Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework
INHERENT RISK AND MATURITY

[ Exhibit 50 ] Group A scatterplots – “Tracked Records on Cyber Threats” risk score versus four traditional maturity domains

[Figure: Group A (2) - Tracked Records on Cyber Threats Risk Score versus Four Traditional Maturity Domains. Axis labels: Identification, Protection, Detection, Response and Recovery; Technologies Risk Score. Legend: Maximum Maturity Score, Baseline + Intermediate, Baseline, Low Risk Average, Medium Risk Average, High Risk Average.]

[ Exhibit 51 ] Group B scatterplots – “Products and Technology Services” and “Organizational Characteristics” versus “Governance” and “Situational Awareness”

[Figure: Group B (1) - Products and Technology Services versus Governance and Situational Awareness; Group B (2) - Organizational Characteristics versus Governance and Situational Awareness. Legend: Maximum Maturity Score, Baseline + Intermediate, Baseline, Low Risk Average, Medium Risk Average, High Risk Average.]

By examining Exhibits 49 and 50, we see that the overall trend persists, where high-risk AIs often perform better in the various maturity domains. Interestingly, we also observe that, on average, high-risk AIs are more mature compared to medium-risk AIs under the four traditional maturity control domains, despite having better track records in terms of their cybersecurity threats. The above finding reinforces that AIs facing low risk in certain areas are not excused from implementing the appropriate measures, and likely indicates that AIs could see lower cyber threat levels as they implement tougher security measures.
Next, we take an organization and governance perspective by plotting the AIs’ “Products and Technology Services” risk and “Organizational Characteristics” against their maturity level in “Governance” and “Situational Awareness.” This grouping allows us to identify gaps between the AIs’ risk induced from organizational planning and the measures taken at an organizational management level. By examining the Group B plots, we noticed that while high- and medium-risk AIs have the same average score under the “Products and Technology Services” risk domain, they have adopted more controls in the “Governance” and “Situational Awareness” maturity domains, both in terms of the total number of required controls and percentage of controls.

Meanwhile, results in the two bottom charts with “Organizational Characteristics” are mostly in line with our expectations. The number of controls adopted was mostly consistent within each group, with a few medium- and low-risk AIs failing to meet their targets. Nevertheless, it also allows us to identify that some medium- and low-risk AIs have adopted a high number of required controls despite a low “Organizational Characteristics” risk score.

We have plotted a final set of charts on all the five domains of the AIs and the “Response and Recovery” maturity domain. This grouping shows the performance of the AIs in terms of their

[Figure: Group B (2) panels. Axis labels: Governance, Situational Awareness; Organizational Characteristics.]