Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework
EXECUTIVE SUMMARY

Correlation of Risk with Equity of AIs

We grouped the AIs by their size (total equity) to assess their risk level. The hypothesis is that larger AIs will show a higher inherent risk. Our observations:

1. All low-risk AIs are small, i.e. with total equity of less than HK$10 billion, despite showing high risk in the Organizational Characteristics domain.
2. As expected, the AIs' inherent risk level increases as their equity level goes up.
3. We expected large AIs to show high risk in the Technologies domain, since a larger IT estate is potentially harder to manage, but this turned out not to be the case.
4. The group with the highest total equity reported a lower level of suboptimal software systems and reliance on third parties than some of its smaller counterparts, hence a lower risk in the Technologies domain.
5. The risk from the Products and Technology Services domain is more salient for large- and medium-sized AIs. The high risk appears to be caused by the wide range of services these AIs offer.
6. The narrow gap in the Organizational Characteristics domain between low-risk AIs and their peers was partially caused by the lower number of cybersecurity staff at low-risk AIs.

Risk Indicator and Sub-domain Level

Each domain comprises a number of risk indicators that reflect various business and operational aspects of AIs. We found that the AIs' risk level depends partly on how widely applicable the risk indicators are. For risk indicators such as Prepaid Card Risk and Cloud Computing Services Risk, most AIs responded "Not Applicable", hence a low risk score. We further analyzed the risk indicators in detail to see how the risk varies between risk classes. To simplify the analysis, we grouped related indicators within a domain into sub-domains. Our observations:

1. When measured by percentage risk score, high- and medium-risk AIs have a high risk in Delivery Channels (domain) while low-risk AIs do not. The gap is mostly driven by a discrepancy in their mobile presence (sub-domain risk indicator), indicating that high- and medium-risk AIs offer a much wider range of mobile banking services than low-risk AIs.
2. The large gap in Technologies (domain) between high- and medium-risk AIs is mainly driven by third-party related risk (sub-domain risk indicator). This perhaps shows that firms with a high-risk classification use more third-party software/hardware or outsource more duties to vendors, making risk control more challenging.
3. The higher the risk class, the lower the cybersecurity staffing risk (sub-domain risk indicator). High-risk AIs outperform both low- and medium-risk peers, suggesting that AIs with higher risk might be more aware of their own cybersecurity risk and have hired appropriate professionals to mitigate it.

Correlation of Risk with Service Offerings by AIs

At the sub-domain level, we found that service provision accounts for a large gap between the risk groups. Hence, we conducted further analysis to investigate how service provision impacts risk level. Our observations:

1. Half of the surveyed AIs reported that they offer payment card services, ATM services, or both.
2. Many of the AIs provide both services, so the risk scores for the two services are closely linked. For the service-providing AIs, we found a high risk in their mobile presence.

These observations indicate that many risk indicators are interconnected, and they prompted our exploratory factor analysis, which is discussed in more detail in a later section of this report.

Correlation of Risk with AIs' Business Nature and Target Customers

To identify hidden characteristics among the AIs that are not directly captured in the IRA, we identified three groups of AIs using hierarchical cluster analysis. Group A is composed of low- and medium-risk AIs, Group B contains five medium-risk AIs and one high-risk AI, and Group C consists of AIs from all three risk classes.

Figure: Risk Score Comparison between Equity Size and Risk Class. Risk score by size (total equity): <$10bn (Low) 61; $10bn - $30bn (Medium) 89; >$30bn (High) 92.

Table: Top "Not Applicable" Risk Indicators, with the count shown in the chart: Prepaid Card Risk 20; Cloud Computing Services Risk 20; Host IT Services Risk 19; Merchant Acquirer Model Risk 16; Merchant Acquirer Merchant Risk 16.

Figure: Risk Class Proportion by Service Provided. Categories: Payment Card, ATM, Non-Payment Card, Non-ATM; each bar split by risk class (Low, Medium, High) on a 0% to 100% scale.