Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework
MATURITY ASSESSMENT (MA)

In the following section, we will examine the Maturity Assessment responses, assess the landscape of the cyber risk control maturity level of the AIs, and investigate the common weaknesses for improvement. Similar to our work in the Inherent Risk Assessment analysis section, we will examine the domain level, the component (i.e. subcategory) level and the individual control level in an attempt to identify the cause of gaps in their maturity level.

Domain: The scope of the maturity assessment covers seven key domains. These domains are categorized in three levels: governance, internal environment, and external environment.

Component: Each domain comprises a number of "components"; the relationship between domains and components is defined by the official Maturity Assessment framework.

Control: The framework has also set out a number of "control principles", which are divided into different maturity levels (Baseline, Intermediate and Advanced).

[ Exhibit 40 ] Maturity control grouping example

Domain: Identification
  Component: IT Asset Identification
    Baseline: 1. IT Asset Management 2. IT Configuration Management
    Intermediate: 1. IT Asset Management 2. IT Configuration Management
    Advanced: 1. IT Configuration Management
  Component: Cyber Risk Identification and Assessment
    Baseline: 1. Cyber Risk Identification 2. Assessment Scope
    Intermediate: 1. Cyber Risk Identification 2. Assessment Scope
    Advanced: 1. Cyber Risk Identification 2. Assessment Scope

SURVEY RESULT

With the components and controls of the maturity assessment in mind, we began to analyse the performance of the different risk classes. Exhibit 41 presents a chart that allows us to examine whether there are any areas of improvement for AIs in the various risk classes. Note that the percentage is calculated in terms of the total number of controls at each maturity level for every domain. For example, under the "Governance" maturity assessment domain, there are a total of 30 baseline controls. If an AI attained 27 of them, it would achieve a score of 90%. Again, we only show the results for the required maturity level for each group of AIs; hence there are only high-risk AIs in the "Advanced" section, and only medium- and high-risk AIs in the "Intermediate" section.

[ Exhibit 41 ] Maturity assessment domain result comparisons
(Chart: "Maturity Assessment Domain Results". Vertical axis: attainment rate in %, 0 to 100. Horizontal axis: the seven domains, Governance, Detection, Identification, Response and Recovery, Protection, Situation Awareness and Third-party Risk Management. Series: Baseline (Low-, Medium- and High-risk AIs), Intermediate (Medium- and High-risk AIs), Advanced (High-risk AIs).)

Key findings:

1. High-Risk AIs Outperform

The previous section shows that high-risk AIs have adopted almost all controls across the three maturity levels. More specifically, only one high-risk AI does not meet all the requirements. Yet, that AI only has a slight shortfall in "Governance", "Protection" and "Situation Awareness", and has stated reasonable timelines to fill in the gaps to mitigate those risks. This suggests that high-risk AIs have proactively taken actions to minimize the cyber risk induced by their day-to-day operations and characteristics, and are fast-acting in closing any gaps. This echoes our finding in the Inherent Risk Assessment, where high-risk AIs face lower cyber staffing risk.

2. Most Medium-Risk AIs Fail to Meet the Target

By contrast, medium-risk AIs perform less well, with an overall attainment rate of 87% across the Baseline and Intermediate maturity levels. This group of AIs underperforms in "Governance", "Protection" and "Third-party Risk Management". On average, they have failed to meet six or more controls in the domains above across the two required maturity levels. In particular, the lack of third-party controls might be caused by their low exposure to third-party
In short, the results align with the statistics above, where we found high-risk AIs perform the best while medium-risk AIs are the worst. The underperformance is partly driven by their low attainment rate under the “Third-party Risk Management” domain, which could be due to the relatively low Third-party Risk as shown in the IRA analysis. Nonetheless, when we used the MA results to check against the AIs’ actual security measures, we found that the results are somewhat effective in understanding the real-life implementation of SSL certifications of the AIs.