021 Cloud Security Alliance (CSA), Cloud Controls Matrix (CCM) v4.0.4
2021 Open Web Application Security Project (OWASP), Application Security Verification Standard (ASVS) v4.0.3
2021 New York State Department of Financial Services (NYDFS), Guidance for New York Domestic Insurers on Managing the Financial Risks from Climate Change
2021 Open Web Application Security Project (OWASP), Top 10
2021 Cloud Security Alliance (CSA), Consensus Assessment Initiative Questionnaire (CAIQ) v4.0.2
2022 International Organization for Standardization (ISO), ISO/IEC 27002:2022 Information Security, Cybersecurity and Privacy Protection - Information Security Controls
2022 Health Information Trust Alliance (HITRUST), Common Security Framework (CSF) v9.6.0
2023 US Department of Justice (DOJ), Guidance on the Evaluation of Corporate Compliance Programs
2023 Center for Internet Security (CIS), Controls v8
2023 German Supply Chain Act (Lieferkettensorgfaltspflichtengesetz, LkSG)
2023 Digital Operational Resilience Act (DORA)
2024 EU Directive on Corporate Sustainability Due Diligence

FFIEC IT Examination Handbook - E-Banking, August 2003

The booklet primarily discusses e-banking risks from the perspective of the services or products provided to customers. This approach differs from other booklets that discuss risks from the perspective of the technology and systems that support automated information processing. To avoid duplication of material, this booklet refers the reader to other IT Handbook booklets for detailed explanations of technology-specific issues or controls.

FFIEC IT Examination Handbook - Development and Acquisition, April 2004

The development, acquisition, and maintenance process includes numerous risks. Effective project management influences operational risks (also referred to as transactional risks). These risks include the possibility of loss resulting from inadequate processes, personnel, or systems. Losses can result from errors; fraud; or an inability to deliver products or services, maintain a competitive position, or manage information.

FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004

This booklet is organized into the following four sections describing the various aspects of wholesale payment systems, followed by examination procedures, a glossary, a discussion of the legal framework for interbank payment systems, a discussion of the Federal Reserve Board’s Payments System Risk (PSR) Policy, and a discussion of the “Interagency Paper on Sound Practices to Strengthen the Resiliency of the U.S. Financial System.”

FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004

The Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook) “Outsourcing Technology Services Booklet” (booklet) provides guidance and examination procedures to assist examiners and bankers in evaluating a financial institution’s risk management processes to establish, manage, and monitor IT outsourcing relationships.

ISO 26000: 2010 Guidance on Social Responsibility

ISO 26000:2010 Guidance on Social Responsibility is intended to assist organizations in contributing to sustainable development. It encourages them to go beyond legal compliance, recognizing that compliance with the law is a fundamental duty of any organization and an essential part of its social responsibility.

Computer Security Incident Handling Guide, NIST SP 800-61, Rev. 2

Performing incident response effectively is a complex undertaking; establishing a successful incident response capability requires substantial planning and resources. This publication assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively. This publication provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident.

FFIEC IT Examination Handbook - Audit, April 2012

The audit program should address IT risk exposures throughout the institution, including the areas of IT management and strategic planning, data center operations, client/server architecture, local and wide-area networks, telecommunications, physical and information security, electronic banking, systems development, and business continuity planning. IT audit should also focus on how management determines the risk exposure from its operations and controls or mitigates that risk.

FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012

Supervisory policy provides for interagency examinations of technology service providers (TSPs) that serve insured financial institutions supervised by more than one federal financial institution regulator. The policy is expected to eliminate the need for separate examinations of TSPs by more than one regulator, resulting in more efficient use of examiner resources and less burden on the supervised TSP.

MAS Technology Risk Management Guidelines, June 2013

The Technology Risk Management Guidelines (the "Guidelines") set out risk management principles and best practice standards to guide financial institutions (FIs) in the following: establishing a sound and robust technology risk management framework; strengthening system security, reliability, resiliency, and recoverability; and deploying strong authentication to protect customer data, transactions and systems.

ISO/IEC 27001:2013 Information Technology - Security Techniques - Information Security Management Systems - Requirements

The ISO/IEC 27001 standard specifies, for organizations of any size and in any sector, the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). Conformity with ISO/IEC 27001 means that an organization has put in place a system to manage risks related to the security of data it owns or handles, and that this system follows the practices and principles set out in the International Standard. Certification is against the requirements clauses of 27001; the Annex A controls are selected by risk assessment and their implementation guidance lives in ISO/IEC 27002.

