The Cyber Resilience Assessment Framework (C-RAF) was designed to help Hong Kong financial services organisations evaluate their ability to prepare for, respond to, and recover from cyber threats and incidents. C-RAF 2.0 provides a systematic approach for assessing critical systems, processes, and governance, with a focus on strengthening resilience against evolving cyber risks. C-RAF was developed by the HKMA and applies to all Authorised Institutions (AIs), the banks and financial services organisations under HKMA supervision.
Key components of the C-RAF include:
- the Inherent Risk Assessment;
- the Maturity Assessment; and
- Intelligence-led Cyber Attack Simulation Testing, known as iCAST.
C-RAF is an ongoing iterative process of evaluation and improvement, and is designed to help AIs benchmark their cyber resilience against their peers and the regulator’s expectations.
C-RAF is one pillar of the Cyber Fortification Initiative (CFI) which the HKMA launched in 2016 with a view to raising the cyber resilience of Hong Kong’s banking system.
Further reading
- Cyber Resilience Assessment Framework (C-RAF) 2.0 (Deloitte). Deloitte provides a concise overview of the C-RAF requirements, outlining what senior management should expect when undertaking this regulatory exercise.
- TM-C-1 Supervisory Approach on Cyber Risk Management (HKMA) - 29 November 2024