Cyber Resilience Assessment Framework (CRAF): risk-based approach for banks to assess, and 2. IT security guidance for Hong Kong Monetary Authority, Avanade. First, a central element of the CFI is a Cyber Resilience Assessment Framework, which seeks to establish a common risk-based framework. Cyber resilience ensures that system recovery occurs by considering interconnected hardware, software and sensing components of cyber. In response to the latest cyber threats, HKMA published a circular in September 2015 highlighting the growing importance of cybersecurity. Cyber resilience, cyber vigilance, cyber security, cyber strategy. Foreword. Next: Deloitte's own cyber strategy framework. The next page contains details on the framework. Cyber strategy, transformation, and assessment. Key differentiators: the Deloitte cyber strategy framework measures cyber. The CFI, announced by the HKMA in May 2016, consists of three pillars, namely (i) the Cyber Resilience Assessment Framework (CRAF). We discussed with trustees international principles and guidelines on cybersecurity. The HKMA said it had told all major retail banks, some selected global banks and a few smaller local banks that they would be the first to complete the CRAF assessment.
Around 30 banks in Hong Kong have been told by the Hong Kong Monetary Authority (HKMA) to complete a cyber resilience assessment before the end of September next year. We are pleased to announce the availability of our Hong Kong Monetary Authority (HKMA) Cyber Fortification Initiative (CFI) Cyber Resilience Assessment Framework (CRAF) tool. Launch of the Cybersecurity Fortification Initiative by. Cyber Resilience Assessment Framework (CRAF) under the Cybersecurity Fortification Initiative (CFI).
Cyber resiliency and the Risk Management Framework (RMF) are two broad constructs, which at first glance appear to be orthogonal. Org provide this first assessment of observed cyber resilience practices at authorities and firms. This tool is designed to simplify life for Hong Kong financial institutions mandated to complete the CRAF assessment. The Hong Kong Monetary Authority (HKMA) finalized and announced the implementation details of the Cybersecurity Fortification Initiative (CFI) on 21 December 2016. The CFI, announced by the HKMA in May 2016, consists of three pillars, namely (i) the Cyber Resilience Assessment Framework.
Inherent risk profile: part one of the assessment identifies the institution's inherent risk. It is intended to be used either by the responsible organisation itself. Governments, organizations and individuals must all play their part in building an ecosystem that is resilient to cyber threats. Chan, Chief Executive, Hong Kong Monetary Authority. Cybersecurity Fortification Initiative, KPMG International. Major Hong Kong banks to complete cyber defence evaluation. The HKMA will issue a formal circular next week to all banks setting out that it is a supervisory requirement for them to implement the CFI. Certified Cyber Attack Simulation Professional (CCASP). Regulatory requirement IA, SFC and PCPD with some HKMA and. Cyber Resilience Assessment Framework (CRAF): inherent risk assessment (low, medium, high), an assessment on AI's overall cyber risk exposures based on defined criteria measurements that reflects the values, types, volumes and complexity of its business operations; cyber maturity assessment (baseline, intermediate, advanced), a comprehensive control assessment program defining the.
The CFI is an initiative on which the HKMA has been working to strengthen cyber resilience i. FFIEC Cybersecurity Assessment Tool User's Guide, May 2017, Part One. No g020 project no 05msr160jt. The views, opinions and/or findings contained in this report are those of The MITRE Corporation and should not be construed as an official government position. PDF: cyber resilience fundamentals for a definition. Deloitte's cyber risk capabilities: cyber strategy, secure. It is based on the recommendation of SEBI's High Powered Steering Committee where it was decided that the framework prescribed vide SEBI circular cirmrddp2015 dated July 06, 2015 on cyber security and cyber resilience. Cybersecurity Summit 2016: the cyber resilience assessment. The Cyber Resilience Assessment Framework (PDF file, 330. Cybersecurity Fortification Initiative (CFI): Cyber Resilience Assessment Framework (CRAF), launched in Dec 2016; establish a common risk assessment framework for banks; offer training and certifications in cybersecurity; facilitate sharing of cyber threat intelligence; Professional Development Programme (PDP); cyber. Communicate a deeper understanding of the Cybersecurity Fortification Initiative and its elements. Enhance security architecture to guard against advanced cyberattacks.
Inherent risk assessment (low, medium, high): an assessment on AI's overall cyber risk exposures. HKMA cyber resilience assessment lead assessor course. Launch of Cybersecurity Fortification Initiative by HKMA. The following is a summary of the requirements under the October 27, 2017 guidelines for reducing and mitigating hacking risks associated with internet trading published by the Hong Kong Securities and. The CFI features the common core competences required of cybersecurity. Lead or be a project team member on an HKMA CFI CRAF assessment.
