Embracing the New HKMA Cyber Fortification Initiative (CFI)

Time to put cybersecurity in action

Three pillars to uplift Cyber Resilience

The Hong Kong Monetary Authority (HKMA) finalized and announced the implementation details of the Cybersecurity Fortification Initiative (CFI) on 21 December 2016. The CFI program consists of three key pillars aiming to improve the cyber resilience of Authorized Institutions (AI):

Cyber Resilience Assessment Framework

Inherent Risk Assessment (Low / Medium / High) – an assessment on AI’s overall cyber risk exposures based on defined criteria measurements that reflects the values, types, volumes and complexity of its business operations
Cyber Maturity Assessment (Baseline / Intermediate / Advanced) – a comprehensive control assessment program defining the targeted control requirements for different maturity levels with 7 key cyber domains

The AI is required to determine the targeted cyber maturity state/status based on the inherent risk assessment result and conduct the maturity assessment. Based on the gaps identified, the AI is expected to analyze, summarize and prioritize their improvement actions through a roadmap
Intelligence-led Cyber Attack Simulation Testing (iCAST)
An end-to-end cyber-attack simulation testing framework aiming to evaluate AI’s capability to identify and respond to cyber-attacks based on intelligence-led cyber-attack scenarios
[For Medium and High risk institutions only]

Professional Development Programme (PDP)

Vocational training and certification programme – An program developed in partnership with the Hong Kong Institute of Bankers (HKIB) aiming to increase the supply of qualified cybersecurity professionals in Hong Kong.

Cyber Intelligence Sharing Platform (CISP)

A new element of financial market infrastructure is developed in partnership with the Hong Kong Association of Banks (HKAB) to allow inter-bank sharing of cyber threat intelligence in order to enhance collaboration and systemic resilience.


Knowing where you are in the C-RAF assessment implementation

Taking into consideration resources availability and overseas experience, the HKMA had adopted a phased approach to implement the C-RAF assessments where around 30 AIs (i.e. all major retail banks, selected global banks and smaller AIs) were selected for the first phase rollout to complete the Cyber Inherent Risk Assessment and maturity assessment by September 2017 and iCAST by June 2018 (if applicable).

C-RAF assessment components

First Phase

2nd Phase

Inherent Risk Assessment

By September 2017

By December 2018

Maturity Assessment

By September 2017

By December 2018


By June 2018

To be determined by HKMA


How Deloitte helps you put cybersecurity into action

Deloitte offers end-to-end cyber security services to support your C-RAF implementation journey from conducting the assessment to developing a roadmap and implementing the solution:

Click to enlarge image

Why Deloitte?

The Deloitte Difference

Leaders in Information and Cyber Security

We have more than 3600 dedicated cyber professionals operating in 46 countries. In 2016, we took up around 2500 cyber projects globally. With a client base including 223 of the Fortune 500 companies and 163 governments, we can bring in fresh insight from your industry and make a difference with our methodologies.

Strong capabilities on cyber intelligence

We have over 20 Cyber Intelligence and Operations Centers around the world, integrating state-of-the-art technology with industry insights to provide you with round-the-clock business-focused operational security. With 24x7 coverage and professional threat contextualization, you will be able to determine the risks to your business and stakeholders, swiftly and effectively mitigate them and strengthen your cyber resilience.

Cyber Security Certification and Achievements

We are committed in delivering a team that has the right knowledge, skills and experience to provide an exceptional level of service. Deloitte is CREST & CBEST Certified and actively participated in the NATO Locked Shields exercise as offensive red team. Our Netherlands team is also the reigning world champion (2016) of the Global CyberLympics, in which it emerged as winner for five times.

Maximize value for money for a tailored solution

We recognize that every organization is unique and requires a tailor-made solution. You can choose any combination of our services; feel free to contact us should you have any enquiries.

Did you find this useful?