Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework
INHERENT RISK ASSESSMENT (IRA) SURVEY RESULT

[ Exhibit 11 ] The five Inherent Risk Assessment domains

Technologies – The “Technologies” domain contains 17 indicators, including aspects such as the number of network-connected devices and hardware-related issues. This domain also assesses the condition of an AI’s software ecosystem by taking into consideration the number of suboptimal software systems and the degree to which the AI relies on third parties.

Products and Technology Services – This domain comprises 14 indicators, which assess the AI’s risk induced by banking-related services. The three main aspects relate to the provision of payment cards, fund transfers and other services, including treasury, trust and securities trading.

Organizational Characteristics – This domain consists of 9 indicators, assessing the AI’s risk in terms of its size and risk areas indirectly related to service provision, including the number of employees. Moreover, it also measures the risk related to the lack of cybersecurity staff and the turnover of cybersecurity staff.

Cyber Threat Tracked Records – As the name suggests, this domain hosts a total of 7 risk indicators related to the AI’s history of cyber attacks. There are broadly two categories of risk: the frequency and the variety of cyberattacks, recording both successful and failed attempts.

Delivery Channels – There are 4 risk indicators under this domain, which measure the AI’s exposure and presence in the various channels used to interact with customers, including their internet, social media and mobile presence. Last but not least, this domain also assesses the risk induced by offering ATM services.

Let us first take a holistic view to understand the differences in risk levels among the three risk classes. Recall that the most common risk level determines an AI’s overall risk. It is expected that higher-risk AIs would show elevated risk in each domain. The chart in Exhibit 12 helps us identify “Technologies” as the key differentiating domain between medium- and high-risk AIs, while “Products and Technology Services” presents the greatest gap between low-risk AIs and their peers. Lastly, we observed that “Tracked Records on Cyber Threats” is comparable across the three risk classes.

[ Exhibit 12 ] Inherent Risk Assessment – risk score comparison (chart: risk score by risk class, Low, Medium and High, for each of the five domains: Technologies (biggest gap between medium- and high-risk AIs), Delivery Channels, Products and Technology Services (largest gap between low- and medium-risk AIs), Organizational Characteristics, Tracked Records on Cyber Threats (similar across all risk classes))

However, the risk score does not provide a fair comparison across the five domains, as each has a different number of indicators. To provide a standardized view of risk propensity independent of the number of indicators, we computed the percentage risk by dividing the total score by the maximum possible in each domain. Exhibit 13 shows how a percentage risk score is calculated.

[ Exhibit 13 ] Inherent risk score and percentage risk score calculation
For example, under the “Delivery Channels” domain, which has a total of FOUR indicators, an AI responded with: 1x Low-risk, 2x Medium-risk, 1x High-risk. Therefore a risk score of: 1 x 1 + 2 x 2 + 1 x 3 = 8. But the maximum score is the number of indicators multiplied by three, i.e. 3 x 4 = 12. Hence the percentage risk score of: 8/12 = 67%.

In summary, we found that the overall risk increases as an AI provides a broader range of services under the IRA framework assessment criteria. At the same time, growth in an AI’s size accelerates the rise in cybersecurity risk. However, we also found that the riskiest and largest AIs are more self-aware of the issues they face and have taken better action to mitigate them, whereas the efforts of their less risky counterparts still need improvement.

Overall, the IRA framework risk class calculation methodologies effectively categorize the AIs, aligning with both classifications by size and by service provision. Lastly, we have made a few suggestions for improving the risk calculation methodology according to our findings.
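The scoring rules described above (Low = 1, Medium = 2, High = 3 per indicator, domain maximum = indicators x 3, percentage risk = score / maximum, overall class = most common rating) as an added Python example; this is not code from the report. The indicator counts are the ones the report states for the five domains, and the tie-break for the overall class (the higher level wins) is an assumption, since the report does not specify one.

```python
"""IRA scoring helpers (added example, not code from the report).

Each indicator is rated Low=1, Medium=2 or High=3; a domain's risk score is
the sum of its ratings; the maximum is indicators x 3; the percentage risk
score is score/maximum; the AI's overall class is the most common rating.
"""
from collections import Counter
from fractions import Fraction

LEVEL_SCORE = {"Low": 1, "Medium": 2, "High": 3}
SCORE_LEVEL = {v: k for k, v in LEVEL_SCORE.items()}

# Indicator counts per domain as stated in Exhibit 11.
DOMAIN_INDICATORS = {
    "Technologies": 17,
    "Products and Technology Services": 14,
    "Organizational Characteristics": 9,
    "Cyber Threat Tracked Records": 7,
    "Delivery Channels": 4,
}


def risk_score(ratings):
    """Sum of indicator ratings, e.g. [Low, Medium, Medium, High] -> 8."""
    return sum(LEVEL_SCORE[r] for r in ratings)


def percentage_risk(domain, ratings):
    """Risk score over the domain maximum; rejects a wrong indicator count."""
    n = DOMAIN_INDICATORS[domain]
    if len(ratings) != n:
        raise ValueError(f"{domain} needs {n} ratings, got {len(ratings)}")
    return Fraction(risk_score(ratings), 3 * n)


def overall_risk_class(ratings_by_domain):
    """Most common rating across every indicator of every domain."""
    counts = Counter(r for rs in ratings_by_domain.values() for r in rs)
    top = max(counts.values())
    tied = [LEVEL_SCORE[lvl] for lvl, c in counts.items() if c == top]
    return SCORE_LEVEL[max(tied)]  # assumption: higher level wins a tie


if __name__ == "__main__":
    # The report's worked example: Delivery Channels, 4 indicators -> 8/12.
    example = ["Low", "Medium", "Medium", "High"]
    print(risk_score(example), percentage_risk("Delivery Channels", example))
    # Raw scores are not comparable across domains: all-Low Technologies
    # (17) outscores all-High Delivery Channels (12) but is far less risky.
    print(percentage_risk("Technologies", ["Low"] * 17),
          percentage_risk("Delivery Channels", ["High"] * 4))
    print(overall_risk_class({"Delivery Channels": example}))  # Medium
```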