Meeting the C-RAF challenges head-on


It has been one year since the Hong Kong Monetary Authority (HKMA) announced the Cyber Fortification Initiative (CFI). With the rise of Fintech, local banks are facing the challenge of meeting the CFI requirements and achieving digital transformation. According to security experts, machine learning could be the answer to this dilemma.

One of the major milestones of CFI takes place this September, when 30 banks are required to complete the first two stages of the Cyber Resilience Assessment Framework (C-RAF). These two stages are inherent risk assessment and maturity assessment—where banks are required to categorize their risk levels and identify the gaps to achieve maturity.

Photo: Michael Leung, CIOO, China CITIC International Bank

“Most of the banks in Hong Kong, especially the local banks, are pretty much through the second stage [of C-RAF], what we called the maturity assessment,” said Michael Leung, CIOO of China CITIC Bank. At the Fintech Innovation and regulatory framework conference, Leung, together with IT executives from local and global banks, shared their experiences on the road to C-RAF.

#1 challenge—scope of assessment

“The first challenge [to meet C-RAF] is to identify the scope of assessment,” said Leung. “These days we are talking about Fintech, where we work as an ecosystem and rely on collaborations. When we make an assessment, we are not only assessing our internal systems, but also our collaboration partners.”

Leung noted more local banks are embarking on the Fintech journey and providing new banking services through collaboration and a new ecosystem. These initiatives mean the banks are no longer operating as a closed and isolated system, and they are dealing with a wider scope and blurred perimeters.

Global banks also face similar challenges. Despite their experience meeting compliance requirements in different markets, global banks face the challenge of defining which banking infrastructure falls under Hong Kong’s jurisdiction.

Photo: Micky Lo, chief technology risk officer, BNY Mellon

“Some global banks have gone through exercises similar to C-RAF,” said Micky Lo, chief technology risk officer of a global investment management company. “But when we are talking about internet gateway, it is difficult to isolate Hong Kong specifics and concerted effort was spent to determine the scope of Hong Kong’s infrastructure.”

Machine learning in security

The challenge of a widening and blurring security scope is not limited to banks. With more organizations opening their infrastructure for collaboration and crowdsourcing, their scopes of protection are expanding. According to security experts, this is when intelligence and machine learning are expected to help.