Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework
INHERENT RISK ASSESSMENT (IRA)

Exhibit 25: Risk sub-domain percentage-point difference between service-providing and non-service-providing AIs

Domain                              Risk sub-domain                 ∆ ATM & Non-ATM   ∆ Payment & Non-Payment
Technologies                        Network risks                   12%               14%
                                    Third-party risks               7%                17%
                                    Internal risks                  14%               21%
Delivery Channels                   Internet presence               15%               21%
                                    Mobile presence                 45%               58%
                                    Social media presence           15%               21%
Products and Technology Services    ATM                             55%               48%
                                    Payment card risks              38%               41%
                                    Fund transfer risks             18%               19%
                                    Client services                 17%               17%
Organizational Characteristics      Size risks                      15%               15%
                                    Service risks                   7%                14%
                                    Cybersecurity staffing risks    -3%               -6%
Tracked Records On Cyber Threats    Frequency                       0%                2%
                                    Variety                         -2%               3%

(In the original exhibit, the top 3 and bottom 3 values in each column are highlighted.)

Correlation of Risk with AIs' Service Offerings

While service-providing AIs should show a higher risk under the sub-domain for the relevant service, these AIs often also score high in other, possibly related, sub-domains. The key takeaway is that under the design of the Inherent Risk Assessment, many areas of risk may be interrelated, which explains the large gap between service-providing and non-service-providing AIs. Hence we use factor analysis in a later section to identify any unobserved factors that lead to the higher cybersecurity risk.

HIERARCHICAL CLUSTERING

While most AIs adhere to their default risk level, the rule does not categorize the AIs by the characteristics manifested in their survey responses. To identify any hidden groupings among the AIs, we used hierarchical clustering. We applied the clustering algorithm to the total scores over the five inherent risk domains for each AI. As seen in the heat map in the appendix (Appendix 2), each AI has been sorted, and similar AIs are clustered closer together.

By examining the dendrogram in Exhibit 26, we identified three clusters. Group A is composed of low- and medium-risk AIs, Group B contains five medium-risk AIs and one high-risk AI, and Group C consists of AIs from all three risk classes. While the risk classifications are mixed, we can see from the charts in Exhibit 28 that the domain inherent risk scores and percentage scores within a group are mostly similar.

Hierarchical clustering, or hierarchical cluster analysis (HCA), divides a dataset into clusters iteratively and creates a tree-like dendrogram. The dendrogram is then used to explain the relationship between all data points in the sample. Exhibit 26 shows that the surveyed AIs have been grouped into three clusters, where the x-axis lists the AIs and the y-axis represents how close the AIs are in terms of their survey responses.

Exhibit 26: IRA Response dendrogram and hierarchical cluster groupings
[Dendrogram; x-axis: AI, y-axis: Closeness (0 to 50); colour code marks Groups A, B and C]

Exhibit 27: Hierarchical clustering group attributes

Dendrogram colour code (number of AIs per risk class)
Group   Low   Medium   High
A       7     2        -
B       -     5        1
C       3     2        2

Indicators (on average)                            Group A   Group B    Group C
Equity                                             $3.9bn    $51.6bn    $14.5bn
Deposits from customers                            $48.8bn   $301.2bn   $83.2bn
Overall Percentage Risk                            54.4      90.3       76.5
# Third parties                                    3.9       5.8        6.5
# In-house applications                            4.8       9.7        25.0
# EOL systems                                      1.4       4.7        4.2
# OSS without commercial support                   0.0       0.8        2.8
# Network devices                                  76.8      1311.5     354.3
# Branches                                         8.9       43.7       15.2
# Employees                                        289.0     2106.7     872.2
Social Media Presence                              0.1       1.5        1.3
# Cards issued                                     2,000     466,000    43,000
# P2P cosmotrons                                   0.0       70,000     3,000
# Treasury clients                                 3,000     45,000     3,000
# Correspondent banks                              110       490        30
# Entities the AI acts as a merchant acquirer for  90        200        400
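The clustering procedure described above (a bottom-up agglomerative algorithm over each AI's five domain total scores, a merge history that the dendrogram draws as closeness, and a cut of the tree into three groups whose average indicators are then compared) as an added worked example; this is not code from the report or its authors. The AI score vectors are constructed, the domain ordering, Euclidean distance, average linkage and the cut at three groups are assumptions chosen for illustration, and only the Python standard library is used:

```python
import math
import string
from itertools import combinations

# Constructed sample input (not survey data from the report): total inherent
# risk scores over the five C-RAF domains for eight fictitious AIs, in the
# assumed order Technologies, Delivery Channels, Products & Technology
# Services, Organizational Characteristics, Tracked Records on Cyber Threats.
SAMPLE_SCORES = {
    "AI-01": [12, 8, 10, 6, 2],
    "AI-02": [14, 9, 11, 7, 3],
    "AI-03": [11, 7, 9, 6, 2],
    "AI-04": [40, 30, 35, 22, 6],
    "AI-05": [42, 31, 36, 24, 7],
    "AI-06": [25, 18, 20, 14, 4],
    "AI-07": [27, 19, 22, 15, 5],
    "AI-08": [26, 17, 21, 13, 4],
}


def euclidean(a, b):
    """Distance between two AIs' five-domain score vectors (assumed metric)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def average_linkage(scores, cluster_a, cluster_b):
    """Mean pairwise distance between the members of two clusters (UPGMA)."""
    pairs = [(i, j) for i in cluster_a for j in cluster_b]
    return sum(euclidean(scores[i], scores[j]) for i, j in pairs) / len(pairs)


def agglomerate(scores):
    """Bottom-up hierarchical clustering: start with one cluster per AI and
    repeatedly merge the two closest clusters until a single cluster remains.
    Returns the merge history [(cluster_a, cluster_b, height), ...]; the
    dendrogram draws each merge as a join at y = height (closeness)."""
    clusters = [frozenset([name]) for name in scores]
    history = []
    while len(clusters) > 1:
        (a, b), height = min(
            ((pair, average_linkage(scores, *pair))
             for pair in combinations(clusters, 2)),
            key=lambda item: item[1],
        )
        clusters = [c for c in clusters if c not in (a, b)] + [a | b]
        history.append((a, b, height))
    return history


def cut_tree(history, scores, k):
    """Cut the dendrogram into k groups by replaying the merges from the
    bottom and stopping once only k clusters remain. Returns sorted lists."""
    clusters = [frozenset([name]) for name in scores]
    for a, b, _height in history:
        if len(clusters) <= k:
            break
        clusters = [c for c in clusters if c not in (a, b)] + [a | b]
    return sorted(sorted(c) for c in clusters)


def group_profiles(scores, groups):
    """Per-group mean score in each domain: the 'indicators on average' view
    used to compare the clusters once they have been identified."""
    profiles = {}
    for label, members in zip(string.ascii_uppercase, groups):
        vectors = [scores[m] for m in members]
        profiles[label] = [round(sum(col) / len(col), 2) for col in zip(*vectors)]
    return profiles


if __name__ == "__main__":
    history = agglomerate(SAMPLE_SCORES)
    for a, b, height in history:
        print(f"merge {sorted(a)} + {sorted(b)} at closeness {height:.2f}")
    groups = cut_tree(history, SAMPLE_SCORES, 3)
    for label, profile in group_profiles(SAMPLE_SCORES, groups).items():
        members = groups[ord(label) - ord("A")]
        print(f"Group {label}: {members} mean domain scores {profile}")
```

With average linkage the merge heights never decrease, so the printed history reads from the bottom of the dendrogram upward; cutting below the first large jump in height is what separates the three groups here. Group membership is driven only by the score vectors, which is why a cut can mix AIs of different default risk levels in one group, as the report observes for Group C.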