Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework

PREFACE 3 4 PREFACE Cyberattacks have been on the rise globally. The COVID-19 pandemic saw many organizations across the world shifting to remote work, giving ways to new opportunities for cybercrime, along with other cybersecurity threats such as phishing and ransomware. Financial institutions such as banks and credit agencies continue to be popular targets. Many governments and organizations have proposed initiatives to strengthen cybersecurity such as filtering tools which limit access by malicious content. Their effectiveness, however, remains unclear. In 2016, the Hong Kong Monetary Authority (HKMA) launched a Cybersecurity Fortification Initiative (CFI), a key component of which is the Cyber Resilience Assessment Framework (C-RAF), where financial institutions (FIs) are required to assess its cybersecurity risk and determine the adequacy of its cybersecurity measures. While FIs should formulate necessary plans and strengthen their security to address any gaps, are their investments worth the cost? To understand the effectiveness of the security measures undertaking by FIs under the C-RAF and to assess the impact of C-RAF adoption on security in the industry, we have conducted a comprehensive research over the course of 24 months. This report documents our findings on the detailed assessment and analysis of the C-RAF measures that would provide additional views on how these measures can expose the state of security development of financial institutions. We hope the findings presented in this report provide useful insights for financial institutions, practitioners, and regulators on whether their current security measures, policies and regulations are sufficient and worthy of investments so that we can continue to develop good practices and cybersecurity protection schemes for the financial institutions in Hong Kong. Kai-Lung Hui School of Business and Management The Hong Kong University of Science and Technology Wei Thoo Yue Department of Information Systems City University of Hong Kong This report documents the findings and insights from research conducted by HKUST Business School as part of the Fintech Theme-based Research Project, “Contributing to the Development of Hong Kong into a Global Fintech Hub” (Project No. T31-604/18-N), funded by the Research Grants Council (RGC). Editorial: Fintech Research Project, HKUST Business School Artwork and Design: Andrew Tang @JamFactory Print production: Media Technology and Publishing Center, HKUST Enquiries: fintech@ust.hk About HKUST Business School Founded in 1991, the HKUST Business School is young, innovative and committed to advancing global business knowledge. The School has forged an international reputation for world-class education programs and research performance, and has received many top global rankings. It is one of the first Asian business schools accredited by both AACSB and EQUIS. The School strives to contribute to the economic and social advancement of the region by developing future leaders who possess an innovative and entrepreneurial spirit as well as a strong sense of responsibility. We also take active steps to promote knowledge advancement in many significant business areas. For more information, please visit www.bm.ust.hk . About Fintech Research Project The Fintech Research Project is funded by the Research Grants Council (RGC) under the Theme-based Research Scheme 2018-19, titled “Contributing to the Development of Hong Kong into a Global Fintech Hub”. The project aims to provide a roadmap for transforming Hong Kong into a global fintech hub through the delivery of policy recommendations, scholarly contributions, and industrial impact. A team of researchers from HKUST and other universities with expertise spanning finance, information systems, statistics, computer science, accounting, and economics are tackling eight major research tasks that cover blockchain, cybersecurity, risk preference, robo-advising, artificial intelligence / machine learning, systemic risk, financial innovation policy, and manpower development. © February 2022 HKUST Business School, The Hong Kong University of Science and Technology All Rights Reserved.