Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework

MATURITY ASSESSMENT (MA)

[ Exhibit 36 ] The seven domains of the maturity assessment (5): Governance; Identification; Protection; Detection; Response and Recovery; Situational Awareness; Third Party Risk Management

[ Exhibit 37 ] Percentage maturity control attainment by risk class

                  Low-risk AIs    Medium-risk AIs    High-risk AIs
Baseline          88.0%           90.7%              99.6%
Intermediate      Not Required    82.8%              100.0%
Advanced          Not Required    Not Required       99.1%

(The original exhibit shades each cell as "All Requirements Met", "Partially Attained", or "Not Required".)

OVERVIEW

The Maturity Assessment (MA) covers seven key domains, with over 360 controls across three maturity levels: "Baseline", "Intermediate", and "Advanced". The MA is designed to provide a comprehensive review of the operating environment and emphasizes a sound governance framework. As introduced in HKMA's C-RAF consultation paper, the seven domains are arranged in three layers, depicted in Exhibit 36. The centre represents the governance aspect; the inner circle consists of control areas related to the internal environment; and the outer circle shows the controls related to the external environment.

The level of maturity required for each authorized institution (AI) depends on the risk classification produced by the Inherent Risk Assessment. Low-risk AIs need to attain the "Baseline" maturity level as a minimum requirement. Correspondingly, medium-risk AIs need to attain the "Intermediate" maturity level, and the "Advanced" level is required for high-risk AIs. In general, the risk controls adopted by the AIs are consistent with their inherent risk level: higher-risk AIs adopt more controls.

Surveyed AIs' Maturity Assessment Population

[ Exhibit 35 ] Maturity Assessment population of surveyed AIs: Baseline 45%; Intermediate 41%; Advanced 14%

While AIs may respond to parts of the survey that they are not required to complete, we analysed only the assessments that the AIs are subject to. Therefore, this section reports only the "Baseline" control responses for low-risk AIs, both the "Baseline" and "Intermediate" controls for medium-risk AIs, and all three of the "Baseline", "Intermediate", and "Advanced" controls for high-risk AIs.

5. HKMA (2016). Cyber Resilience Assessment Framework Consultation Draft.
