Tech supplier concentration increases risk of downtime - Control Risks

Control Risks released their predictions for the top business risks for 2025, calling out Digital Concentration Risk as companies outsource their specialist IT services, such as cloud and security, to external providers. “The concentration of risk in centralised technological ecosystems in a worsening threat landscape will be a top risk for organisations in 2025.” Global technology disruptions such as the July 2024 CrowdStrike outages show how human error or system misconfigurations can create a correlated, industry-wide impact on customer organisations. And as these companies pass control to external tech vendors, they may be losing the in-house skills needed to respond to future incidents and outages. ...

December 8, 2024 · 1 min · Graeme Milroy

Cyber Resilience Assessment Framework 2.0 (HKMA)

The Cyber Resilience Assessment Framework (C-RAF) was designed to help Hong Kong financial services organisations evaluate their ability to prepare for, respond to, and recover from cyber threats and incidents. C-RAF 2.0 provides a systematic approach for assessing critical systems, processes, and governance, focusing on strengthening resilience against evolving cyber risks. C-RAF was developed by the HKMA and applies to all Authorised Institutions (AIs), the banks and financial services organisations under HKMA supervision. ...

1 min · Graeme Milroy

Cyber resilience frameworks

Cyber resilience frameworks provide practitioners with a structured approach to managing and mitigating cybersecurity risk, ensuring organisations can identify, respond to, and recover from a range of evolving threats. Frameworks such as the NIST Cybersecurity Framework (CSF) and ISO 27001 offer best practices, example controls, and guidelines to strengthen security posture, align with regulatory requirements, and build operational resilience. By adopting a suitable framework, organisations can improve governance, strengthen their ability to respond to incidents, and safeguard critical systems, data, and processes. ...

1 min

Digital Operational Resilience Act (DORA)

The EU Digital Operational Resilience Act (DORA) aims to ensure the resilience of digital services in the financial sector and to prevent and mitigate cyber threats.

Further reading
Digital finance: Council adopts Digital Operational Resilience Act | European Council
Operational Resilience: It’s a global issue | The International Banker
Operational resilience in the UK, EU and US: A comparison | White and Case
Operational Resilience | Herbert Smith Freehills
Principles for Operational Resilience | BIS
The EU’s Digital Operational Resilience Act for financial services | Deloitte
Introducing the Digital Operational Resilience Act | PwC

Related pages
Operational Resilience OR-2 | HKMA

1 min

Single Point of Failure

A single point of failure, in the context of operational resilience, can be defined as a component that, if it fails, will cause the entire system to fail. This makes it a critical vulnerability that needs to be remediated to ensure the availability and reliability of the system overall.

Further reading
Single Point of Failure - Wikipedia

1 min