Under the HKMA Cyber Resilience Assessment Framework, banks which aim to attain the intermediate or advanced maturity level are required to conduct iCAST. The focus of the circular is on cyber security and cyber resilience. Cyber Resiliency Engineering Framework, MITRE Corporation. Concurrently the HKMA will conduct a three-month consultation with the banking industry on the proposed Cyber Resilience Assessment Framework.
Hong Kong Monetary Authority Cybersecurity Fortification. Cyber Resilience Assessment Framework: the HKMA has taken into account the industry's comments received during the consultation in the finalisation of Cyber Resilience Assessment Framework c. See Annexure A for an example of a cyber risk assessment framework. But when advanced cyber threats are considered, cyber. Cyber resilience oversight guidelines for the Arab countries. Cybersecurity Fortification Initiative flyer, Moore Stephens.
A central element of the CFI is the Cyber Resilience Assessment Framework, which seeks to establish a common risk-based framework for banks to assess their own risk profiles and determine the level of defence and resilience required. A proven cost effective and repeatable approach to c. Embracing the new HKMA Cyber Fortification Initiative (CFI), Deloitte. As cyber threats are a continual threat to organizations, it may be useful to consider. The Scottish Public Sector Action Plan on Cyber Resilience set out a commitment to develop a public sector cyber resilience framework. Cyber resiliency assessments are intended to identify where, how, and when cyber resiliency techniques can be applied to improve architectural resiliency against advanced cyber threats. The Resilience, Adaptation and Transformation Assessment. Security and resilience framework for mutual funds and AMCs. Update on Enhanced Competency Framework on Cybersecurity.
Hong Kong will focus on cybersecurity in 2019, OpenGov Asia. The CFI is a new, comprehensive initiative which aims to raise the level of cybersecurity of banks in Hong Kong through a three-pronged approach. IT security guidance for Hong Kong Monetary Authority (HKMA). May 24, 2016: The first pillar of the initiative is to establish a Cyber Resilience Assessment Framework (the assessment framework). Cyber security lessons from Hong Kong by Stephen Scharf, DTCC Chief Security Officer. [Figure: Cyber Resilience Assessment Framework (CRAF): 1st, inherent risk assessment; 2nd, maturity assessment; 3rd, intelligence-led cyber attack simulation testing (iCAST).] Check out the Cybersecurity Framework international resources, NIST. To further enhance the cyber resilience of the banking sector in Hong Kong, the Hong Kong Monetary Authority (HKMA) announced today the launch of a Cybersecurity Fortification Initiative (CFI) at the cyber.
Oct 02, 2018: We also reminded trustees to set cybersecurity strategies and urged them to conduct regular self-assessment and testing on cyber resilience for withstanding and recovering from disruption caused by cyber attacks. Embracing the new HKMA Cyber Fortification Initiative (CFI). Influence of the NIST Cybersecurity Framework on Hong Kong. Is the Hong Kong Monetary Authority's (HKMA) cyber resilience. RBI guidelines for cyber security framework: in a race to adopt technology innovations, banks have increased their exposure to cyber incidents/attacks, thereby underlining the urgent need to put in place a robust cyber security and resilience framework. Cybersecurity Fortification Initiative (CFI): Cyber Resilience Assessment Framework (CRAF), launched in Dec 2016; establish a common risk assessment framework for banks; offer training and certifications in cybersecurity; facilitate sharing of cyber threat intelligence; Professional Development Programme (PDP); cyber intelligence. It targets all the authorized institutions (AIs), in other words the banks of Hong Kong. The Cybersecurity Fortification Initiative was announced by the HKMA in May 2016 and consists of three pillars. Under the PDP, the HKMA is working with Hong Kong Institute of Bankers. The CAF, a tool for assessing cyber resilience: the Cyber Assessment Framework (CAF) provides a systematic and comprehensive approach to assessing the extent to which cyber risks to essential functions are being managed by the organisation responsible.
Hong Kong Monetary Authority launch of the cybersecurity. In response to the latest cyber threats, HKMA published a. Under the HKMA Cyber Resilience Assessment Framework. Cybersecurity: with growing concern over cybersecurity issues, we shared views with Hong Kong Monetary Authority (HKMA) and briefed trustees on the importance of cybersecurity risk management. The CFI program consists of three key pillars aiming to improve the cyber resilience. The CAF, a tool for assessing cyber resilience: the Cyber Assessment Framework (CAF) provides a systematic and comprehensive approach to assessing the extent to which cyber risks to essential. Major Hong Kong banks to complete cyber defence evaluation by.
