Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework
EXECUTIVE SUMMARY

Our observations:
1. AIs in each group appear to have a similar risk score. While the risk classifications are mixed, inherent risk scores and percentage scores within a group are mostly similar.
2. On examining the key characteristics of the groups, we found that the overarching difference among the three groups lies in their service provision and overall size, perhaps in terms of the number of staff, assets or total amount of client deposits.
3. While we cannot conclusively say how the type of AI affects its risk level, the clustering result suggests that an AI's overall risk may be closely related to its business nature and target audience.

II. KEY FINDINGS OF MATURITY ASSESSMENT (MA)

The inherent risk levels of the AIs identified in the IRA process are mapped to the required maturity levels of cyber resilience: Baseline, Intermediate and Advanced. Each AI assessed the security controls applicable to its corresponding maturity level.

INHERENT RISK LEVEL    MATURITY LEVEL
Low                    Baseline
Medium                 Intermediate
High                   Advanced

Not All AIs Reach Required Maturity Levels

Overall, we found that not all the AIs have reached their required maturity level. Gaps were identified in their cybersecurity measures, and there are areas where they can improve to enhance cyber resilience. The AIs conducted the assessment under the seven domains of the MA: Governance, Identification, Protection, Detection, Response and Recovery, Situational Awareness and Third-party Risk Management.

Our observations:
1. High-risk AIs have adopted almost all security controls and hence show a high attainment rate of cybersecurity measures across all three maturity levels.
2. Medium-risk AIs perform less well. Their underperformance mostly comes from the Governance, Protection and Third-party Risk Management domains.
3. Low-risk AIs have mixed results. They are mostly on target in Protection, Situational Awareness, Response and Recovery and Third-party Risk Management. However, they do not meet the minimum standard in the three other domains (Governance, Identification and Detection), which relate to governance and the internal environment.

Common Strengths and Weaknesses

Each domain comprises a number of components. We have identified the best and worst performing maturity components to reflect the strengths and weaknesses of AIs in taking cybersecurity measures.

Best Performing Components                  Attainment rate
Data Security                               99.1%
Incident Management                         97.3%
Escalation And Reporting                    96.7%
Access Control                              96.5%
Threat Monitoring And Analysis              96.3%
Response Planning                           95.8%

Worst Performing Components                 Attainment rate
Audit                                       90.8%
Anomalous Activity Detection                90.8%
Cyber Risk Identification And Assessment    89.1%
External Connections                        88.2%
Ongoing Monitoring On Third-party Risk      84.9%
Third-party Management                      82.9%

Our observations:
1. Data Security is the best performing component, with an attainment rate of over 99%, showing that all surveyed AIs have taken as many controls as possible to safeguard their sensitive information and data.
2. Overall, the AIs do best under the Response and Recovery domain, three of whose components (Incident Management, Escalation and Reporting, and Response Planning) are among the best performing. This shows that most AIs perform well in implementing follow-up measures in case of a cybersecurity incident.
3. The average maturity attainment rate is over 80% for all of the worst performing components, which is an encouraging finding.

III. OVERALL RELATIONSHIP BETWEEN INHERENT RISK LEVEL AND MATURITY LEVEL

1. After a thorough investigation and analysis, we found a positive relationship between the AIs' inherent risk score and their maturity level: a higher overall risk tends to go with a higher maturity score in each domain.
2. Many medium-risk AIs have failed to reach their target maturity level. Their underperformance is not due to outliers but is a group-wide issue.
3. High-risk AIs are more mature than medium-risk AIs across many maturity domains, even though high-risk AIs have better track records in terms of cybersecurity threats and an equal or lower risk in many of the inherent risk domains.