Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework
INHERENT RISK ASSESSMENT (IRA) OVERVIEW

As the first part of the C-RAF framework, the Inherent Risk Assessment is designed to reflect AIs’ cybersecurity threat level, determine their cyber risk exposure, and decide which threshold they should be subject to in the Maturity Assessment. For each of the 51 indicators in the Inherent Risk Assessment, AIs would report their self-assessed risk levels, which are “Low”, “Medium”, “High”, or “Not Applicable”. By default, an AI’s overall risk level is determined by the most common risk level in the survey. An AI can also indicate an alternative classification by considering other relevant factors, including its size and business model.

To quantify the results better, we calculated a risk score for each AI by converting its responses to an ordinal scale: we assigned a score of one to a low-risk response, two to a medium-risk response, three to a high-risk response, and zero when a risk indicator is deemed “Not Applicable” by the AI.

To extract insights, we first grouped the AIs in terms of their overall risk level and broke the domains down by various indicator groupings. We then categorized the AIs by attributes such as business size and the type of services they provide. Lastly, we applied a clustering algorithm to identify hidden groupings based on their survey responses and utilized factor analysis to extract latent factors.

[ Exhibit 9 ] Key statistics of surveyed AIs
AIs’ Business Size, Average (HK$)
Total Assets: $227.3bn
Deposits from Customers: $132.4bn
Total Equity: $29.2bn
Capital Ratio: 26.7

[ Exhibit 10 ] Risk class population of surveyed AIs
Risk classes shown: Low, High, Medium. Shares shown: 45%, 14%, 41%.