Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework
MATURITY ASSESSMENT (MA)

At a domain level, we found that the slight shortfall among the high-risk AIs comes from a single AI, which falls slightly short in the “Governance”, “Protection”, and “Situation Awareness” domains but has established a reasonable timeline to implement the missing measures. By contrast, medium-risk AIs perform worse in “Governance”, “Protection”, and “Third-party Risk Management”. Low-risk AIs are mostly on target in “Protection”, “Situation Awareness”, “Response and Recovery”, and “Third-party Risk Management” but have failed to meet expectations in the other three domains. This again signifies that many low-risk AIs have not met the minimum standard and have underperformed in their internal environment and governance controls.

Next, we seek to identify the best and worst performing of the 25 components. We found that no component is fully adopted by all AIs. Still, the Data Security component is by far the best performing, with an attainment rate of over 99%, suggesting that the AIs have taken as much control as possible to safeguard their sensitive information and data. All components reached an attainment rate of at least 80%, with the three worst performing components all belonging to the “Third-party Risk Management” domain. Upon further investigation, we found this is mainly driven by the fact that many of the individual controls in the “Third-party Risk Management” domain have a low attainment score: almost half of the twelve worst performing controls are in this domain.

Finally, we cross-checked a finding from the IRA section to draw links between the Inherent Risk Assessment and the Maturity Assessment. In particular, in the IRA section we found that AIs with a “High” overall risk experience the lowest cybersecurity staffing risk. We believe they have taken adequate measures in staffing and training their personnel.

To check whether the findings in the maturity assessment align with the abovementioned findings, we investigated a particular maturity component specific to cybersecurity staffing and training. As we expected, we found that the high-risk AIs excel in that component, which is consistent with our IRA finding. The two self-assessment exercises work coherently together, and the AIs’ answers are consistent across both sections.

INHERENT RISK AND MATURITY