Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework
effective in improving the AI's cybersecurity measures would be to (1) identify how much of the improvement the AI claimed to make in security has actually been implemented, or (2) compare the cybersecurity incidents before and after participating in the C-RAF exercise.

C-RAF AND REAL-LIFE MEASURES: SUMMARY

To verify whether the Maturity Assessment reflects the AI's actual maturity practice, we conducted studies on the relationship between the Maturity Assessment results and the AI's SSL certificate implementation status. While the use of SSL certificates is only a small part of the cybersecurity measures the AIs ought to take, we found that the Maturity Assessment risk scores and the "Protection" domain show a mild but statistically significant positive relationship with the SSL certificate adoption rate. When we checked whether the maturity results are related to the use of suboptimal SSL certificates, we found that the Maturity Assessment results do not reflect this properly. However, we believe the Maturity Assessment survey has served well as a checklist and tool to help AIs identify gaps in their security measures.

Lastly, we conducted a time-series analysis of the AIs' change in the adoption of SSL certificates. We hypothesized that the C-RAF exercise positively influences the AIs to adopt more cybersecurity measures. While we did not find evidence supporting our hypothesis, we found that the AIs had progressively improved their adoption rate before the implementation of C-RAF, which might have limited the impact the C-RAF could bring. Indeed, the impact of the C-RAF exercise could have been more on the bigger picture, driving the AIs to implement more rigorous and robust policies and measures. A better gauge of its impact would be to examine the additional measures the AIs take or the change in their cybersecurity incidents after their participation.
CONCLUSION

Self-assessment is commonly adopted in cybersecurity risk management. The C-RAF is a thoughtful self-assessment framework that combines risk assessment with control measure assessment to help AIs in the financial industry evaluate their risks and address the gaps in their protection. This research synthesizes the survey findings from 22 AIs to provide a holistic view of the cybersecurity status of the Hong Kong financial industry. It provides an informative benchmark for AIs and for organizations in other industries about the state of cybersecurity, and raises public awareness of the importance of addressing cybersecurity gaps.

APPENDIX 1: INHERENT RISK SUB-DOMAIN MAPPING

Technologies risk indicators

| Network risks | Third-party risks | Internal risks |
| ISP connections | Non-corporate devices (2) | Internally hosted and in-house developed applications |
| Unsecured external connections | Third-party access to internal systems (2) | Internally hosted vendor-developed applications |
| Wireless network access | Wholesale devices | User developed technologies |
| Network devices (e.g., routers and firewalls) | Individuals and/or third-party service providers supporting critical activities | End-of-life systems |
| | Cloud computing services hosted externally to support critical activities (2) | Open-source software |

Delivery Channels risk indicators

| Internet presence |
| Mobile presence |
| Social media presence |
| ATM |

Products and Technology Services risk indicators

| Payment card risks | Fund transfer risks | Client services |
| Issue debit or credit cards | P2P | Treasury services and clients (2) |
| Prepaid cards | Wire transfers (2) | Trust services |
| Merchant acquirer (2) | Global remittance | Securities trading |
| | Act as a correspondent bank | |