ISO/IEC 27002:2013 Information Technology - Security Techniques - Code of Practice for Information Security Controls

ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices, including the selection, implementation and management of controls, taking into consideration the organization's information security risk environment(s).

Guide to Industrial Control Systems (ICS) Security, NIST SP 800-82 Rev. 2

This document provides guidance on how to secure Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements.

NERC Critical Infrastructure Protection Standards, CIP-014-2 - Physical Security

CIP-014-2 requires applicable Transmission Owners and Transmission Operators to identify and protect those transmission stations, transmission substations, and their associated primary control centers that, if rendered inoperable or damaged as a result of a physical attack, could result in widespread instability, uncontrolled separation, or Cascading within an Interconnection. Unlike voluntary guidance, the NERC CIP standards are mandatory and enforceable reliability standards for the registered entities to which they apply.

FFIEC IT Examination Handbook - Management, November 2015

IT management is critical to the performance and success of a financial institution. IT risk management (ITRM) involves more than containing costs and controlling operational risks, and it does not work in isolation. A financial institution capable of aligning its IT infrastructure to support its business strategy adds value to the institution and positions itself for sustained success. Financial institutions face many challenges in today's marketplace, including cybersecurity threats, which increase the need for effective IT management and ITRM.

NERC Critical Infrastructure Protection Standards, CIP-004-6 - Cyber Security - Personnel & Training

Standard CIP-004 exists as part of a suite of CIP Standards related to cyber security, which require the initial identification and categorization of BES Cyber Systems and require a minimum level of organizational, operational, and procedural controls to mitigate risk to BES Cyber Systems.

NERC Critical Infrastructure Protection Standards, CIP-006-6 - Cyber Security - Physical Security of BES Cyber Systems

This standard addresses the operational and physical controls required for a physical security plan, a visitor control program, and a maintenance and testing program for the physical access control systems that protect BES Cyber Systems.

NERC Critical Infrastructure Protection Standards, CIP-009-6 - Cyber Security - Recovery Plans for BES Cyber Systems

To recover reliability functions performed by BES Cyber Systems by specifying recovery plan requirements in support of the continued stability, operability, and reliability of the BES.

NERC Critical Infrastructure Protection Standards, CIP-007-6 - Cyber Security - Systems Security Management

To manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems against compromise that could lead to mis-operation or instability in the Bulk Electric System (BES).

NERC Critical Infrastructure Protection Standards, CIP-011-2 - Cyber Security - Information Protection

To prevent unauthorized access to BES Cyber System Information by specifying information protection requirements in support of protecting BES Cyber Systems against compromise that could lead to mis-operation or instability in the Bulk Electric System (BES).

FFIEC IT Examination Handbook - Retail Payment Systems, April 2016

The FFIEC IT Examination Handbook (IT Handbook), “Retail Payment Systems Booklet” (booklet), provides guidance to examiners, financial institutions, and technology service providers (TSPs) on identifying and controlling risks associated with retail payment systems and related banking activities.

Regulation (EU) 2016/679 General Data Protection Regulation (GDPR)

This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. It applies from 25 May 2018.

FFIEC IT Examination Handbook - Information Security, September 2016

Information security is the process by which a financial institution protects the creation, collection, storage, use, transmission, and disposal of sensitive information, including the protection of hardware and infrastructure used to store and transmit such information. Information security promotes the commonly accepted objectives of confidentiality, integrity, and availability of information and is essential to the overall safety and soundness of an institution. Information security exists to provide protection from malicious and non-malicious actions that increase the risk of adverse effects on earnings, capital, or enterprise value.

Guide for Cybersecurity Event Recovery, NIST SP 800-184

This publication provides tactical and strategic guidance on the planning, playbook development, testing, and improvement of recovery planning. It also provides an example scenario that demonstrates the guidance, and informative metrics that may be helpful for improving the resilience of information systems.

NERC Critical Infrastructure Protection Standards, CIP-002-5.1a - Cyber Security - BES Cyber System Categorization

To identify and categorize BES Cyber Systems and their associated BES Cyber Assets for the application of cyber security requirements commensurate with the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES.

FFIEC Cybersecurity Assessment Tool (CAT), May 2017

In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (Assessment), on behalf of its members, to help institutions identify their risks and determine their cybersecurity maturity. The Assessment consists of two parts: the Inherent Risk Profile and Cybersecurity Maturity. The Inherent Risk Profile identifies the institution's inherent risk before controls are implemented.

