Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework
INHERENT RISK ASSESSMENT (IRA)

[Exhibit 28] Hierarchical cluster grouping risk score. Panels: Group A Average, Group B Average, Group C Average. Axes: Technologies; Delivery Channels; Products and Technology Services; Organizational Characteristics; Tracked Records on Cyber Threats.

Correlation of Risk with AIs' Business Nature and Target Customers

By examining the detailed responses in the survey, we have identified a few key statistics that might help us give meaning to the three clusters. Exhibit 27 shows a full table of comparisons. An immediate observation we can make from the data is that, on average, Group B is the largest amongst the three groups, followed by Group C. The former is the largest in terms of multiple monetary measures and the number of branches, staff, and customers. Next, Group C is mostly defined by its high number of third-party and in-house applications, Open-Source Software (OSS) without commercial support, and End-of-Life (EOL) systems, signalling that its risk stems mainly from weakness in managing technical risk. Intriguingly, Group A is the smallest on average by almost all measures. AIs in this group have issued only a small number of payment cards and have a weak presence in the P2P transaction space, yet they are almost as competitive in the treasury service space as Group C.

The observation above indicates that Group A consists mostly of small retail banks with a low number of branches and employees. They also have limited outreach in terms of their digital presence and service provision. On the other hand, Group B appears to consist of large banks with mature internal technology systems and high outreach in their internet presence and P2P transactions. The high average deposit from customers indicates that they might, to a certain degree, support higher-net-worth customers or corporate clients. Meanwhile, Group C, being smaller than Group B but with a noticeably higher presence as a merchant acquirer, could be AIs that focus on the payment system side and support businesses with payment solutions.

Overall, the clustering result reveals that an AI's overall risk might be closely related to its business nature and target audience, which are not directly captured in the IRA framework. While we cannot conclusively say how the type of AI impacts its risk, the analyses above have provided evidence for such possibilities.