Cyber Resilience Assessment Framework (C-RAF) 2.0
The Hong Kong Monetary Authority (the "HKMA") released the Cyber Resilience Assessment Framework (C-RAF) 2.0 in November 2020. The C-RAF is a risk-based framework for Authorized Institutions ("AIs") to assess their own risk profiles and benchmark the level of defence and resilience that would be required to accord appropriate protection against cyberattacks.
Banks will need to begin their implementation efforts now – please refer to the below timetable for details. We are here to help.
Inherent Risk Assessment
The inherent risk assessment comprises five categories. Its result reflects each AI's cybersecurity threat level and determines the AI's cyber risk exposure and the cybersecurity controls it is required to have in place.
Maturity Assessment
The maturity assessment covers seven key domains, which are designed to provide a comprehensive review of the entire operating environment, and places emphasis on a sound governance framework.
Intelligence-led Cyber Attack Simulation Testing ("iCAST")
The HKMA has drawn on overseas practices and regulations in enhancing the iCAST approach. AIs that aim to attain the "intermediate" or "advanced" maturity level are required to conduct the iCAST exercise.