Custom print

CRA-5.8.25A

Past version: Effective from 01 Jan 2020 to 31 Mar 2023
To view other versions open the versions tab on the right

A licensee must conduct a periodic assessment of cyber security threats for the purpose of analysing and assessing cyber security threats, the licensee must take into account the factors detailed below:

(a) Surveys and audit findings, and all current information that could be indicative of weaknesses in the relevant controls;
(b) Collection and analysis of external data that could be indicative of potential vulnerabilities or lead to the detection of risk exposures that were not identified in the past;
(c) Collection and analysis of data regarding cyber security incidents within the licensee;
(d) Mapping of business processes for the purpose of exposing specific risks, interdependencies between risks, and areas of weakness in controls or risk management;
(e) Use of metrics for the purpose of quantifying the exposure to cyber security risks, use of qualitative and/or quantitative assessment indicators, in a manner that should make it possible to monitor changes in these values from time to time;
(f) Use of Key Risk Indicators (KRIs) and Key Process Indicators (KPIs), in order to provide insights on the status of control mechanisms and the cyber security program;
(g) Analysis of scenarios, in licensee with business line managers and risk managers in order to detect potential incidence of risk materialization, to assess their potential impact, and to enhance the ability to detect and respond to those incidents.
Added: January 2020