2018-06-12
Added · Updated
The Hong Kong Monetary Authority issues this letter to outline the phased implementation schedule for the Cyber Resilience Assessment Framework among Authorized Institutions. It establishes a second phase for 60 higher-risk institutions and a third phase for the remaining 90 institutions, while also accepting qualified professionals without specific PDP certification to conduct assessments. The regulator further mandates that institutions address identified control gaps and maintain robust governance to ensure ongoing cybersecurity effectiveness.
Our Ref.: B1/15C B9/29C 12 June 2018 The Chief Executive All Authorized Institutions (AIs) Dear Sir/Madam, Implementation of Cyber Resilience Assessment Framework I am writing to provide you with additional information about the implementation of the Cyber Resilience Assessment Framework (C-RAF) under the Cybersecurity Fortification Initiative (CFI). The Hong Kong Monetary Authority (HKMA) launched the first phase of the C-RAF implementation in December 2016. 30 authorized institutions (AIs) including all the major retail banks were requested to complete the C-RAF Inherent Risk Assessment and Maturity Assessment by end-September 2017 and the Intelligence-led Cyber Attack Simulation Testing (iCAST) by end-June 2018. The HKMA has recently sought the feedback of the industry regarding the experience in undertaking the C-RAF assessments. While AIs generally consider the exercise to be very useful in raising the level of their cyber resilience, there is a practical concern regarding whether there will be a sufficient supply of qualified C-RAF assessors if all the remaining AIs are asked to undertake the C-RAF Inherent Risk Assessment and Maturity Assessment at the same time. The industry proposes that priority to undertake the C-RAF assessments be given to AIs assessed to be of “High” or “Medium” inherent risk. Taking into account the industry’s feedback, the HKMA considers it appropriate to implement the C-RAF by two more phases as follows: (i) Second phase – This phase will cover 60 AIs with a relatively higher inherent risk or a larger scale of operation among the remaining AIs not covered in the first phase. These AIs will be notified by the HKMA individually. The expected timeline for these AIs to complete the C-RAF assessments is set out below:
Inherent Risk Assessment and Maturity Assessment End-December 2018 iCAST (applicable for AIs with a “High” or “Medium” inherent risk level) End-September 2019 (ii) Third phase – This phase will cover all the remaining AIs (around 90 AIs) to be notified by the HKMA individually. They will be expected to complete the CRAF Inherent Risk Assessment and Maturity Assessment by end-September 2019, and iCAST (if applicable) by mid-2020. For newly authorized AIs, the HKMA will inform them of the timeline within which they should complete the C-RAF assessments. At the time of rolling out the first phase of C-RAF implementation, the HKMA, on the advice of an industry expert group, adopted a list of professional qualifications which were considered to be equivalent to the certifications provided under the Professional Development Programme (PDP) of the CFI. We understand from the industry that there are professionals who have the required expertise and are highly experienced in performing cybersecurity maturity assessments or cyber attack simulation tests, but do not currently possess the corresponding PDP certification or an equivalent qualification specified in the list. The HKMA is prepared to accept the appointment of these qualified professionals by AIs to perform the C-RAF Inherent Risk Assessment, the Maturity Assessment or the iCAST, provided that a careful assessment of their expertise and experience is performed and the assessment result is properly documented. The list of equivalent qualifications will be reviewed in due course. Taking this opportunity, we would like to remind those AIs which have completed the C-RAF assessments to devote adequate management attention and resources to rectifying all the control gaps identified in the C-RAF assessments. They should put in place proper governance arrangements and processes to monitor the implementation process closely and keep their board of directors and senior management informed. They are also expected to evaluate the ongoing adequacy and effectiveness of their cybersecurity controls, having regard to the C-RAF and the latest cyber risk landscape. Should you have any questions regarding the implementation schedule of the C-RAF and the above-mentioned matters, please feel free to contact Mr Alvin Li on 2878-1458 or Ms Kerrie Chan on 2878-1426. Yours faithfully, Raymond Chan Executive Director (Banking Supervision)