Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework
INHERENT RISK AND MATURITY

risk against how well they can minimize or mitigate losses arising from potential cybersecurity-related incidents. For riskier AIs, we wish to see a higher score in “Response and Recovery”, which signals that they could respond better to their cybersecurity flaws or vulnerabilities. Otherwise, reacting inappropriately to cybersecurity incidents could deepen losses.

[Exhibit 52] Group C scatterplots – All inherent risk domains versus the “Response and Recovery” maturity domain
(Figure: Group C - All Five Inherent Risk Domains versus Response and Recovery Maturity Domain. Five panels plot the Response and Recovery maturity score against each inherent risk domain: Technologies; Products and Technology Services; Delivery Channels; Organizational Characteristics; Tracked Records on Cyber Threats. Legend: Maximum Maturity Score, Baseline + Intermediate, Baseline, Low Risk Average, Medium Risk Average, High Risk Average.)

The Group C plots (Exhibit 52) reveal that high-risk AIs have met all controls on post-event risk mitigation, while most other AIs have failed to do so. This is an interesting observation, as high-risk AIs experience the same or lower risk in “Delivery Channel”, “Products and Technology Services”, and “Tracked Records on Cyber Threats” compared to medium-risk AIs. It appears that the main motivation for such increased controls could be largely driven by their higher technology- and organizational-characteristics-related risks.

INHERENT RISK AND MATURITY ANALYSIS SUMMARY

As mentioned at the beginning of this report, the C-RAF framework is unique because it offers an assessment framework tailored to each AI’s cybersecurity risk level. In this section, we have investigated the connection and correlation between the two self-assessment exercises.
One of the main findings in this section is a positive relationship between the AIs’ inherent risk score and their maturity. We also found that the underperformance of low- and medium-risk AIs appears to be a group-wide phenomenon, where most low- and medium-risk AIs have failed to meet the required maturity level in each of the seven maturity domains. To better understand whether the AIs have put sufficient resources into addressing the various risks they face, we then took three different perspectives in examining the AIs’ risk and maturity in more detail. The three groups of additional scatterplots demonstrate the relationship from (1) the traditional cybersecurity measurement perspective, (2) an organizational planning and characteristics view, and (3) a response and recovery perspective. Essentially, under the three groupings, we found that high-risk AIs are more mature than medium-risk AIs in many of the maturity control domains, despite the medium-risk AIs having better track records regarding their cybersecurity threats and an equal or lower risk in many inherent risk domains.