Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework
MATURITY ASSESSMENT (MA)

risk, as seen in the Inherent Risk Assessment section, where the average medium-risk AI is only seven percentage points riskier than its low-risk peers. Although low-risk exposure in a certain area is no excuse for omitting adequate measures, it also suggests that AIs may prioritize the areas where they face higher risk when resources are scarce. Regulators could keep this in mind when adjusting a later iteration of the survey assessment, or provide incentives for the AIs to bridge those gaps as a precautionary measure.

3. Low-Risk AIs See Mixed Results Across Domains

Low-risk AIs are mostly on target in terms of “Protection”, “Situation Awareness”, “Response and Recovery” and “Third-party Risk Management”, but have failed to meet expectations under all three other domains. This again signifies that many low-risk AIs have not met the minimum standard and have underperformed in terms of internal environment and governance control.

CONTROLS AND SUB-DOMAIN ANALYSIS

As the maturity assessment covers a wide range of cybersecurity measures, it allows us to identify the common weaknesses and strengths of the responding AIs. Below are some of the best- and worst-performing maturity components out of the total of 25 components. The percentage score is the average attainment rate across the maturity controls inside a component, where only the maturity controls required for an AI's risk class are considered.
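The scoring rule above (a component's score is the average attainment over the controls that each AI's risk class requires, so a control an AI is not required to meet never enters its denominator), as an added Python example that is not part of the report; the control ids, the "required from this class" encoding and the survey responses are constructed assumptions, not C-RAF's own values.

```python
# Added example: component score = average attainment over the controls that an
# AI's risk class requires. All ids, classes and answers below are constructed.
from collections import defaultdict
# Assumption: a control required "from" a class is also required for every
# higher class, so requirements stack with inherent risk.
CLASS_RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed controls: id -> (component, lowest risk class that requires it)
CONTROLS = {
    "DS-1": ("Data Security", "low"),
    "DS-2": ("Data Security", "medium"),
    "RP-1": ("Response Planning", "low"),
    "RP-2": ("Response Planning", "high"),
    "TP-1": ("Third-party Risk Management", "low"),
    "TP-2": ("Third-party Risk Management", "medium"),
}

def required(control_id, risk_class):
    """True if an AI of this risk class must answer the control."""
    _, from_class = CONTROLS[control_id]
    return CLASS_RANK[risk_class] >= CLASS_RANK[from_class]

def ai_component_rates(risk_class, answers):
    """One AI's per-component rate: share of 'Yes' among its required controls."""
    hits, totals = defaultdict(int), defaultdict(int)
    for cid, (component, _) in CONTROLS.items():
        if not required(cid, risk_class):
            continue  # not required at this class: left out of the denominator
        totals[component] += 1
        hits[component] += answers.get(cid) == "Yes"
    return {c: hits[c] / totals[c] for c in totals}

def component_attainment(survey):
    """Average each component's rate across all AIs, ranked best to worst."""
    sums, counts = defaultdict(float), defaultdict(int)
    for risk_class, answers in survey:
        for component, rate in ai_component_rates(risk_class, answers).items():
            sums[component] += rate
            counts[component] += 1
    ranked = {c: round(100 * sums[c] / counts[c], 1) for c in sums}
    return sorted(ranked.items(), key=lambda kv: kv[1], reverse=True)

# Constructed survey of three AIs: (risk class, responses). The low-risk AI's
# "No" on DS-2 is ignored because DS-2 is not required at its class.
SURVEY = [
    ("low", {"DS-1": "Yes", "DS-2": "No", "RP-1": "Yes", "TP-1": "No"}),
    ("medium", {"DS-1": "Yes", "DS-2": "Yes", "RP-1": "Yes", "TP-1": "Yes", "TP-2": "No"}),
    ("high", {"DS-1": "Yes", "DS-2": "Yes", "RP-1": "Yes", "RP-2": "No", "TP-1": "No", "TP-2": "No"}),
]
```

Running component_attainment(SURVEY) ranks Data Security at 100.0%, Response Planning at 83.3% and Third-party Risk Management at 16.7%; the low-risk AI's unmet medium-class control leaves its Data Security score untouched.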
[ Exhibit 42 ] Best-performing maturity components (average attainment rate):
Data Security 99.1%; Incident Management 97.3%; Escalation and Reporting 96.7%; Access Control 96.5%; Threat Monitoring and Analysis 96.3%; Response Planning 95.8%

[ Exhibit 43 ] Worst-performing maturity components (average attainment rate):
Audit 90.8%; Anomalies Activity Detection 90.8%; Cyber Risk Identification and Assessment 89.1%; External Connections 88.2%; Ongoing Monitoring on Third-party Risk 84.9%; Third-party Risk Management 82.9%

Key findings:

1. Near Full Attainment in Data Security

The data security component has an attainment rate of over 99%, indicating that the surveyed AIs have implemented controls to safeguard their sensitive information and data to the fullest extent. Controls related to endpoint data security, data protection and data disposal are of high importance to the AIs, allowing them to avoid data breaches. CybelAngel, a digital risk protection organization, has found that over 90% of data breaches are due to negligence; by enforcing such data protection measures, the AIs could greatly reduce potential losses related to data breaches.

2. The AIs Have Performed Particularly Well in Components Under “Response and Recovery”

Half of the top six performing maturity components are related to the “Response and Recovery” domain: Incident Management, Escalation and Reporting, and Response Planning. This shows that most of the surveyed AIs have generally performed well and are quite well-rounded in implementing follow-up measures in case of a cybersecurity incident. This is a somewhat surprising finding, as we saw in the previous section that medium-risk AIs struggle with controls under this domain. Upon inspecting individual maturity control results, we found that the “Incident response to widely reported events” control (6) under the “Response and Recovery – Response Planning” component received the most negative answers of all 365 controls.
The main reason AIs have underperformed in this domain perhaps has to do with the relatively strict condition of this control: an AI has to meet three different categories to warrant a “Yes” response.

6. Definition of “Incident response to widely reported events”: whether widely reported events, such as massive destruction or alteration of data, are used to improve incident detection and response.

Key findings:

1. Over 80% Attainment Rate for All 25 Maturity Components

All 25 maturity components achieve an attainment rate of at least 80%, which is encouraging. 21 of the 25 components achieve an average attainment rate of over 90%, and only four components have an attainment rate below 90%.

2. Components Under the “Third-party Risk Management” Maturity Domain Performed the Worst

Components under the “Third-party Risk Management” domain are the worst of the underperformers. The three components in this domain (External Connections, Ongoing Monitoring on Third-party Risk, and Third-party Risk Management) scored the lowest level of attainment among the surveyed AIs.

3. Underperformance in “Third-party Risk Management” Due to Low Attainment in Individual Controls

We plotted the attainment rate for the worst-performing controls out of the total 365 maturity controls and found that the underperformance in “Third-party Risk Management” appears to be due to broad-based underperformance, where many individual controls show a low attainment rate. This is particularly significant for “Third-party Risk Management” as it has only 27 controls, one of the smallest counts among the seven domains.