Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework
INHERENT RISK ASSESSMENT (IRA)

[Exhibit 14] Risk class percentage risk score (chart of Percentage Risk Score for the High, Medium and Low risk classes)
[Exhibit 15] Relationship between AIs’ equity and their overall risk score
[Exhibit 16] Survey risk class and equity size mapping

Based on the percentage risk score, we observed the following:

1. The Gap in “Technologies” Remains Salient
The discrepancy in “Technologies” between medium- and high-risk AIs remains the most salient, with a difference of 16 percentage points.

2. “Delivery Channels” Becomes Much Riskier
High- and medium-risk AIs face the most potent threat in “Delivery Channels”, each with a lead of about 15 percentage points over their second-riskiest domain.

3. Low-risk AIs Show High Organizational Characteristics Risk
On the other hand, low-risk AIs face the highest risk in “Organizational Characteristics” while facing lower risk in “Delivery Channels”, “Technologies”, and “Products and Technology Services”.

The absence of an obvious risk pattern across risk classes suggests that some risk-class-dependent factors might lead to the discrepancy, signalling differences in the dynamics of cybersecurity risk across groups. There are several possible explanations for the overall low risk score of the low-risk group. For example, the observation above indicates either that they are competent in addressing technical and service-induced risks, or that they have a low reliance on technologies and face fewer clients, but might have struggled in aspects such as IT staffing and cybersecurity staff retention. Meanwhile, medium- and high-risk AIs have experienced the highest risk in “Delivery Channels”, which could be driven by the active use of various external communication channels or a more comprehensive range of service provision. To determine the underlying reasons for the observation above, we have conducted a more thorough investigation in a later section.
SURVEY RESULT – BY SIZE

According to Fitch Ratings’ Managing Director Christopher Wolfe [3], larger banks might face higher cybersecurity risk as they are more likely to have complicated or perhaps legacy IT infrastructure compared to smaller banks. Therefore, we sought to analyse the IRA results by grouping the AIs by equity instead of by risk level.

As illustrated in the right-hand chart, when the log of equity increases, the overall score of the AIs rises. More specifically, we found that log equity has a modest to high positive relationship with the overall risk score, and a 1% change in the equity level would, on average, increase the AI’s risk score by 0.11 percentage points.

To generalize our analysis, we have grouped the AIs into different equity bins. An AI is said to be small when it has an equity level of below HK$10 billion, and it is classified as large when it has an equity level of over HK$30 billion, with medium anywhere in between.

Interestingly, none of the low-risk AIs is of medium or large size when measured by equity level, even though, as seen in the section above, “Organizational Characteristics” is their worst-performing domain percentage-wise. This provides evidence that the risk the low-risk AIs have experienced under the “Organizational Characteristics” domain is not related to business size. Exhibit 17 indicates that when we break the AIs down into three categories by size, we obtain a similar average score compared to when breaking down by risk class, despite a difference in sample size.

3. https://www.fitchratings.com/research/banks/bigger-not-always-better-for-bank-cyber-risk-scores-13-04-2021
Survey risk class and equity size mapping (equity size in HK$ billion)

Risk Class    Small (<$10bn)    Medium ($10bn-$30bn)    Large (>$30bn)
Low           3                 0                       0
Medium        1                 3                       3
High          1                 1                       1

* With data of 13 respondents

[Chart: Relationship between Equity and Overall Risk Score; axes: Overall Score, Log Equity]
[Chart legend: Technologies; Delivery Channels; Products and Technology Services; Organizational Characteristics; Tracked Records On Cyber Threats; risk classes Low, Medium, High]