Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework
INHERENT RISK ASSESSMENT (IRA)

INHERENT RISK ANALYSIS: SUMMARY

As described in this section, we conducted a thorough investigation of the Inherent Risk Assessment results of the 22 AIs. In summary, when comparing the AIs under the classification rule set out in the IRA framework, we found that "Technologies" is the main point of difference between high- and medium-risk AIs. The gap is driven mainly by third-party risk, where the two groups differ by 47 percentage points, the largest gap in any sub-domain. We also found that low-risk AIs differ from their riskier peers through their low risk in "Products and Technology Services", which reflects the narrower range of services the low-risk AIs provide.

Comparing the AIs by equity size, we found risk scores similar to those obtained under the risk classification rule, with a few interesting observations. Most notably, the "Technologies" risk score for large AIs is lower than that of medium-sized AIs, suggesting that the largest AIs have put effort into reducing their technology-related risk. Since the size of an AI correlates with its risk level, the similarity in risk profile suggests that the IRA classification rule is effective in classifying the AIs.

The key takeaway of the service provision analysis is that many of the indicators are interconnected despite sitting in different domains. For example, mobile risk presence is strongly associated with payment card services: AIs that issue payment cards often offer an accompanying mobile application to their clients. This led us to investigate the unobserved latent factors behind the survey responses using Exploratory Factor Analysis (EFA). Using EFA, we found that the risk specific to our 22 AIs is mainly driven by banking and payment service provision, which is correlated with the internal and size risk areas. When we clustered the AIs using a hierarchical clustering algorithm, we found three distinct groups.
These findings form a coherent picture with the factor analysis results: the three groups differ in their internal technology risk, size risk, and service provision risk. Overall, we believe the IRA has helped the AIs identify their risk. The classification rule provides a clear guideline to the AIs while also revealing some interesting characteristics of the surveyed AIs. As an extension of our study, we also investigated the classification rule of C-RAF 2.0.

C-RAF 2.0 CLASSIFICATION

HKMA released a revised version of the Cyber Resilience Assessment Framework (C-RAF 2.0) in November 2020. Here we take a quick look at how our findings change under the updated classification rule: "If the number of Low risk assessment criteria is less than or equal to the total number of Medium and High risk level, the inherent risk level should be adjusted to Medium."

After applying this additional IRA classification rule, two of the ten low-risk AIs are adjusted upward to medium risk. As the scatter chart in Exhibit 34 indicates, these two AIs have the highest overall risk scores among the low-risk AIs, so the additional rule better reflects the overall risk score in this scenario.

[ Exhibit 33 ] AIs' risk class population under the updated classification rule (Low 36%, Medium 50%, High 14%)

[ Exhibit 34 ] AIs' risk score under the C-RAF 2.0 classification rule (scatter chart of overall risk score, 40 to 100, by bank and risk classification, C-RAF vs. C-RAF 2.0)