OWASP Top 10, 2017

This major update adds several new issues, including two selected by the community: A8:2017-Insecure Deserialization and A10:2017-Insufficient Logging and Monitoring. Two key differentiators from previous OWASP Top 10 editions are the substantial community feedback and the extensive data assembled from dozens of organizations (possibly the largest amount of data ever assembled in the preparation of an application security standard).

23 NYCRR 500 Cybersecurity Requirements for Financial Services Companies

The New York State Department of Financial Services ("DFS") has been closely monitoring the ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors. Recently, cybercriminals have sought to exploit technological vulnerabilities to gain access to sensitive electronic data. Cybercriminals can cause significant financial losses for DFS-regulated entities as well as for New York consumers whose private information may be revealed and/or stolen for illicit purposes. The financial services industry is a significant target of cybersecurity threats. DFS appreciates that many firms have proactively increased their cybersecurity programs with great success.

ISA-62443-4-1:2018 Security for industrial automation and control systems - Part 4-1: Secure product development lifecycle requirements

ANSI/ISA-62443-4-1 specifies process requirements for the secure development of products used in industrial automation and control systems. It defines a secure development life-cycle (SDL) for the purpose of developing and maintaining secure products.

ISA-62443-4-2:2018 Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components

This part of the ISA-62443 series provides detailed technical component requirements (CRs) for control system components, associated with the seven foundational requirements (FRs) described in ISA-62443-1-1, including the requirements that define the capability security levels of components, SL-C(component).

Payment Services Directive (PSD2) Directive (EU) 2015/2366

This directive seeks to improve the existing EU rules for electronic payments. It takes into account emerging and innovative payment services, such as internet and mobile payments, and sets out the rights and obligations of users and providers of payment services.

Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1

The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. The Framework consists of three parts: the Framework Core, the Implementation Tiers, and the Framework Profiles. The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across sectors and critical infrastructure.

PCI Data Security Standard (DSS) Requirements and Security Assessment Procedures v3.2.1

PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all entities that store, process or transmit cardholder data – with requirements for software developers and manufacturers of applications and devices used in those transactions. The Council is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council: American Express, Discover Financial Services, JCB, MasterCard and Visa Inc.

NERC Critical Infrastructure Protection Standards, CIP-005-6 - Cyber Security - Electronic Security Perimeter(s)

To manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to mis-operation or instability in the BES.

NERC Critical Infrastructure Protection Standards, CIP-010-3 - Cyber Security - Configuration Change Management and Vulnerability Assessments

To prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to mis-operation or instability in the Bulk Electric System (BES).

NERC Critical Infrastructure Protection Standards, CIP-013-1 - Cyber Security - Supply Chain Risk Management

To mitigate cyber security risks to the reliable operation of the Bulk Electric System (BES) by implementing security controls for supply chain risk management of BES Cyber Systems.

California Consumer Privacy Act of 2018 (CCPA)

The CCPA regulations govern compliance with the California Consumer Privacy Act. They provide guidance to businesses on how to inform consumers of their rights under the CCPA, how to handle consumer requests, how to verify the identity of consumers making requests, and how to apply the law as it relates to minors.

FedRAMP Security Controls Baseline, 2018

The FedRAMP security controls baselines select and tailor the NIST SP 800-53 control catalog for cloud service offerings at the Low, Moderate and High impact levels. In the access control (AC) family, for example, access control policy and procedures address the controls that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance, so it is important that security and privacy programs collaborate on the development of access control policy and procedures.

NERC Critical Infrastructure Protection Standards, CIP-008-6 - Cyber Security - Incident Reporting and Response Planning

Its purpose is to mitigate the risk to the reliable operation of the BES resulting from a Cyber Security Incident by specifying incident response requirements.

EBA Guidelines on Outsourcing Arrangements

The EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02) apply from 30 September 2019 to credit institutions and investment firms subject to the Capital Requirements Directive, as well as to payment institutions and electronic money institutions. They set out how institutions should govern outsourcing arrangements, including assessing whether an outsourced function is critical or important, performing due diligence on the service provider, defining contractual requirements, and maintaining a register of all outsourcing arrangements.

Canada Personal Information Protection and Electronic Documents Act (PIPEDA)

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private-sector organizations. It sets out the ground rules for how businesses must handle personal information in the course of their commercial activity. Its long title describes it as an Act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions, and by amending the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act.

