Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework
CYBER RESILIENCE ASSESSMENT FRAMEWORK (C-RAF)

The Five Domains of the Inherent Risk Assessment

Domain: Technologies
Sample indicators:
• The number of Internet service provider connections connected to the corporate network
• Wholesale customers with dedicated connections

Domain: Delivery Channels
Sample indicators:
• Internet presence (customer)
• Automated Teller Machines (ATM) (operation)

Domain: Products and Technology Services
Sample indicators:
• Issue debit or credit cards
• Global remittances

Domain: Organizational Characteristics
Sample indicators:
• Total number of branches
• Changes in IT and cybersecurity staffing

Domain: Tracked Records on Cyber Threats
Sample indicators:
• Reported cyberattacks impacting the AI's Hong Kong businesses (last 12 months)

[ Exhibit 4 ] The five domains of inherent risk assessment and their sample indicators

The Seven Maturity Domains of the Maturity Assessment

Domain: Governance
Sample indicators:
• Cyber resilience oversight
• Strategy and policies

Domain: Identification
Sample indicators:
• IT asset identification
• Cyber risk identification and assessment

Domain: Protection
Sample indicators:
• Infrastructure protection controls
• Access control

Domain: Detection
Sample indicators:
• Vulnerability detection
• Anomalous activity detection

Domain: Response and Recovery
Sample indicators:
• Response planning
• Incident management

Domain: Situational Awareness
Sample indicators:
• Threat intelligence (information about emerging or existing threats)
• Threat intelligence sharing

Domain: Third-party Risk Management
Sample indicators:
• External connections
• Third-party management

[ Exhibit 5 ] The seven domains of maturity assessment and their sample indicators

Twenty-two AIs, including licensed banks, restricted licence banks and deposit-taking companies, participated in a survey that captured each AI's self-assessed classification and its detailed responses. For each IRA indicator, an AI selected one of "Low", "Medium" or "High" according to the thresholds set in the survey, and supplied supporting detail in writing and, where applicable, in figures. For the Maturity Assessment, an AI indicated whether each maturity control was met and described its implementation and any gaps noted. This allows us to analyse the categorical responses quantitatively and to examine the detailed responses for a more in-depth understanding.

CYBERSECURITY ASSESSMENT

Before we analyse the C-RAF assessment survey data, we first review the motivation, purpose, and state of cybersecurity regulation and assessment development. We then report on other popular cybersecurity assessment frameworks and tools, and draw a comparison with C-RAF.

Cybersecurity regulation can be broadly classified into three categories: (1) self-regulation, (2) co-regulation, and (3) statutory regulation, depending on the balance between government intervention and voluntary industry participation. Unlike co-regulation, which includes state participation and enforcement, self-regulation is carried out by non-hierarchical private actors, such as industry associations and organizations, that implement different mechanisms to regulate security practices within the industry. The involvement of these actors in fighting cybercrime and providing cybersecurity ranges from ad hoc collaboration upon police request to sustained self-regulation, for example private hotlines for reporting illegal content (Tropina & Callanan, 2015).

Another form of self-regulation is the alliance. Companies have started entering cybersecurity alliances of two kinds: operational alliances and normative alliances. Built around small groups of companies, an operational alliance shares information about cyberattacks and threats to raise the collective level of cybersecurity (Dobrygowski, 2019). Examples of such operational alliances include the Cyber Threat Alliance, the Global Cyber Alliance, and the Trusted Computing Group. A normative alliance, on the other hand, strives to proactively spur collective action in favour of digital peace and non-aggression. Normative alliances explicitly call for government support and for limits on the use of private systems and networks against citizens, especially by nation-states (Dobrygowski, 2019). The Charter of Trust, initiated by Siemens, and the Cybersecurity Tech Accord, originated by Microsoft and other leading technology companies, are two examples of normative alliances.