Cyber Resilience Assessment Framework (C-RAF) 2.0

The Hong Kong Monetary Authority (the "HKMA") released the Cyber Resilience Assessment Framework (C-RAF) 2.0 in November 2020. The C-RAF is a risk-based framework for Authorized Institutions ("AIs") to assess their own risk profiles and benchmark the level of defence and resilience that would be required to accord appropriate protection against cyberattacks.

Banks will need to begin their implementation efforts now; please refer to the timetable below for details. We are here to help.

Inherent Risk Assessment

The inherent risk assessment comprises five categories. The result of the inherent risk assessment will reflect the AI's cybersecurity threat level and determine its cyber risk exposure and the cybersecurity controls required.

Maturity Assessment

The maturity assessment covers seven key domains which are designed to provide a comprehensive review of the entire operating environment, and places emphasis on a sound governance framework.

Intelligence-led Cyber Attack Simulation Testing ("iCAST")

The HKMA has made reference to overseas practices and regulations in enhancing the iCAST approaches. AIs which aim to attain "intermediate" or "advanced" maturity level are required to conduct the iCAST exercise.

Download the flyer for details.

Contact Us

Yat Man CHAN
Partner, Risk Advisory
Tel: 852 2238 7268

Luke MA
Partner, Risk Advisory
Tel: 852 2852 1086