NERC Critical Infrastructure Protection Standards, CIP-003-8 - Cyber Security - Security Management Controls

To specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to mis-operation or instability in the Bulk Electric System (BES).

Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234 Information Security

This Prudential Standard aims to ensure that an APRA-regulated entity takes measures to be resilient against information security incidents (including cyberattacks) by maintaining an information security capability commensurate with its information security vulnerabilities and threats.

Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) v3.0.1

The CCM is a meta-framework of cloud-specific security controls, mapped to leading standards, best practices and regulations. It gives organizations structure, detail and clarity on information security tailored to cloud computing, and is widely treated as a de facto standard for cloud security assurance and compliance.

ISO/IEC 27701:2019 Security Techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management - Requirements and Guidelines

This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.

FFIEC IT Examination Handbook - Business Continuity Management, November 2019

The BCM booklet describes principles and practices for IT and operations for safety and soundness, consumer financial protection, and compliance with applicable laws and regulations. The BCM booklet also outlines BCM principles to help examiners evaluate how management addresses risk related to the availability of critical financial products and services. This booklet discusses BCM governance and its related components, including resilience strategies and plan development; training and awareness; exercises and tests; maintenance and improvement; and reporting for all levels of management, including the board of directors.

Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Version 1.0

The Privacy Framework is a tool developed in collaboration with stakeholders intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy.

FFIEC Statement on Pandemic Planning, March 2020

Pandemic preparedness is an important part of a financial institution’s business continuity planning. The guidance provides the Council’s prudent expectations that regulated institutions should periodically review related risk management plans, including continuity plans, to ensure their ability to continue to deliver their products and services in a wide range of scenarios and with minimal disruption.

California Privacy Rights Act of 2020

In enacting this Act, it is the purpose and intent of the people of the State of California to further protect consumers' rights, including the constitutional right of privacy. The implementation of this Act shall be guided by the following principles: consumer rights, the responsibilities of businesses, and implementation of the law.

Consensus Assessment Initiative Questionnaire (CAIQ) v3.1

The Consensus Assessments Initiative Questionnaire (CAIQ) v3.1 offers an industry-accepted way to document which security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency. It provides a set of Yes/No questions that a cloud consumer or cloud auditor may wish to ask of a cloud provider to ascertain its compliance with the Cloud Controls Matrix (CCM).

Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53 Rev. 5

This publication provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.

MAS Technology Risk Management Guidelines, January 2021

The aim of the MAS Technology Risk Management Guidelines (hereafter referred to as "the Guidelines") is to promote the adoption of sound and robust practices for the management of technology risk. The 2021 revision supersedes the June 2013 Guidelines listed above.

FFIEC IT Examination Handbook - Architecture, Infrastructure, and Operations, June 2021

This booklet discusses enterprise-wide, process-oriented approaches that relate to the design of technology within the overall business structure, implementation of IT infrastructure components, and delivery of services and value for customers.

Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) v4.0.4

The CSA Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing. It is composed of 197 control objectives structured in 17 domains covering all key aspects of cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation, and provides guidance on which security controls should be implemented by which actor within the cloud supply chain.

OWASP Application Security Verification Standard (ASVS) v4.0.3

The ASVS is a community-driven effort to establish a framework of security requirements and controls that defines the functional and non-functional security controls required when designing, developing and testing modern web applications and web services.

Guidance for New York Domestic Insurers on Managing the Financial Risks from Climate Change

DFS expects insurers to take a strategic approach to managing climate risks that considers both current and forward-looking risks and identifies actions required to manage those risks in a manner proportionate to the nature, scale, and complexity of insurers’ businesses.

OWASP Top 10, 2021

This installment of the Top 10 is more data-driven than ever but not blindly data-driven. We selected eight of the ten categories from contributed data and two categories from the Top 10 community survey at a high level. We do this for a fundamental reason, looking at the contributed data is looking into the past. AppSec researchers take time to find new vulnerabilities and new ways to test for them.

Consensus Assessment Initiative Questionnaire (CAIQ) v4.0.2

The CAIQ v4 is based on the CCM v4, which is composed of 197 control objectives structured in 17 domains covering all key aspects of cloud technology. The questionnaire turns each control objective into questions a cloud provider answers, so it can be used as a tool for the systematic assessment of a cloud implementation and shows which security controls should be implemented by which actor within the cloud supply chain.

