C-RAF 2.0 Assessment Framework Overview
The C-RAF 2.0 assessment is a structured, three-step process designed to provide a comprehensive evaluation of an institution's cyber resilience. The core logic of the framework is to align the required level of cybersecurity maturity with the institution's inherent risk exposure. The three steps are as follows:
- Inherent Risk Assessment: This initial step determines the institution's inherent risk level by evaluating its risk exposure across five categories.
- Cybersecurity Maturity Assessment: Based on the inherent risk level, this step assesses the institution's cybersecurity maturity across seven domains.
- Intelligence-led Cyber Attack Simulation Testing (iCAST): For institutions with moderate or high maturity levels, iCAST is a mandatory test that simulates real-world cyberattacks.
The Seven Domains of Cybersecurity Maturity
The following table provides a high-level overview of the seven domains and their key components, which form the core of the C-RAF 2.0 assessment:
| Layer | Domain | Key Components |
|---|---|---|
| Governance (Central) | Governance | Cyber resilience supervision, strategy and policy, risk management, audit, and personnel training. |
| Internal Environment | Identification | IT asset identification, risk identification, and assessment. |
| Internal Environment | Protection | Infrastructure protection, access control, data security, and patch management. |
| Internal Environment | Detection | Vulnerability detection, anomalous activity detection, and threat monitoring. |
| Internal Environment | Response and Recovery | Response planning, incident management, escalation, and reporting. |
| External Environment | Situational Awareness | Threat intelligence and information sharing. |
| External Environment | Third-Party Risk Management | External connections, third-party management, and continuous monitoring. |
- Inherent Risk Assessment Categories
The inherent risk assessment evaluates an institution's risk exposure across five distinct categories: technologies, delivery channels, products and technology services, business scale and organizational characteristics, and records of cyber threats. The purpose of this assessment is to determine the institution's overall risk profile, which in turn dictates the minimum required maturity level.
- Intelligence-led Cyber Attack Simulation Testing (iCAST)
iCAST is a mandatory requirement for institutions with moderate and high maturity levels. It is an intelligence-driven red-team/blue-team exercise that simulates real-world attack scenarios. C-RAF 2.0 has introduced a blue-team requirement and a more flexible threat intelligence reporting mechanism, making the test more comprehensive and realistic.
Three Key Changes in Version 2.0
C-RAF 2.0 introduces several changes, but three, in particular, have a significant impact on the assessment process. These changes reflect the evolving regulatory focus and the need for a more robust approach to cyber risk management.
- Introduction of the "Upward Override" Mechanism in Inherent Risk Assessment
C-RAF 2.0 has redefined the "Upward Override" rule for inherent risk assessment. If the number of low-risk indicators does not exceed the combined number of medium- and high-risk indicators, the overall inherent risk level is adjusted upwards. This change, together with more detailed indicator standards and calculation methods, is intended to prevent institutions from underestimating their risk exposure.
- Elevation of Governance Responsibility to the Board
A significant change in C-RAF 2.0 is the explicit requirement for the board of directors and senior management to be accountable for cyber risk management. This shift addresses the common industry pitfall of treating cyber risk as a purely technical issue rather than a business risk. From an assessment standpoint, institutions must now provide evidence of board-level engagement, not just technical control measures.
- Enhanced Third-Party Risk Management Requirements
In line with the HKMA's December 2023 circular on managing third-party cyber risk, C-RAF 2.0 has strengthened the requirements for third-party risk management in Domain 7. The assessment now covers the identification and management of external connections, risk-based control testing of third parties, and continuous monitoring of third-party risks. This aligns with the upcoming OR-2 operational resilience requirements, which have a compliance deadline of May 2026.
Common Weaknesses in Assessments
Based on industry observations, several common weaknesses have emerged during C-RAF assessments. Recognizing these pitfalls can help institutions better prepare for their self-assessment and identify areas for improvement.
- Governance and Organizational Level
In practice, some institutions need to improve in several areas at the governance level. These include ensuring the independence of the Chief Information Security Officer (CISO) and the head of technology risk management, establishing a formalized process for cybersecurity budgeting, and creating a regular review mechanism for cyber risk at the board level. These issues often stem from a governance structure that does not fully reflect the business importance of cyber risk.
- Detection and Response Capabilities
Commonly observed weaknesses in detection and response include insufficient coverage of Endpoint Detection and Response (EDR) tools on critical servers, inadequate scenario planning for high-impact, low-probability cyber events, and a lack of regular drills for recovery procedures. The maturity assessment looks not only at whether tools are deployed but also at whether they are operating effectively and have been validated.
- Third-Party Risk Management
With the increasing reliance on cloud services and outsourcing, third-party risk management has become a key area of focus in assessments. Common weaknesses include incomplete mapping of data flows for critical applications, infrequent cybersecurity control testing of third parties, and a lack of risk-based, differentiated management mechanisms. Some institutions mistakenly believe that outsourcing a service also transfers the associated cybersecurity responsibility. From a regulatory perspective, however, the responsibility always remains with the authorized institution.
Five Core Questions Before Self-Assessment
Before embarking on the C-RAF 2.0 self-assessment, it is helpful to reflect on a few core questions. These questions are designed to align your thinking with the key assessment dimensions of the framework.
- Does our inherent risk assessment reflect the latest business realities? Have new cloud service deployments, third-party connections, and changes in delivery channels been incorporated into the assessment?
- Has cyber risk management become a regular agenda item for the board? Can the institution demonstrate regular review and decision-making on cyber risk at the governance level?
- Does our maturity assessment go beyond a "compliance checklist"? Can we articulate the objective, effectiveness, and continuous improvement mechanism for each control measure?
- Is third-party risk given the same level of attention as internal risk? Are data flow mapping, control testing, and continuous monitoring of key third parties in place?
- Has our incident response capability been tested against realistic scenarios? Do our contingency plans cover high-impact, low-probability events, and are they regularly drilled?
Conclusion
The core philosophy of C-RAF 2.0 is to elevate cyber resilience from a technical issue to a governance priority. With the issuance of the TM-C-1 statutory guideline and the approaching OR-2 compliance deadline in May 2026, proactively understanding and preparing for the assessment requirements is a pragmatic choice for financial institutions to meet evolving regulatory expectations.