Machine learning to overcome C-RAF challenges

Micky Lo (left) and Michael Leung (right) shared their challenges of C-RAFIt has been one year since the Hong Kong Monetary Authority (HKMA) announced the Cyber Fortification Initiative (CFI). With the rise of Fintech, local banks are facing the challenge of meeting the CFI requirements and achieving digital transformation. According to security experts, machine learning could be the answer to this dilemma.

One of the major milestones of CFI takes place this September, when 30 banks are required to complete the first two stages of the Cyber Resilience Assessment Framework (C-RAF). These two stages are inherent risk assessment and maturity assessment—where banks are required to categorize their risk levels and identify the gaps to achieve maturity.

“Most of the banks in Hong Kong, especially the local banks, are pretty much through the second stage [of C-RAF], what we called the maturity assessment,” said Michael Leung, CIOO of China CITIC Bank. At the Fintech Innovation and regulatory framework conference, Leung, together with IT executives from local and global banks shared their experiences in the road to C-RAF.

#1 challenge—scope of assessment

“The first challenge [to meet C-RAF] is to identify the scope of assessment,” said Leung. “These days we are talking about Fintech, where we work as an ecosystem and rely on collaborations. When we make assessment, we are not only assessing our internal systems, but also our collaboration partners.”

Leung noted more local banks are embarking on the Fintech journey and providing new banking services through collaboration and a new ecosystem. These initiatives mean the banks are no longer operating as a closed and isolated system, and they are dealing with a wider scope and blurred perimeters.

Global banks also face similar challenges. Despite the experiences to meet compliance requirements from different markets, global banks face the challenge of defining banking infrastructure that is under Hong Kong’s jurisdiction.

“Some global banks have gone through exercises similar to C-RAF,” said Micky Lo, chief technology risk officer of a global investment management company. “But when we are talking about internet gateway, it is difficult to isolate Hong Kong specifics and concerted effort was spent to determine the scope of Hong Kong’s infrastructure.”

Machine learning in security

The challenge of a widening and blurring security scope is not limited to banks. With more organizations opening their infrastructure for collaboration and crowdsourcing, their scopes of protection are expanding. According to security experts, this is when intelligence and machine learning are expected to help.

"When [an organization] opens its APIs [application programming interface] and allows third party access, they need more intelligence to detect anomalies and people behaving badly," said David Ulevitch, Senior VP, Security Business Group at Cisco.  

In his recent visit to Hong Kong, Ulevitch noted machine learning plays a key role to provide insights and action from the detected abnormalities.

"Lots of industries are still trying to figure out how to use machine learning to solve business problems. But security is many years ahead in using machine learning,” he said. “You can do all the analytics to make sure people are behaving the right way. It’s very hard to hide in the noise."

He added that Cisco’s threat intelligence team Talos is a major user of machine learning. With 250+ researchers, Talos is a centralized intelligence sharing team that allows threats discovered from a specific area to be shared and responses can be applied across Cisco’s portfolio of products. He added that Talos blocks 20 billion threats daily and reduces the time to threat detection to 13 hours.

Security complexity and talent shortage

Another challenge of meeting the C-RAF requirements, according to Leung from China CITIC Bank, is the combination of rising security complexity and talent shortage.