In HKMA’s Cyber Fortification Initiative (CFI) – Part 1, I commented that there is NO urgent need for, and that it is inappropriate for, HKMA to create the Professional Development Programme (PDP) under the CFI. Now I am going to discuss another component of the CFI – the Cyber Resilience Assessment Framework (C-RAF).
Unlike the iCAST, which is an incomplete copy of CBEST (implemented by the UK’s Bank of England), the C-RAF is borrowed from several frameworks: (a) the Guidance on Cyber Resilience for Financial Market Infrastructures (the “Guidance”), issued by the International Organization of Securities Commissions (IOSCO) and the Bank for International Settlements (BIS); (b) the Cybersecurity Assessment Tool (the “Tool”), issued by the Federal Financial Institutions Examination Council (FFIEC, USA); and (c) the Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”), issued by the National Institute of Standards and Technology (NIST, USA).
It is acceptable to design a cyber resilience framework by aligning it with leading standards. However, simply copying and rewriting different parts of selected benchmark frameworks, guidelines or recommendations and presenting the result as our new cyber resilience solution is not a correct approach to managing cyber threats for Hong Kong’s financial industry. The worst and riskiest scenario is one in which we insert an unnecessary component (like the PDP) and then pretend it is a tailor-made solution for us.