Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework

INHERENT RISK ASSESSMENT (IRA)

INDICATOR AND SUB-DOMAIN ANALYSIS

To better understand which areas AIs often struggle with, we have sorted the top and bottom five risk indicators out of the 51 IRA indicators by total risk score, subject to the same score calculation rule described above. The charts in Exhibits 20 and 21 reveal some interesting characteristics of the surveyed AIs. For example, Exhibit 20 shows that many of the respondents have a strong internet presence, indicating that they use the internet to provide online retail banking, wholesale banking and other banking services, rather than merely as a channel for providing information. Similarly, the high risk score for treasury services indicates that the surveyed AIs offer a large range of treasury services, including lockbox, currency services and online investing.

[ Exhibit 20 ] Most and least risky indicators by risk score
Most risky indicators by risk score (77% to 88%): Number of Network Devices, Internet Presence, Treasury Services Risk, Asset Value Risk, Wire Transfer Channel Risk
Least risky indicators by risk score (3% to 15%): Number of Cloud Computing Services, Prepaid Cards, Host IT Service, Dedicated Connection, Merchant Acquirer Model Risk

Relevance of Risk Indicators to AIs

Another observation is that how risky a risk indicator appears depends partly on the applicability of the indicator to the AIs. For example, we observe an exceptionally low risk score for "Cloud Computing Services" and "Prepaid Cards" mainly because many AIs have indicated that these risk indicators are not applicable to them, hence a risk score of zero. Exhibit 21 shows the top five risk indicators by their number of "Not Applicable" responses. The red dotted line is the maximum number possible, i.e. the number of surveyed AIs. The high "Not Applicable" rate, however, does not mean these risk indicators are redundant. Using cloud computing services risk as an example: as technology progresses and cloud computing services grow in popularity, AIs could in future adopt various cloud computing services, and the Inherent Risk Assessment would then act as a benchmark to help AIs identify how much additional risk might be added and to incentivise them to implement the necessary measures.

[ Exhibit 21 ] Top "Not Applicable" risk indicators (number of "Not Applicable" responses; the red dotted line marks the number of surveyed AIs)
Prepaid Card Risk: 20
Cloud Computing Services Risk: 20
Host IT Services Risk: 19
Merchant Acquirer Model Risk: 16
Merchant Acquirer Merchant Risk: 16

Grouping of Related Risk Indicators into Sub-domains

Next, we analyse the indicators and see how the risk varies between risk classes. To simplify the analytical process, we have grouped related indicators within a domain into various sub-domains. For example, for the "Technologies" risk domain, we have grouped the 17 indicators into three sub-domains: (1) Network risks, (2) Third-party risks and (3) Internal risks. A complete mapping is provided in Appendix 1.

[ Exhibit 22 ] Inherent risk indicator grouping example
DOMAIN: The official category of the Inherent Risk Assessment, which takes into account various business and operational aspects of the AIs.
SUB-DOMAIN: A sub-category grouping done within this report, to simplify the analytical process and reduce data dimension.
INDICATOR: For each assessment indicator, the AIs select the most appropriate description under "low", "medium" or "high" inherent risk.
Example:
Domain: Cyber Threat Tracked Records
  Sub-domain: Cyber Threat Frequency
    1. Number of Attempted Cyber Attacks
    2. Number of Successful Attacks
    3. Number of Breaches
  Sub-domain: Cyber Threat Variety
    1. Phishing Attempts
    2. Denial-of-Service (DoS) Attacks
    3. Social Engineering
    4. Malware

[ Exhibit 23 ] Risk sub-domain percentage-point difference between low-risk AIs and their peers (values in percentage points; the top three and bottom three values in each column are highlighted in the original chart)

Domain                           Risk sub-domain                Medium - Low   High - Low
Technologies                     Network risks                       8%            14%
Technologies                     Third-party risks                   7%            54%
Technologies                     Internal risks                     26%            16%
Delivery Channels                Internet presence                  23%            30%
Delivery Channels                Mobile presence                    56%            67%
Delivery Channels                Social media presence              16%            23%
Delivery Channels                ATM                                38%            38%
Products and Technology Services Payment card risks                 32%            36%
Products and Technology Services Fund transfer risks                11%            20%
Products and Technology Services Client services                    28%             5%
Organizational Characteristics   Size risks                          8%            11%
Organizational Characteristics   Service risks                      12%            31%
Organizational Characteristics   Cybersecurity staffing risks       -5%           -20%
Tracked Records On Cyber Threats Frequency                          -3%             9%
Tracked Records On Cyber Threats Variety                           -11%             2%
