Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework
INHERENT RISK ASSESSMENT (IRA)

Our Observations:

1. Delivery Channels Risk Driven by Mobile Presence
Recall that high- and medium-risk AIs face the most potent risk in "Delivery Channels". We see that it is mainly driven by their mobile presence risk, which is 56 and 67 percentage points higher, respectively, than that of their low-risk counterparts.

2. Relatively Small Gap in Social Media Risk
Under the "Delivery Channels" domain, low-risk AIs have the smallest gap with their peers in social media presence. This is perhaps because low-risk AIs do not need to provide mobile banking services but would still, albeit to a smaller extent, use social media to interact with their customers.

3. Third-party Risk Caused the Technology Risk Gap
In previous sections, "Technologies" was the main distinguishing characteristic between medium- and high-risk AIs. Here we found that the gap is mainly driven by third-party related risks, perhaps signalling that firms with a high-risk classification use more third-party software and hardware, or outsource more duties to vendors, which makes risk control more challenging because the AI does not directly control the vendor's environment.

4. Higher-Risk AIs See Lower Risk in Cybersecurity Staffing
Intriguingly, the higher the risk class, the lower the cybersecurity staffing risk appears to be. Here we observe that high-risk AIs outperform their low- and medium-risk peers by 20 and 15 percentage points respectively. This suggests that higher-risk AIs may be more aware of their own cybersecurity risk and have taken action to hire the professionals needed to manage it.

The table in Exhibit 23 also shows that the extent of risk, in terms of the frequency and variety of threats in past track records, is similar across all AIs. Overall, only one of the 22 AIs reported three breaches; all others reported none.
Collectively, the responding AIs signal that they experience the lowest risk from social engineering and Denial-of-Service (DoS) attacks, with 16 of the 22 AIs reporting low risk for each. Phishing and malware attacks are deemed riskier, with over 15 AIs giving each a medium rating, though most added that their anti-virus software could stop those attacks. In addition, some AIs reported types of attack that the IRA questionnaire does not capture: in the detailed responses, one AI reported a large number of SQL injection attempts and another reported incidents of ransomware. Amid the fast-changing cybersecurity landscape, we suggest adding an "Other Attacks" column to the IRA questionnaire so that AIs can report other types of cyberattack they have faced. This would give a fuller picture and help their peers and regulators become aware of new forms of cybersecurity threat.

ANALYSIS BY SERVICE PROVISION

As the analyses in the previous section demonstrated, there is a large gap in the sub-domain risks for service provision, where high- and medium-risk AIs show a difference of more than 30 percentage points compared to low-risk AIs. To investigate further how these services affect the overall cybersecurity risk level, we conducted some analysis based on the types of service the AIs provide. Among the 22 surveyed AIs, 11 offer payment card services and 11 offer ATM services. (N.B. some AIs offer both payment card and ATM services.)

[ Exhibit 24 ] Risk class proportion by service provided

As Exhibit 24 shows, service-providing AIs are predominantly high- and medium-risk, while most non-service-providing AIs are low-risk. Evidently, AIs that offer a larger variety of consumer services are more exposed to cybersecurity risk. Since AIs often provide both payment card and ATM services, these two sub-domains are the most salient for both groups.
In addition, both groups see a high mobile presence risk, which could be interpreted as these AIs also offering mobile banking to facilitate service provision. This would magnify their overall risk level.

Overall, the observations above have helped us identify the key element of risk for each of the three groups. By looking at the detailed responses of the AIs, we could rationalize such differences and determine the cause of the discrepancies. Therefore, based on the experience of conducting the analysis above, we believe the IRA exercise could allow regulators and AIs alike to easily identify their cybersecurity weaknesses and better establish plans to fill any gaps.

[ Exhibit 24 chart: stacked bars (0% to 100%) of the Low / Medium / High risk class proportion for Payment Card, ATM, Non-Payment Card and Non-ATM AIs ]