Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework

INTRODUCTION

Cybersecurity is a growing concern worldwide across sectors. According to a McAfee report, the global loss from cybercrime was estimated at approximately US$945 billion in 2020.[1] Spending on cybersecurity was expected to exceed US$145 billion in the same year, bringing the total cost related to cybercrime to more than US$1 trillion. Despite these figures, the same report finds that only a minority of organizations have plans in place to prevent and respond to information technology security incidents. In the 2020 "SSH Hong Kong Enterprise Cyber Security Readiness Index" survey, Hong Kong companies' overall cybersecurity readiness index fell by 2.4 points from the previous year to 46.9 out of 100.[2] Financial services firms were the most vigilant performers, yet they scored only 62.9.

[Exhibit 1] Global loss and cost from cybercrime. (Figure: McAfee estimates the global loss from cybercrime at US$523 billion in 2018 and US$945 billion in 2020, an increase of about 80%, and puts the total cost of cybercrime since 2018 at over US$1 trillion.)

[Exhibit 2] SSH Hong Kong Enterprise Cyber Security Readiness Index. (Figure: overall index of 46.9 in 2020, down 2.4 points from 2019.)

Given the growing cybersecurity risks, the Hong Kong Monetary Authority (HKMA) has been working with the banking industry to oversee and monitor its handling and management of cybersecurity risks. In 2016, the HKMA launched the Cybersecurity Fortification Initiative (CFI), which comprises three components: (1) the Cyber Resilience Assessment Framework (C-RAF); (2) the Professional Development Programme (PDP); and (3) the Cyber Intelligence Sharing Platform (CISP). C-RAF is a risk-based cybersecurity assessment framework under which authorized institutions (AIs) assess their risk profiles and the maturity of their cybersecurity measures. Through this process, AIs are expected to better understand and continuously improve their cyber resilience.

C-RAF further comprises three stages:
• Inherent Risk Assessment (IRA)
• Maturity Assessment (MA)
• Intelligence-led Cyber Attack Simulation Testing (iCAST)

This report focuses on the Inherent Risk Assessment (IRA) and the Maturity Assessment (MA) under C-RAF, both of which are self-assessment exercises. The IRA ensures that AIs in Hong Kong are mindful of the intrinsic risks arising from their business size, scope, and variety of services. The MA ensures that AIs have security controls commensurate with their inherent risk levels. To provide some context, Exhibits 4 and 5 show a few examples of indicators (controls) for the five key domains of the Inherent Risk Assessment and the seven domains of the Maturity Assessment. We elaborate on the two assessments in later sections.

[Exhibit 3] Inherent risk assessment and maturity assessment introduction.
INHERENT RISK ASSESSMENT: the AIs perform an assessment across five domains to reflect their inherent risk level, which in turn determines the expected maturity level. Inherent risk level: Low / Medium / High.
MATURITY ASSESSMENT: a self-assessment form across seven domains to determine the actual maturity level of the AIs. Maturity level: Baseline / Intermediate / Advanced.

1. McAfee (2020). The Hidden Cost of Cybercrime. Available at https://www.mcafee.com/enterprise/en-us/assets/reports/rp-hidden-costs-of-cybercrime.pdf [accessed March 19, 2021].
2. HKCERT and SSH.com (2020). SSH Hong Kong Enterprise Cyber Security Readiness Index 2020 Survey. Available at https://events.hkpc.org/1613633199/SSH-HKECSRI2020.pdf [accessed March 19, 2021].
