Artificial Intelligence (AI) is on everyone’s mind of late and is a concern for FI’s wanting to be proactive in addressing AI-related risks. The NIST Cybersecurity Framework (CSF) 2.0 doesn’t provide AI-specific guidelines, however, it encourages organizations of all types to adapt and enhance their cybersecurity practices to address the evolving AI-related risk environment. 

Specifically for FIs, this requires visibility into existing third-party relationships and products/services that may incorporate AI. Incorporating AI use-related questions into your due diligence strategies for third parties is a great start. For example, many core providers utilize AI in fraud detection software solutions. This is in addition to specifying standards for internal employees when entering NPI and proprietary information into MS Copilot, Chat GBT, etc. In general, FIs should incorporate AI considerations into their IT/IS risk assessment, threat modeling, and security control strategies to safeguard against potential vulnerabilities and threats associated with AI systems. Until federal regulatory agencies provide more definitive guidance, efforts to address AI risk will require an evolving and flexible best practices approach. In the interim, keeping your eyes and ears open to change and engaging trusted TSPs and Compliance advisors can help assist your organization with proactive strategies to address this evolving arena of risk. 

The CSF 2.0 framework provides a comprehensive approach for understanding, assessing, prioritizing, and communicating cybersecurity risks. This starts with creating CSF Organizational Profiles that describe an institution’s current and target cybersecurity postures. By leveraging CSF Tiers, community banks and credit unions can gauge the maturity of their cybersecurity risk management practices:

• Tiers: Ranging from Tier 1 (Partial) to Tier 4 (Adaptive), Tiers help describe how formally and rigorously an organization manages cybersecurity risks.

Profiles and Tiers encourage a systematic method for identifying gaps between current and desired cybersecurity outcomes and prioritizing actions for improvement.

NIST provides an expansive suite of online resources to assist in the adoption and use of CSF 2.0. These resources are continually updated and include:

• Informative References: Guidance linking CSF outcomes to established standards, guidelines, and regulations.
• Implementation Examples: Action-oriented steps to achieve specific cybersecurity outcomes.
• Quick Start Guides (QSGs): Brief, actionable documents aimed at facilitating the implementation of the CSF for various audiences and contexts.

These resources are accessible via the NIST CSF website and are invaluable for structuring and streamlining cybersecurity efforts.

One of the key strengths of CSF 2.0 is its capacity to improve risk communication within and outside an organization. The framework provides a common language that facilitates better communication between executives, managers, and practitioners. By aligning cybersecurity activities with strategic business objectives, community banks and credit unions can ensure that cyber risks are effectively communicated and managed at all organizational levels. The standardized terminology and structured approach aid in making informed decisions about cybersecurity expenditures and actions, whether for internal governance or third-party oversight.

CSF 2.0 is designed to complement existing frameworks and risk management programs, including enterprise risk management (ERM). It aids in translating cybersecurity terminology into a general risk management language that executives can understand, making it easier to integrate cybersecurity into the broader risk management portfolio. The resources below can guide on choosing frameworks and tools and achieving integration:

• NIST Interagency Report (IR) 8286
• Cybersecurity Framework (CSF) 2.0
• Cybersecurity Resource Guide for Financial Institutions, September 2022 (Revised November 2022) (ffiec.gov)
• Beyond the FFIEC CAT (safesystems.com)