Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework

INHERENT RISK ASSESSMENT (IRA)

The bar chart in Exhibit 18 helps identify the best and worst performing domains for each group and allows us to compare the grouping with the overall risk class. Based on the percentage risk scores across equity categories, we observe the following:

1. Outperformance in “Technologies”
“Technologies” is the least risky domain for the large AIs, with a 50% risk score, compared to 63% for the high-risk AIs as seen in the previous section.

2. “Products and Technology Services” Becomes More Salient
Large- and medium-sized AIs face higher risk in “Products and Technology Services” when mapped against the high- and medium-risk classes, while AIs with less than HK$10 billion in equity show little change compared to the low-risk AIs.

3. Narrow Gap in “Organizational Characteristics”
Although the “Organizational Characteristics” domain contains risk indicators that measure an AI’s size, it is where we found the smallest gap between small-sized AIs and their peers.

[ Exhibit 17 ] Risk score comparison between equity size and risk class (bar chart, score axis 0 to 100; series: Size and Risk Class; labelled values 61 for <$10bn (Low), 89 for $10bn - $30bn (Medium), 92 for >$30bn (High))

[ Exhibit 18 ] Percentage risk score across the three equity categories (bar chart, 0% to 90%; groups: Large, Medium, Small; domains: Technologies, Delivery Channels, Products and Technology Services, Organizational Characteristics, Tracked Records On Cyber Threats)

[ Exhibit 19 ] Large AIs’ “Technologies” risk profile. Callout: although large AIs have notably more network devices, including servers, routers and firewalls (both physical and virtual), compared to medium-sized AIs they have fewer end-of-life applications, less open-source software without commercial support and fewer third parties; compared to both medium- and low-risk AIs they have fewer in-house applications. Net result: a low “Technologies” risk score for large AIs.

Strikingly, technology risk is among the best performing risk areas for AIs across all three sizes, while medium-sized AIs face higher risk than their larger peers. This contradicts our expectation that larger AIs might face higher cyber risk due to more complex and challenging IT infrastructure. Indeed, we found that larger AIs have fewer suboptimal software systems, a lower number of applications and less reliance on third-party service providers.

This suggests that the largest banks might have already taken the initiative to move away from their legacy systems, put substantial effort into digital transformation, and structurally organized their software systems to mitigate their technology risk. The large gap in “Products and Technology Services” and “Delivery Channels” between a small AI and its larger counterpart suggests that smaller AIs offer a narrower range of services to their customers and hence face lower cybersecurity risks. Lastly, by examining the detailed responses, we believe that the lack of cybersecurity staff could partially explain the narrow gap in “Organizational Characteristics”: most small AIs reported a high risk for the number of cybersecurity staff, whereas the answers from their larger peers were predominantly medium risk or below.

Overall, the results above suggest that while larger AIs face a higher risk for offering a more comprehensive range of services, they have also invested in mitigating technology-related and technology-induced risks. Meanwhile, smaller AIs face lower risk partly due to their smaller exposure, but they are not equally invested in reducing the risk they do face. While the similarity in risk levels between the two classification methods reveals little new insight about the AIs, it supports the effectiveness of the IRA framework’s risk classification methodology, given that business size is correlated with the firm’s overall risk score, as shown above.
