Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework
CYBER RESILIENCE ASSESSMENT FRAMEWORK (C-RAF)

[Exhibit 8] Cybersecurity frameworks table of comparison

| Framework / Standards | Scope | Unique |
|---|---|---|
| C-RAF | HK authorized financial institutions | |
| NIST | Int | Business Environment, Supply Chain Risk Management |
| UK NCSC (2) | UK | |
| NERC CIP (3) | US Electricity | |
| PCI DSS | Payment card | |
| NZISM (4) | New Zealand | |
| ISO | Int | |
| CIS CSC | Int | |
| COBIT | Int | |
| National | | |
| ASD (5) | Australia | |
| CREST (6) | Int | |
| GoC (7) | Canada FRFI (8) | |
| Organizations and Resources | | |
| FFIEC (9) | US Financial Institutions | |
| ETSI (10) | Int | Facilitation mechanisms |
| FINRA (11) | Small firms in US Finance | |
| IIROC (12) | Canada Investment | Cyber insurance |
| International Guidance | | |
| BCBS (13) | Banking | |
| CPMI-IOSCO (14) | Financial Markets Infrastructures | Testing as a separate function |
| G7-CEG (15) | Financial Sector | |
| OECD (16) | National policy | |

Domain coverage columns of the exhibit (Gov, Risk, Data, Sec, Exp, Det, Inc, Situa, Over, Cont; see note 1) are not reproduced here.

Notes:
1. Domain abbreviations: Gov for governance, Risk for risk analysis and assessment, Data for data security, Sec for security control and incident prevention, Exp for expertise and training, Det for detection, Inc for incident management, Situa for situational awareness, Over for oversight of interconnections, Cont for continuous learning/improvement
2. UK National Cyber Security Centre, Cyber Assessment Framework
3. North American Electric Reliability Corporation - Critical Infrastructure Protection, Cyber Security Standards
4. Government of New Zealand, NZISM Protective Security Requirements
5. Australian Signals Directorate (ASD), Strategies to Mitigate Cyber Security Incidents
6. CREST Maturity Assessment Tools
7. Government of Canada, Cyber Security Self-Assessment Guidance
8. Federally Regulated Financial Institutions
9. Federal Financial Institutions Examination Council (FFIEC), Cyber Assessment Tool
10. ETSI TR 103 305-1 V3.1.1
11. Financial Industry Regulatory Authority (FINRA), Small Firm Cybersecurity Checklist
12. Investment Industry Regulatory Organization of Canada (IIROC), Cybersecurity Best Practices Guide and Cyber Governance Guide
13. Basel Committee on Banking Supervision (BCBS), Cyber-Resilience: Range of Practices
14. Committee on Payments and Market Infrastructures (CPMI) and the Board of the International Organization of Securities Commissions (IOSCO), Guidance on Cyber Resilience for Financial Market Infrastructures
15. G7 Cyber Expert Group (CEG), Fundamental Elements for Cybersecurity
16. Organisation for Economic Co-operation and Development (OECD), Recommendation of the Council on Digital Security of Critical Activities

While C-RAF's coverage of cybersecurity maturity domains is consistent with most internationally well-recognized frameworks, it also offers some unique advantages over its peers. As mentioned above, C-RAF consists of three parts: (1) Inherent Risk Assessment (IRA), (2) Maturity Assessment, and (3) Intelligence-led Cyber Attack Simulation Testing (iCAST). The three parts work together to give organizations a more customisable measure. First, the IRA lets an entity identify its own inherent risk, which determines its risk level and the maturity level it is required to reach. Next, the AI evaluates its current maturity against that requirement, identifies any gaps for improvement and sets the corresponding deadlines for closing them. Finally, iCAST gives the organization an opportunity to test its cybersecurity beyond a traditional penetration test. Together, these form a complete and tailored assessment that reflects each AI's actual risk and maturity and helps minimize potential losses from cyber incidents.