The inherent risk profile identifies activities, services, and products organized in the following categories. Question set with guidance: self-assessment question set along with accompanying guidance. The Hong Kong Monetary Authority (HKMA) announced the launch of the Cybersecurity Fortification Initiative (CFI), a new scheme designed to enhance the resilience of Hong Kong banks to cyber attacks. Regulatory approaches to enhance banks' cybersecurity frameworks. A central element of the CFI is the Cyber Resilience Assessment Framework, which seeks to establish a common risk-based framework for banks to assess their own risk profiles and determine the level of defence and resilience. IT security guidance for Hong Kong Monetary Authority. The Hong Kong Monetary Authority (HKMA) recently announced the launch of the Cybersecurity Fortification Initiative (CFI), a new scheme designed to enhance the resilience of Hong Kong banks to cyber attacks.
The Hong Kong Monetary Authority (HKMA), governed by the Exchange Fund Ordinance and the Banking Ordinance of Hong Kong, is responsible for maintaining monetary and banking stability. Cyber Resilience Assessment Framework (CRAF): risk based. Cyber resilience oversight guidelines for the Arab. Communicate in detail the components of the Cyber Resilience Assessment Framework (CRAF). Mar 31, 2017: Is the Hong Kong Monetary Authority's (HKMA) Cyber Resilience Assessment Framework (CRAF) only relevant for banks? The initiative is intended to raise the level of cyber security through a three-pronged approach, the HKMA said. The new cybersecurity initiative is underpinned by a well-structured assessment framework for assessing banks' inherent risks, assessing banks' maturity levels, and helping banks reach the appropriate maturity level of cyber resilience. Industry consultation on the assessment framework will start next week. In December 2016, the Hong Kong Monetary Authority (HKMA) announced the implementation details of. Cyber resilience should be considered in the context of complex systems that comprise not only physical and information but also cognitive and social domains (Smith, 2005).
Cyber Resilience Assessment Framework (CRAF): risk-based approach for. Regulatory approaches to enhance banks' cybersecurity. Does the organisation have a map of evolution that describes its cyber resilience journey? It is a voluntary examination of operational resilience and cyber security practices offered at no cost by DHS to the operators of critical infrastructure and state, local, tribal, and territorial governments. Be able to develop/further develop an HKMA CFI CRAF assessment tool. The CFI features the common core competences required of cybersecurity practitioners in the Hong Kong banking industry. Benchmark resilience against cybersecurity attacks.
Cyber resilience, the ability to recover fully from any cyber disaster, has many moving parts. Cyber Resilience Assessment Framework: the HKMA has taken into account the industry's comments received during the consultation in the finalisation of Cyber Resilience Assessment Framework (CRAF) and also having regard to experience from other jurisdictions, the HKMA has announced that it will adopt a phased approach to. This document presents a general process for architectural assessment. Hong Kong launches a cybersecurity program for its banking. The objective of this report is to identify, describe and compare the range of observed bank, regulatory. Has management developed a cyber risk matrix, and is cyber risk integrated into the overall risk assessment and management process? Cybersecurity Fortification Initiative (PDF file, 85. With the aim to further enhance the cyber resilience of the banking sector in Hong Kong, the Hong Kong Monetary Authority (HKMA) has announced the Cybersecurity Fortification Initiative (CFI) in May 2016. The CFI program consists of three key pillars aiming to improve the cyber resilience of authorized institutions (AI). The Hong Kong Monetary Authority (HKMA) is the government authority in Hong. The Cyber Resilience Assessment Framework, Hong Kong. The inherent risk rating is mapped to its respective maturity level of cyber resilience as expected by the HKMA. Regulatory requirement IA, SFC and PCPD with some HKMA. This framework meets the requirements of the World Economic Forum and is designed to be flexible enough to be able to evolve with the ever-changing nature of this field.
The process can be applied to an operational or as-is architecture, to identify first steps or quick wins for improving resilience against. Cyber Fortification Initiative (CFI): to further strengthen the cyber resilience of banks in Hong Kong, the Hong Kong Monetary Authority (HKMA) announced the launch of the Cyber Fortification Initiative (CFI) in May 2016, which comprises three components. Our ref b115c, 12 June 2018, The Chief Executive, All. This is a risk-based framework for AIs to assess their inherent risk profile and benchmark the level of defence and resilience. CRAF is a three-part assessment instrument that helps AIs evaluate cyber resilience.