Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework

INHERENT RISK AND MATURITY

[ Exhibit 48 (cont.) ] Relationship between the seven maturity domains and inherent risk score
(Figure: three scatterplots of domain maturity score against Inherent Risk Score, one each for "Situational Awareness", "Response and Recovery" and "Third-party Risk Management"; AIs are grouped as Low, Medium and High risk, with the Benchmark shown for comparison.)

Key findings:

1. Align with General Trend - Higher Risk Score Often Accompanies Higher Maturity Score
Similar to the main scatterplot at the beginning of this section, a higher overall risk score tends to come with a higher maturity score in each domain. This indicates that, for all the Maturity Assessment domains, riskier AIs have taken the corresponding actions in each domain.

2. Most Low- and Medium-Risk AIs Fail to Reach Target on a Domain Level
As seen in Exhibit 48, only about half of the non-high-risk AIs manage to reach or get close to their corresponding target for each domain. This suggests that the underperformance of these groups is often caused by a group of AIs failing to reach the target rather than by a few anomalies. More worryingly, some medium-risk AIs perform worse than low-risk AIs despite having a higher number of maximum controls, particularly in "Third-party Risk Management" and "Identification". Fortunately, the MA exercise includes fields in which AIs set deadlines for implementing these measures. Regulators could use this information to investigate the underlying reasons for such underperformance and provide support and guidance to these AIs.

DIFFERENT PERSPECTIVES IN MEASURING RISK VS REQUIRED MATURITY

DOMAIN COMPARISON

To better understand whether the AIs have put sufficient resources into addressing the various risks they face, we created a series of scatterplots based on the Inherent Risk Assessment and Maturity Assessment domains.

We first examine the relationship between the AIs' "Technologies" and "Cyber Threat Track Records" risk scores and the "Identification", "Protection", "Detection" and "Third-party Management" maturity domains. We focus on these four domains in particular because they are deemed the traditional or typical steps advocated for cybersecurity risk management, as depicted in cybersecurity risk management frameworks such as the US National Institute of Standards and Technology (NIST) Security Framework.[8]

[ Exhibit 49 ] Group A (1) - "Technologies" risk score versus four traditional maturity domains
(Figure: four scatterplots of domain maturity score against "Technologies" Risk Score, one each for "Identification", "Protection", "Detection" and "Response and Recovery". Legend: Maximum Maturity Score; Baseline + Intermediate; Baseline; Low Risk Average; Medium Risk Average; High Risk Average.)

8. There are five domains under the US National Institute of Standards and Technology (NIST) Security Framework: "Identify", "Protect", "Detect", "Respond" and "Recover". These five domains correspond to four of our Maturity Assessment domains, namely "Identification", "Protection", "Detection" and "Response and Recovery".
