Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework
INHERENT RISK AND MATURITY OVERVIEW

While the rule for minimum maturity attainment gives AIs a clear and concise guideline, we can expand the idea further by examining the relationship between risk and maturity. Because riskier entities require more cybersecurity effort, we hope to see a positive relationship between an AI's risk and its maturity, or, better yet, AIs with low risk still attaining a high maturity level to minimize the chance of cybersecurity-related losses. Here, we have calculated the percentage maturity attainment for the AIs and plotted it against the overall risk score, reflecting each AI's level of maturity under its required measures.

[ Exhibit 47 ] Relationship between inherent risk and maturity score (figure "AI Inherent Risk and Maturity Score"; series: Maturity Score, Maximum Maturity Score; axis: Inherent Risk Score)

As shown in the figure above, there is a positive relationship between the AIs' inherent risk score and their maturity, which is a reassuring sign. To further investigate how each maturity domain varies with the AIs' inherent risk, we have plotted the seven domains (y-axis) against the overall risk scores of the AIs (x-axis). In Exhibit 48, we have also added the risk class average as a reference to allow a clear comparison between the risk classes. In addition, we have drawn dotted lines to indicate the maximum number of control principles for each maturity level. The blue line represents the Baseline level, the yellow line represents the Baseline and Intermediate levels, and the red dotted line marks the maximum possible value, i.e. the number of indicators in a domain. Each AI should sit on its corresponding dotted line and, in the ideal scenario, above it.
[ Exhibit 48 ] Relationship between the seven maturity domains and inherent risk score (panels on this page: Governance, Protection, Identification, Detection; x-axis: Inherent Risk Score; legend: Maximum Maturity Score, Baseline + Intermediate, Baseline, Benchmark, Low Risk Average, Medium Risk Average, High Risk Average)