ISO/IEC 27002:2022 Information Security, Cybersecurity and Privacy Protection - Information Security Controls

This document provides a reference set of generic information security controls, including implementation guidance. It is designed to be used by organizations: within the context of an information security management system (ISMS) based on ISO/IEC 27001; for implementing information security controls based on internationally recognized best practices; and for developing organization-specific information security management guidelines.

HITRUST Common Security Framework (CSF) v9.6.0

The HITRUST CSF provides the structure, transparency, guidance, and cross-references to authoritative sources that organizations globally need to be certain of their data protection compliance. The initial development of the HITRUST CSF leveraged nationally and internationally accepted security and privacy-related regulations, standards, and frameworks, including ISO, NIST, PCI, HIPAA, and GDPR, to ensure a comprehensive set of security and privacy controls, and it continually incorporates additional authoritative sources.

DOJ Guidance on the Evaluation of Corporate Compliance Programs

This document is meant to assist prosecutors in making informed decisions as to whether, and to what extent, the corporation’s compliance program was effective at the time of the offense, and is effective at the time of a charging decision or resolution, for purposes of determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).

CIS Controls v8

The CIS Critical Security Controls (CIS Controls) are a prioritized set of Safeguards to mitigate the most prevalent cyber-attacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory, and policy frameworks. CIS Controls v8 has been enhanced to keep up with modern systems and software.

Act on Corporate Due Diligence Obligations in Supply Chains

The Act on Corporate Due Diligence Obligations in Supply Chains (Lieferkettensorgfaltspflichtengesetz, LkSG) places enterprises that have their central administration, principal place of business, administrative headquarters, statutory seat or branch office in Germany under the obligation to respect human rights by implementing defined due diligence obligations.

The core elements of the due diligence obligations include the establishment of a risk management system to identify, prevent or minimise the risks of human rights violations and damage to the environment. The Act sets out the necessary preventive and remedial measures, makes complaint procedures mandatory and requires regular reports.

Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is an EU regulation that entered into force on 16 January 2023 and will apply as of 17 January 2025.

It aims at strengthening the IT security of financial entities such as banks, insurance companies and investment firms and making sure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption.

DORA harmonises the rules relating to operational resilience for the financial sector, applying to 20 different types of financial entities and to ICT third-party service providers.

2024 Directive On Corporate Sustainability Due Diligence

Fostering sustainable and responsible corporate behaviour for a just transition towards a sustainable economy.

On 23 February 2022, the European Commission adopted a proposal for a Directive on corporate sustainability due diligence. On 24 May 2024, the Council of the European Union approved the political agreement, thereby completing the adoption process. The aim of this Directive is to foster sustainable and responsible corporate behaviour in companies’ operations and across their global value chains. The new rules will ensure that companies in scope identify and address adverse human rights and environmental impacts of their actions inside and outside Europe.

Regulatory Responses

U.S. Department of the Treasury: Uses, Opportunities, and Risks of Artificial Intelligence in the Financial Services Sector

The U.S. Department of the Treasury issued a Request for Information (RFI) seeking input on the uses, opportunities, and risks associated with the development and application of artificial intelligence (AI) within the financial services sector. The RFI aims to gather insights from a wide range of stakeholders, including financial institutions, consumer advocates, and technology providers, to better understand how AI is being integrated into financial services and the potential implications for security, innovation, and consumer protection. Shared Assessments provided detailed answers to questions 15, 16, and 17, which focus specifically on third-party risk management (TPRM) in the context of AI. These questions address the challenges financial institutions face in managing risks related to the use of AI developed or provided by third-party vendors, the specific concerns over data confidentiality, and the enhancements necessary in operational risk management frameworks to ensure resilience in AI-driven operations. The response highlights the importance of robust TPRM practices to mitigate these emerging risks and ensure that AI technologies are implemented securely and effectively within the financial sector.

CP26/23 – Operational resilience: Critical third parties to the UK financial sector – Bank of England Prudential Regulation Authority and the Financial Conduct Authority (FCA) Joint Consultation Paper 26/23 | FCA Consultation Paper 23/30

This consultation paper (CP) is issued jointly by the Prudential Regulation Authority (PRA), the Financial Conduct Authority (FCA), and the Bank of England (Bank) (collectively ‘the regulators’). It sets out the proposed requirements to be established in rules and accompanying expectations for critical third parties (CTPs). For the purpose of this CP, a CTP is an entity that will be designated by HM Treasury (HMT) by a regulation made in exercise of the power in section 312L(1) of the Financial Services and Markets Act 2000 (FSMA) as amended by the Financial Services and Markets Act 2023 (FSMA 2023). Shared Assessments appreciates the opportunity to submit comments to the Bank of England Prudential Regulation Authority and the Financial Conduct Authority joint Consultation Paper on Operational Resilience: Critical Third Parties to the UK Financial Sector.

