Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework
MATURITY ASSESSMENT (MA)

[Exhibit 44] Average maturity control percentage attainment (bar chart of the average attainment percentage per maturity control, values ranging from 55% to 71%; controls shown: Incident response to widely reported events; DNSSEC Deployment; Security Information Thresholds; On-going Third-party Risk Assessment; Process to Correlate Event Information; Anomalies Activity Detection Thresholds; Additional Training for Privileged Users; Third-party Due Diligence Before Contract; Third-party Responsibility for Notification; On-going Third-party Review of Security Incidents; Third-party Responsibility Establishment)
[Exhibit 45] Partial adoption of maturity controls
[Exhibit 46] Staffing and training maturity component attainment rate

If we examine the detailed responses, where AIs that failed to meet the requirement for a control note down the gap they identified, we found that 8 out of the 10 AIs that responded with a negative answer had in fact partially adopted the relevant measure. This is a similar case for many other controls in the Maturity Assessment: of the top five controls with the most “No” answers, four have been partially adopted by at least half of the AIs. We believe the Maturity Assessment could benefit from a three-level system similar to that of the Inherent Risk Assessment. Instead of allowing only binary “Yes” and “No” answers, AIs could indicate partial adoption of a measure, which would better reflect the implementation status of the large number of maturity controls.
Top 5 controls by non-adoption rate

Control                                   Total No(s)   Partially Adopted   Not Adopted / No Formal Procedure
Widely Reported Incident Response         10            80%                 20%
DNSSEC Deployment                         9             11%                 89%
Security Information Thresholds           8             75%                 25%
Ongoing Third-party Risk Assessment       7             57%                 43%
Process to Correlate Event Information*   7             43%                 43%

* One response was missing.

Despite the observation above, we believe the Maturity Assessment not only allows the HKMA to better understand the gaps in the AIs’ practice, but also gives the AIs an opportunity to conduct a thorough check of their cyber risk profile. Over 90% of participating AIs found the C-RAF useful, especially in identifying previously unrecognized gaps.[7]

7. https://www.moodysanalytics.com/regulatory-news/Nov-03-20-HKMA-Enhances-Cybersecurity-Fortification-Initiative

RESPONSES

IRA: LOW CYBERSECURITY STAFFING RISK FOR HIGH-RISK AIs

In the IRA section, we found that high-risk AIs face a lower risk related to cybersecurity staffing. Here we investigate the detailed responses of high-risk AIs against those of their peers. More particularly, we examine controls under the Staffing and Training component, which sits within the larger “Governance” domain.

Risk Class   Staffing and Training Component Average Attainment Rate
Low          87%
Medium       89%
High         98%

A quick inspection reveals that the high-risk AIs have notably higher attainment under the Staffing and Training component. This confirms our observation in the IRA section that high-risk AIs have put more effort into investing in their cybersecurity and related staff. More specifically, the high-risk AIs have excelled in controls that many lower-risk AIs still struggle with, for example acquiring professionals with adequate qualifications and providing annual training to staff with privileged access.
The similar findings in both the IRA and MA sections demonstrate that the two self-assessment exercises work coherently together, and that the AIs’ answers are consistent across both sections. AIs and regulators could therefore use the survey to identify gaps between associated risk and maturity control areas, giving AIs a tool to target the areas in which they notice the biggest gap.

MATURITY ASSESSMENT: SUMMARY

In this section, we have investigated the Maturity Assessment survey responses using a top-down approach. We first investigated the overall results across the three risk classes of AIs, based on the maturity requirements they are subject to, and then drilled down to the domain, component and control levels.

We notice that high-risk AIs have performed particularly well in the Maturity Assessment despite being subject to the highest number of maturity controls. On average, this AI group achieves over 99% of controls at all three maturity levels and even meets all the requirements at the Intermediate level. On the other hand, the medium-risk AIs have underperformed, achieving only 91% and 83% of controls at the Baseline and Intermediate levels respectively. Meanwhile, low-risk AIs have also underperformed at the Baseline level, achieving on average less than 90% of their required controls.

An examination of the AIs’ risk profiles in terms of Governance, Internal Environment, and External Environment reveals that low-risk AIs struggle the most under the Governance aspect, implying that they commonly fail to take the required measures in areas related to governance and oversight. Meanwhile, medium-risk AIs have underperformed in the External Environment category, indicating that these AIs perhaps lack good threat intelligence or have issues managing third-party risk. Finally, high-risk AIs are mostly on target, as expected. This reveals that high-risk AIs are rather well-rounded in preventing losses from cyber threats.