Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework
EXECUTIVE SUMMARY

The Hong Kong Monetary Authority (HKMA) developed the Cybersecurity Fortification Initiative (CFI) to strengthen the cyber resilience of authorized institutions (AIs) in Hong Kong. One of the CFI's components is the Cyber Resilience Assessment Framework (C-RAF). Between January 2019 and June 2021, we compiled a detailed list of C-RAF measures, surveyed 22 AIs and collected public data on the participating banks. We then used several models of analysis to study the effectiveness of the C-RAF and the banks' cybersecurity performance relative to industry peers.

Through the survey of the participating AIs, we assessed the two processes of the C-RAF: Inherent Risk Assessment (IRA) and Maturity Assessment (MA). In the IRA process, AIs performed a self-assessment under five domains to reflect their cybersecurity threat level, which is mapped to the maturity level of cyber resilience expected of them. In the MA process, they assessed cybersecurity controls under seven domains to determine their actual maturity level.

I. KEY FINDINGS OF INHERENT RISK ASSESSMENT (IRA)

The surveyed AIs selected the most appropriate inherent risk level (Low, Medium or High) for each risk indicator in the five domains of IRA: Technologies, Delivery Channels, Products and Technology Services, Organizational Characteristics and Tracked Records on Cyber Threats. An AI's overall risk level is the level selected most often across its indicators.

The largest share of AIs (45%) fall into the Low inherent risk level, implying that they tend to face lower cybersecurity risk. At the other end, 14% of the surveyed AIs are identified as High-risk AIs, the class with the highest risk exposure. To better understand how an AI's risk profile correlates with its business operations, and what drives its cyber risk, we conducted detailed analyses from several dimensions.
Inherent Risk Score

We calculated a risk score for each AI by converting its survey responses to values on an ordinal scale and summing them. Our observations:

1. The Technologies domain contributes the biggest difference between High- and Medium-risk AIs.
2. The Products and Technology Services domain shows the largest gap between Low- and Medium-risk AIs.
3. As indicated by the Tracked Records on Cyber Threats domain, the inherent risk related to past cyberattacks is similar for AIs at all three risk levels.

Percentage Risk Score

Because the number of risk indicators in each domain is not the same, a raw score favours domains with more indicators. We therefore also used a percentage risk score, which gives a standardised view of risk propensity that is independent of the number of indicators in a domain. Our observations:

1. The Technologies domain still has the most noticeable gap between High- and Medium-risk AIs.
2. The Delivery Channels domain appears to pose the highest inherent risk to both High- and Medium-risk AIs. For each class, it is about 15 percentage points above the second riskiest domain.
3. Low-risk AIs do not appear to be exposed to the risk posed by the Delivery Channels domain. For them, Organizational Characteristics is the most prominent risk.

[Figure: Inherent Risk Assessment - Risk Score Comparison by Domain (Low, Medium, High), for the domains Technologies, Delivery Channels, Products and Technology Services, Organizational Characteristics, Tracked Records on Cyber Threats]

[Figure: Inherent Risk Assessment - Percentage Risk Score by Risk Class by Domain (High, Medium, Low), same five domains]
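The three computations above (the overall level as the most common indicator rating, the raw risk score from an ordinal conversion, and the percentage risk score that normalises away the number of indicators per domain) can be reproduced on a single institution's responses. The following Python is an added worked example written for this page, not code from the HKMA or from the study. The report does not print the ordinal values it used or its normalisation formula, so the mapping Low=1, Medium=2, High=3, the definition of the percentage score as a share of the domain's maximum possible score, and the tie-break rule for the overall level are assumptions; the sample responses are constructed, and the indicator counts per domain are invented to show why the two scores can rank domains differently.

```python
from collections import Counter
from typing import Dict, List

# Assumption: ordinal values for the three inherent risk levels.
LEVEL_SCORE = {"Low": 1, "Medium": 2, "High": 3}
LEVEL_ORDER = ["Low", "Medium", "High"]

# The five IRA domains named in the report.
IRA_DOMAINS = [
    "Technologies",
    "Delivery Channels",
    "Products and Technology Services",
    "Organizational Characteristics",
    "Tracked Records on Cyber Threats",
]

# Constructed sample: one institution's per-indicator ratings, with a
# different (invented) number of indicators in each domain.
SAMPLE_AI: Dict[str, List[str]] = {
    "Technologies": ["High", "High", "Medium", "Low", "Medium", "High"],
    "Delivery Channels": ["High", "High", "Medium"],
    "Products and Technology Services": ["Medium", "Low", "Medium", "Low"],
    "Organizational Characteristics": ["Low", "Medium", "Low"],
    "Tracked Records on Cyber Threats": ["Low", "Low"],
}


def _validate(responses: Dict[str, List[str]]) -> None:
    """Reject unknown domains or ratings before any arithmetic is done."""
    for domain, levels in responses.items():
        if domain not in IRA_DOMAINS and not domain.startswith("X"):
            raise ValueError(f"unknown IRA domain: {domain!r}")
        bad = [lvl for lvl in levels if lvl not in LEVEL_SCORE]
        if bad:
            raise ValueError(f"unknown rating(s) in {domain!r}: {bad}")


def overall_risk_level(responses: Dict[str, List[str]]) -> str:
    """Overall inherent risk level: the rating chosen most often across all indicators.

    Tie-break (assumption, not stated in the report): the higher level wins,
    so a tie never understates the institution's exposure.
    """
    _validate(responses)
    counts = Counter(lvl for levels in responses.values() for lvl in levels)
    if not counts:
        raise ValueError("no indicator responses supplied")
    top = max(counts.values())
    tied = [lvl for lvl, n in counts.items() if n == top]
    return max(tied, key=LEVEL_ORDER.index)


def domain_risk_scores(responses: Dict[str, List[str]]) -> Dict[str, int]:
    """Raw risk score per domain: sum of the ordinal values of its indicators."""
    _validate(responses)
    return {d: sum(LEVEL_SCORE[lvl] for lvl in levels) for d, levels in responses.items()}


def domain_percentage_scores(responses: Dict[str, List[str]]) -> Dict[str, float]:
    """Percentage risk score per domain (assumed normalisation): raw score as a
    percentage of the score the domain would reach if every indicator were High.
    This removes the effect of domains simply having more indicators."""
    _validate(responses)
    out: Dict[str, float] = {}
    for d, levels in responses.items():
        max_score = len(levels) * LEVEL_SCORE["High"]
        raw = sum(LEVEL_SCORE[lvl] for lvl in levels)
        out[d] = 100.0 * raw / max_score if max_score else 0.0
    return out


def riskiest_domain(scores: Dict[str, float]) -> str:
    """Domain with the highest score; ties resolve to the first in IRA_DOMAINS order."""
    return max(scores, key=lambda d: (scores[d], -IRA_DOMAINS.index(d) if d in IRA_DOMAINS else 0))


if __name__ == "__main__":
    print("overall level:", overall_risk_level(SAMPLE_AI))
    print("raw scores:", domain_risk_scores(SAMPLE_AI))
    print("percentage scores:", {d: round(v, 1) for d, v in domain_percentage_scores(SAMPLE_AI).items()})
    print("riskiest by raw score:", riskiest_domain(domain_risk_scores(SAMPLE_AI)))
    print("riskiest by percentage:", riskiest_domain(domain_percentage_scores(SAMPLE_AI)))
```

On the constructed sample the raw score ranks Technologies first (six indicators, total 14) while the percentage score ranks Delivery Channels first (three indicators, 8 of a possible 9, about 88.9%). That is exactly the distortion the percentage score is meant to remove: a domain with more indicators accumulates a higher raw total even when, indicator for indicator, another domain is rated riskier. Note also that the overall level of this sample is Low although two domains are dominated by High ratings, because the overall level is driven by the count of ratings, not by their weight.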