Context

For technology and risk professionals working within Hong Kong’s banking sector, the C-RAF is the inevitable baseline for cyber compliance. Understanding its structure is not just a regulatory requirement for the institution, but a core competency for those managing governance or operational risk. This note outlines the framework’s architecture and the regulator’s expectations.
The Cyber Resilience Assessment Framework (C-RAF) is the mechanism by which the Hong Kong Monetary Authority (HKMA) measures the cyber maturity of Authorised Institutions (AIs).

Introduced as part of the wider Cybersecurity Fortification Initiative (CFI), C-RAF moved beyond simple checklist compliance. Instead, it obliges banks to conduct a risk-based analysis of their own defences. The current iteration, C-RAF 2.0, applies to all AIs under HKMA supervision, though the intensity of the assessment varies based on the institution’s size and risk profile.

The framework is structured around three interdependent components:

  • Inherent Risk Assessment: A diagnostic to determine the institution’s risk exposure level (Low, Medium, or High).
  • Maturity Assessment: A granular review of actual controls and governance against the determined risk level.
  • iCAST (Intelligence-led Cyber Attack Simulation Testing): For institutions with higher risk profiles, paper assessments alone are insufficient; iCAST requires red-teaming exercises based on current threat intelligence to test defences in a live environment.

The process is cyclical, not a one-off audit. It forces institutions to benchmark their capabilities against both the regulator’s standards and their industry peers.

Further reading