Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework
MATURITY ASSESSMENT (MA)

An AI's level of attainment of a maturity level is calculated as the number of "Yes", "Alternative Control", "Risk Accepted", and "Not Applicable" responses, expressed as a percentage of the total number of controls. As evidenced by Exhibit 37, most AIs have identified gaps in their cybersecurity measures. For risk controls that are not accomplished, surveyed AIs responded with the answer "No". The average number of "No" responses under the "Baseline" controls given by low-risk AIs is 17.6. Only one low-risk AI out of ten successfully fulfilled all the "Baseline" controls. Medium-risk AIs, on the other hand, recorded an average of 17.1 "No" responses under the "Baseline" controls and 15.4 at the "Intermediate" level. Of the nine medium-risk AIs, only one has met all the requirements. High-risk AIs performed best under the Maturity Assessment. Of the three high-risk AIs, two have completed all the required controls, while the remaining one failed three "Baseline" controls and two "Advanced" controls.

Risk Profile in Different Environments

A quick examination of the AIs' risk profile in terms of their Governance, Internal Environment, and External Environment reveals that low-risk AIs struggle the most under the Governance aspect. This implies that low-risk AIs commonly fail to take suitable measures in the oversight, strategy, and policy aspects. Meanwhile, medium-risk AIs have struggled the most under the External Environment category, implying that these AIs perhaps lack good threat intelligence or have issues managing third-party risk. Lastly, high-risk AIs are mostly on target under all three categories, meaning these AIs are rather balanced and well-rounded in preventing losses from cyber threats.
[ Exhibit 38 ] Risk profile in different environments by risk class (chart of attainment for low-, medium- and high-risk AIs; chart legend: Governance, Internal Environment, External Environment)

[ Exhibit 39 ] Introduction to the seven maturity assessment domains

Seven Domains of Maturity Assessment

Each domain comprises a number of components. Each component has a set of control principles (controls) for AIs to determine whether they achieve the required level or extent of implementation for attaining a particular maturity level of that component.

Governance
The "Governance" domain contains 81 controls across 5 components as defined by the HKMA. This domain encompasses measures related to cyber resilience oversight, cyber risk management, audit, and aspects related to staffing, training and policies.

Protection
There are 6 components covering 106 controls under the "Protection" domain, the highest number of all seven domains. These controls relate to aspects such as patch management, data security, infrastructure protection and access control.

Detection
The "Detection" domain encompasses 4 components covering a total of 60 controls: vulnerability detection, anomalous activity detection, cyber incident detection and, finally, threat monitoring and analysis.

Response and Recovery
"Response and Recovery" is a maturity domain composed of 51 controls across 3 components. The controls in this domain relate to response planning, incident management and, lastly, escalation and reporting.

Identification
"Identification" is one of the four Internal Environment domains, alongside "Protection", "Detection" and "Response and Recovery". The "Identification" domain consists of 23 controls across 2 components, related to aspects such as IT asset identification and cyber risk identification and assessment.

Situational Awareness
"Situational Awareness" is one of the two domains under the External Environment umbrella, alongside "Third-party Risk Management". Under the "Situational Awareness" domain there are only 18 controls, belonging to either the threat intelligence or the threat intelligence sharing component.

Third-party Risk Management
As the name implies, the "Third-party Risk Management" domain consists of 27 controls across 3 components related to various aspects of third-party risk. These include the ongoing monitoring of third parties, external connections and other third-party-related measures.
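As an added illustration (not part of the report), the scoring rule from the Maturity Assessment section applied to the seven domains: each domain's attainment is the counted answers over its control count as given on this page, and the roll-up into the three environments weights each domain by its control count, which is my assumption about how the risk-profile figures are aggregated. The self-assessment data is constructed.

```python
from collections import Counter

# Control count per C-RAF domain (from this page) and its environment group.
DOMAINS = {
    "Governance": ("Governance", 81),
    "Identification": ("Internal", 23),
    "Protection": ("Internal", 106),
    "Detection": ("Internal", 60),
    "Response and Recovery": ("Internal", 51),
    "Situational Awareness": ("External", 18),
    "Third-party Risk Management": ("External", 27),
}
# Answers counted as attained under the framework's rule; "No" or unanswered = gap.
ATTAINED = {"Yes", "Alternative Control", "Risk Accepted", "Not Applicable"}


def _tally(domain, answers):
    """Return (environment, total controls, attained controls) for one domain."""
    env, total = DOMAINS[domain]
    if sum(answers.values()) > total:
        raise ValueError(f"{domain}: more responses than controls")
    return env, total, sum(n for a, n in answers.items() if a in ATTAINED)


def domain_attainment(domain, answers):
    """Attainment % for one domain: attained answers over total controls."""
    _, total, attained = _tally(domain, answers)
    return round(100 * attained / total, 1)


def domain_gaps(results):
    """Unmet controls per domain: explicit 'No' plus anything left unanswered."""
    return {d: _tally(d, a)[1] - _tally(d, a)[2] for d, a in results.items()}


def environment_attainment(results):
    """Roll domains up into the three environments, weighted by control count (assumed)."""
    attained, totals = Counter(), Counter()
    for domain, answers in results.items():
        env, total, got = _tally(domain, answers)
        attained[env] += got
        totals[env] += total
    return {env: round(100 * attained[env] / totals[env], 1) for env in totals}


# Constructed self-assessment for a hypothetical AI (not data from the report).
SAMPLE = {
    "Governance": {"Yes": 70, "Alternative Control": 5, "Risk Accepted": 2, "No": 4},
    "Identification": {"Yes": 21, "No": 2},
    "Protection": {"Yes": 100, "Not Applicable": 3, "No": 3},
    "Detection": {"Yes": 57, "No": 3},
    "Response and Recovery": {"Yes": 51},
    "Situational Awareness": {"Yes": 14, "No": 4},
    "Third-party Risk Management": {"Yes": 24, "No": 3},
}
```

For the constructed sample, `environment_attainment(SAMPLE)` reports the External Environment as the weakest group, the pattern the report attributes to medium-risk AIs.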