Financial Stability Board Consultative Document FSB 622-23. Enhancing Third-Party Risk Management and Oversight: A toolkit for financial institutions and financial authorities

The FSB invited comments on the toolkit it has developed for financial authorities and financial institutions as well as service providers for their third-party risk management and oversight. The toolkit also aims to reduce fragmentation in regulatory and supervisory approaches across jurisdictions and different areas of the financial services sector, thereby helping mitigate compliance costs for both financial institutions and third-party service providers, and facilitate coordination among relevant stakeholders. Financial institutions rely on third-party service providers for a range of services, some of which support their critical operations. These dependencies have grown in recent years as part of the digitalisation of the financial services sector and can bring multiple benefits to financial institutions including flexibility, innovation and improved operational resilience. However, if not properly managed, disruption to critical services or service providers could pose risks to financial institutions and, in some cases, financial stability. The importance of cross-border supervisory cooperation and information sharing is underscored and the toolkit sets out certain ways to explore greater convergence of regulatory and supervisory frameworks around systemic third-party dependencies, options for greater cross-border information-sharing, and cross-border resilience testing and exercises.

NYS-DFS Proposed 2nd Amendment to 23 NYCRR 500 Cybersecurity Requirements for Financial Services Companies

Effective March 1, 2017, the Superintendent of Financial Services promulgated 23 NYCRR Part 500, a regulation establishing cybersecurity requirements for financial services companies. The individuals and entities required to comply with the Cybersecurity Regulation include, but are not limited to, partnerships, corporations, branches, agencies, and associations operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law. Here, Shared Assessments responds to an amendment to the original regulation with recommendations and reasoning.

U.S. Securities and Exchange Commission 17 CFR Parts 275 and 279: Proposed Rule § 275.206(4)-11 [Release Nos. IA-6176; File No. S7-25-22] RIN 3235-AN18—Outsourcing by Investment Advisers

The Securities and Exchange Commission is proposing a new rule under the Investment Advisers Act of 1940 to prohibit registered investment advisers (“advisers”) from outsourcing certain services or functions without first meeting minimum requirements. The proposed rule would require advisers to conduct due diligence prior to engaging a service provider to perform certain services or functions. It would further require advisers to periodically monitor the performance and reassess the retention of the service provider in accordance with due diligence requirements to reasonably determine that it is appropriate to continue to outsource those services or functions to that service provider. We also are proposing corresponding amendments to the investment adviser registration form to collect census-type information about the service providers defined in the proposed rule. In addition, we are proposing related amendments to the Advisers Act books and records rule, including a new provision requiring advisers that rely on a third party to make and/or keep books and records to conduct due diligence and monitoring of that third party and obtain certain reasonable assurances that the third party will meet certain standards.

UK Prudential Regulatory Authority Operational Resilience DP3/22 Discussion Paper

The UK financial sector is a complex, interconnected system in which financial services firms and financial market infrastructure firms (FMIs) increasingly rely upon third-party services to support their operations. Technology services such as cloud computing and data analytics can bring multiple benefits – enabling digital transformation, catalysing innovation, and providing greater resilience than firms’ and FMIs’ own technology infrastructure. However, this increasing reliance on third parties also poses growing risks. This discussion paper sets out how the supervisory authorities could use their proposed powers in the FSM Bill to assess and strengthen the resilience of services provided by critical third parties (CTPs) to firms and FMIs, thereby reducing the risk of systemic disruption. Shared Assessments responds to the discussion.

Proposed Interagency Guidance on Third-Party Relationships: Risk Management; Docket No. OP-1752 (Board), FDIC RIN 3064-ZA026 (FDIC), Docket ID OCC-2021-0011 (OCC)

The Board, FDIC, and OCC (together, the agencies) invite comment on proposed guidance on managing risks associated with third-party relationships. The proposed guidance would offer a framework based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships that takes into account the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship. The proposed guidance sets forth considerations with respect to the management of risks arising from third-party relationships. The proposed guidance would replace each agency’s existing guidance on this topic and would be directed to all banking organizations supervised by the agencies.