HKMA C-RAF
Cyber Resilience Assessment Framework for Hong Kong banks

The Hong Kong Monetary Authority Cyber Resilience Assessment Framework, currently at version 2.0, sets the cyber resilience expectation for Authorised Institutions in Hong Kong. C-RAF runs in three sequential phases (inherent risk, maturity, and intelligence-led testing) under the wider Cyber Fortification Initiative, with iCAST applied to the institutions whose inherent risk tier carries the testing expectation. This page covers the structure, the maturity domains, the iCAST profile, and the evidence pack a workspace-driven cycle keeps in one place.

No credit card required. Free plan available forever.

C-RAF in context: HKMA Cyber Resilience Assessment Framework

The Cyber Resilience Assessment Framework, currently at version 2.0, is the structured cyber resilience expectation that the Hong Kong Monetary Authority sets for Authorised Institutions in Hong Kong. C-RAF is one pillar of the wider Cyber Fortification Initiative, alongside the Professional Development Programme covering workforce development and the Cyber Intelligence Sharing Platform covering structured threat intelligence sharing between institutions and HKMA. C-RAF runs in three sequential phases: an Inherent Risk Assessment, a Maturity Assessment across seven control domains, and (for the institutions whose inherent risk tier carries the testing expectation) an intelligence-led Cyber Attack Simulation Test known as iCAST.

C-RAF sits inside a wider international picture for financial-sector cyber resilience. For European entities, the TIBER-EU framework sets a comparable intelligence-led red team methodology, and the Digital Operational Resilience Act introduces threat-led penetration testing as a formal expectation. For UK entities, the CBEST scheme plays the same role under the Bank of England and the Financial Conduct Authority. For Australian entities, the APRA CPS 234 prudential standard sets the comparable obligation, and for Singapore-licensed entities the MAS TRM Guidelines operate the equivalent technology and cyber risk programme under the Monetary Authority of Singapore. C-RAF is the equivalent expectation in Hong Kong, with iCAST as the intelligence-led testing component.

Who C-RAF applies to

C-RAF applies to Authorised Institutions supervised by HKMA, with the depth of application calibrated by the inherent risk tier the institution scores in phase one. The framework is structured to scale: smaller institutions with lower inherent risk complete a lighter cycle, while larger institutions with high inherent risk run the full sequence including iCAST. The summary below is the working categorisation; HKMA-published guidance remains the authoritative reference for any scope question.

Authorised Institutions: licensed banks

Banks licensed under the Hong Kong Banking Ordinance, including locally incorporated banks and the Hong Kong branches of overseas-incorporated banks. Licensed banks anchor the C-RAF population because customer payments, deposit-taking, and foreign exchange clearing services drive most of the inherent risk profile that determines the C-RAF tier.

Restricted licence banks and deposit-taking companies

Restricted licence banks and deposit-taking companies authorised under the Banking Ordinance fall inside the C-RAF population at a tier proportionate to their inherent risk. The framework scales with the size of the institution, the systemic relevance of its services, and the connectivity profile of its technology estate.

Stored Value Facility licensees and selected payment-related entities

Stored Value Facility licensees regulated by HKMA, and selected payment system operators inside HKMA supervisory remit, are pulled into the cyber resilience expectation through related guidance even where C-RAF mechanics are calibrated differently. The cyber resilience principles propagate across the HKMA-regulated population through C-RAF and adjacent supervisory communications.

Group functions and intra-group dependencies

Group functions, intra-group service providers, and offshore booking centres that operate or process information assets on behalf of an Authorised Institution sit inside the third-party risk domain. The institution remains accountable for the cyber resilience of services delivered through group entities, with the assessment and evidence pack tracked at the regulated entity level.

The three phases of a C-RAF cycle

C-RAF is structured as three sequential phases, each calibrated to the output of the previous one. The inherent risk tier from phase one sets the target maturity for phase two, and the combined output of phases one and two determines whether and how iCAST applies in phase three. Treating C-RAF as a single bundle rather than as three connected decisions is the most common structural mistake; the workings of phase one are what makes phases two and three defensible.

Phase 1: Inherent Risk Assessment

The Inherent Risk Assessment scores the institution against six categories: technology, connectivity, delivery channels, products and services, organisational characteristics, and external threats. Each category has questions calibrated to the institution's profile, and the aggregated score sets the inherent risk tier (low, medium, or high). The IRA is the upstream decision: the tier sets the target maturity for phase two and determines whether iCAST applies in phase three.

Phase 2: Maturity Assessment

The Maturity Assessment is structured across seven control domains: governance, identification, protection, detection, response and recovery, situational awareness, and third-party risk management. Each domain has component-level criteria scored on the C-RAF three-level maturity scale (baseline, intermediate, advanced), with the target maturity level benchmarked to the inherent risk tier from phase one. The assessment is evidence-based: each component score is supported by the artefact, the policy reference, the control owner, and the assessment date.

Phase 3: iCAST

iCAST is intelligence-led Cyber Attack Simulation Testing applied to Authorised Institutions whose inherent risk and maturity profile make controlled offensive testing proportionate. iCAST follows the same structural pattern as TIBER-EU and CBEST. Accredited threat intelligence providers produce institution-specific threat scenarios, accredited red team providers execute against live production with controlled access, the white team retains commission and pause authority, and the closure phase covers replay with the blue team and a joint attestation that goes to HKMA.

Phase 1: Inherent Risk Assessment in detail

The Inherent Risk Assessment scores the institution against the technology, connectivity, delivery channels, products and services, organisational characteristics, and external threat exposure that drive cyber risk before any control is applied. The assessment is evidence-based: each scoring line is supported by the artefact (architecture diagram, product catalogue, customer-facing channel inventory, third-party register) that justifies the answer. The aggregated score lands the institution in a tier (low, medium, or high) that gates the rest of the cycle.

For institutions with a complex group structure, the IRA reflects the operating reality rather than the legal entity reality alone. Assets operated by group functions, offshore booking centres, or shared service providers are visible to the IRA through the third-party lens even when they sit outside the directly operated estate. The pentest evidence management workflow keeps the supporting artefacts attached to the IRA scoring, so the workings survive the next cycle review and the HKMA examination.

Phase 2: the seven maturity domains

The Maturity Assessment is the heart of C-RAF in operational terms. The seven domains below are the framework structure that the assessment scores against; each domain has component-level criteria scored on a defined maturity scale, with the target maturity benchmarked to the inherent risk tier. The assessment is documented per component, not in summary form: the score, the supporting evidence, the control owner, and the assessment date all live on the same record.

Governance

Board accountability for the cyber resilience programme, the named accountable executive, the cyber risk appetite, the budget and resourcing decision, the policy framework, and the reporting cadence to senior management. Governance maturity is the upstream decision that gates resourcing and authority for the rest of the programme; HKMA reads the board minutes and the reporting record alongside the technical artefacts.

Identification

Asset register, classification, business impact analysis, the threat picture against the institution, and the third-party register that feeds third-party risk management. The identification domain is the working catalogue that drives every downstream control; a stale asset register propagates as missed coverage in the protection and detection domains and as gaps the maturity assessment surfaces directly.

Protection

Access management, secure configuration, vulnerability management, software development security, data protection, encryption posture, and the supporting policy framework. Protection maturity is where the institution evidences the controls it has applied to identified assets, with the assessment looking at design, operation, and the evidence the controls produce on a continuous basis rather than at audit-time only.

Detection

Monitoring, alerting, log aggregation, anomaly detection, threat-hunting cadence, and the integration with the situational awareness domain. Detection maturity gates the institution's capability to surface incidents in time to act on them; iCAST scenarios in phase three are designed to probe the detection capability the maturity assessment claims to operate.

Response and Recovery

Incident response programme, runbook library, communications, recovery time targets, the post-incident review discipline, and the integration with the wider business continuity programme. The domain covers tabletop exercises, the lessons learned cycle, and the named recovery objectives for critical services. iCAST attestation reads back to this domain as the operational test of the response capability.

Situational Awareness

Threat intelligence consumption, peer information sharing through the Cyber Intelligence Sharing Platform, integration of external intelligence into internal decisions, and the analytical capability that converts intelligence into action. Situational awareness maturity feeds the iCAST scenario design when iCAST applies, and feeds the threat picture refresh that drives recurring inherent risk assessment cycles.

Third-Party Risk Management

Assessment of the cyber resilience capability of vendors, service providers, intra-group entities, and offshore booking centres that operate or process information assets on the institution's behalf. The domain captures the third-party register, the assessment evidence, the contractual remediation rights, the exit planning, and the residual risk decisions. HKMA holds the institution accountable for assets it does not directly operate.

Vulnerability scanning evidence, penetration test findings, and configuration assessment records sit at the centre of the protection, detection, and response domains. The penetration testing workflow keeps engagement, findings, and remediation tied to a single record. The scanner result triage workflow covers turning raw scanner output into assessor-ready findings without losing the audit trail. For the analytical view of how a maturity gap becomes a remediation backlog over cycles, the aging pentest findings research covers why a maturity gap that lingers across cycles reads to HKMA as a programme weakness rather than a delivery delay.
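The gating described above (phase-one tier sets the phase-two target, the gap register is scored against that target, and a gap carried across cycles reads differently from a fresh one) is easy to get wrong when it lives in spreadsheets. The example below is added to this page and is not HKMA's or SecPortal's code. It assumes the C-RAF 2.0 tier-to-target mapping (low to baseline, medium to intermediate, high to advanced) and the medium/high iCAST expectation as the author of this example understands them, so check both against the HKMA-published documentation; the component names, owners, scores and prior-cycle gaps are constructed sample data.

```python
"""Worked example: C-RAF phase-one gating and a cycle-aware gap register.

Added illustration, not the framework's or any vendor's code. Tier-to-target
and iCAST-tier mappings are assumptions labelled below; sample data is constructed.
"""
from dataclasses import dataclass
from typing import Optional

# C-RAF maturity scale is ordinal: index order matters for deficit arithmetic.
MATURITY_LEVELS = ["baseline", "intermediate", "advanced"]
# Assumption: C-RAF 2.0 benchmarks target maturity to the inherent risk tier this way.
TARGET_BY_TIER = {"low": "baseline", "medium": "intermediate", "high": "advanced"}
# Assumption: C-RAF 2.0 attaches the iCAST expectation to medium and high tiers.
ICAST_TIERS = {"medium", "high"}
DOMAINS = (
    "governance", "identification", "protection", "detection",
    "response and recovery", "situational awareness", "third-party risk management",
)


@dataclass(frozen=True)
class Component:
    domain: str
    name: str
    achieved: str       # maturity level the evidence supports
    evidence_ref: str   # artefact reference kept on the same record
    owner: str
    assessed_on: str    # ISO date of the assessment


@dataclass
class Gap:
    domain: str
    component: str
    achieved: str
    target: str
    deficit: int        # number of maturity levels below target
    owner: str
    cycles_open: int    # 1 for a new gap, incremented when carried forward


def level_index(level: str) -> int:
    """Map a maturity level to its ordinal position; reject anything off-scale."""
    if level not in MATURITY_LEVELS:
        raise ValueError(f"unknown maturity level {level!r}")
    return MATURITY_LEVELS.index(level)


def gate(tier: str) -> tuple[str, bool]:
    """Phase-one output: (target maturity for phase two, whether iCAST applies)."""
    tier = tier.strip().lower()
    if tier not in TARGET_BY_TIER:
        raise ValueError(f"unknown inherent risk tier {tier!r}")
    return TARGET_BY_TIER[tier], tier in ICAST_TIERS


def gap_register(tier: str, components: list[Component],
                 prior_gaps: Optional[list[Gap]] = None) -> list[Gap]:
    """Score every component against the tier's target and carry cycle counts
    forward for gaps that were already open last cycle, so lingering gaps are
    distinguishable from newly surfaced ones."""
    target, _ = gate(tier)
    prior = {(g.domain, g.component): g for g in (prior_gaps or [])}
    gaps: list[Gap] = []
    for c in components:
        if c.domain not in DOMAINS:
            raise ValueError(f"{c.name!r}: {c.domain!r} is not a C-RAF domain")
        deficit = level_index(target) - level_index(c.achieved)
        if deficit <= 0:
            continue  # at or above target: no gap, evidence still retained
        prev = prior.get((c.domain, c.name))
        gaps.append(Gap(c.domain, c.name, c.achieved, target, deficit, c.owner,
                        cycles_open=prev.cycles_open + 1 if prev else 1))
    return gaps


def lingering(gaps: list[Gap], min_cycles: int = 2) -> list[Gap]:
    """Gaps open for at least min_cycles consecutive assessments."""
    return [g for g in gaps if g.cycles_open >= min_cycles]


# Constructed sample data for one medium-tier institution (not real scores).
SAMPLE_COMPONENTS = [
    Component("governance", "board reporting cadence", "advanced", "MIN-2024-Q3", "CISO", "2024-09-30"),
    Component("identification", "asset register", "baseline", "CMDB-export-0930", "IT Ops lead", "2024-09-30"),
    Component("protection", "vulnerability management", "intermediate", "VM-policy-v4", "SecEng lead", "2024-09-30"),
    Component("detection", "log aggregation", "baseline", "SIEM-coverage-0930", "SOC lead", "2024-09-30"),
]
# Constructed prior-cycle register: log aggregation was already a gap last cycle.
SAMPLE_PRIOR_GAPS = [
    Gap("detection", "log aggregation", "baseline", "intermediate", 1, "SOC lead", cycles_open=1),
]

if __name__ == "__main__":
    target, icast = gate("medium")
    print(f"target maturity: {target}; iCAST applies: {icast}")
    for g in gap_register("medium", SAMPLE_COMPONENTS, SAMPLE_PRIOR_GAPS):
        print(f"{g.domain}/{g.component}: {g.achieved} vs {g.target} "
              f"(deficit {g.deficit}, open {g.cycles_open} cycle(s), owner {g.owner})")
```

Run on the sample, a medium-tier institution gets an intermediate target with iCAST in scope, two open gaps (asset register, new this cycle; log aggregation, now in its second cycle), and only the second one surfaces as lingering. Re-running the same components at the high tier raises the target to advanced and adds vulnerability management as a third gap, which is exactly why the phase-one tier has to be defensible before phase two is scored.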

Phase 3: iCAST preparation, execution, and closure

iCAST is the intelligence-led red team test for the Authorised Institutions whose inherent risk and maturity profile make controlled offensive testing proportionate. iCAST is structurally aligned to TIBER-EU and CBEST, with the HKMA control team in the oversight role. Preparation, testing, and closure are the three phases inside iCAST itself, with role separation, accredited providers, and a joint attestation forming the defining features.

Preparation phase

  • Engage early with the HKMA control team to confirm timelines, the scope expectation, and any institution-specific guidance for the cycle
  • Define the engagement scope around critical services, the systems and third parties supporting them, and the rationale for inclusion or exclusion
  • Form the white team with explicit board mandate, authority to commission and pause the engagement, a documented contact tree, and clear segregation from the in-scope blue team
  • Procure an accredited threat intelligence provider and an accredited red team provider, with credential evidence and conflict-of-interest checks captured on the engagement record
  • Agree the legal pack: rules of engagement, authorisation letter, data handling commitments, indemnity, and the closure attestation template
  • Hold the launch meeting with the HKMA control team, the white team, and the providers, and lock the scope specification before testing begins

Testing phase

  • The threat intelligence provider produces a targeted threat assessment tailored to the institution, the in-scope critical services, and the threat actors realistically targeting Hong Kong financial services
  • The red team builds the test plan from the targeted threat report, with attack scenarios, flags, the proposed attack paths, and the rules of engagement aligned to the scope
  • The white team approves the test plan, the flags, and the rules of engagement, then triggers the controlled red team execution against live production
  • The red team executes against live production with controlled access, prearranged escalation paths, and a live communication channel back to the white team and the HKMA control team
  • Operator notes, screenshots, attack timestamps, and evidence per flag are captured during execution so the post-test record is the working record rather than a rebuilt one

Closure phase

  • The red team produces the test report covering scope, methodology, attack paths, observations, and findings against the agreed flags and scenarios
  • The replay phase pairs the red team and the blue team, walks the attack path together, identifies the detection and response gaps, and agrees the remediation actions in writing
  • The white team consolidates the remediation plan with owners, deadlines, and retest conditions tied to the engagement record
  • The institution, the red team provider, and the threat intelligence provider sign the closure attestation, which is provided to HKMA as part of the post-engagement record
  • The closure pack (targeted threat report, test plan, red team report, replay notes, remediation actions, attestation) is retained in full so the next cycle and any HKMA follow-up are addressable from a single record

For the workflow that runs the test from scope to attestation on a single engagement record, the threat-led penetration testing workflow covers the cycle end to end, and the red teaming workflow keeps timestamps, attack paths, and operator notes structured so the closure record is the working record rather than a rebuilt one.

C-RAF and adjacent frameworks: SWIFT CSP, ISO 27001, NIST

Most Authorised Institutions in Hong Kong run more than one framework at the same time. The institution may operate the SWIFT Customer Security Programme for the messaging infrastructure, the ISO 27001 information security management system at the entity level, the NIST Cybersecurity Framework as a control catalogue reference, and the PCI DSS standard on the payment card environments. C-RAF maturity scoring reads against the controls these frameworks already operationalise; the same evidence pack often satisfies more than one regime when the mapping is built into the workspace from the start rather than rebuilt at audit time.

For the wider operational context that a Hong Kong Authorised Institution may run alongside C-RAF, the banking and fintech security consultancies workspace covers how a service provider delivering C-RAF, SWIFT CSP, ISO 27001, and PCI DSS work across multiple regulated clients keeps the evidence record consistent without writing the same finding three times.

Evidence the supervisor (and your board) expect

C-RAF programmes that fail review usually fail because the artefacts are scattered across drives, secure email threads, and screenshots. Build the evidence pack as the work happens, retain raw evidence alongside the structured record, and tie every artefact back to the phase, the domain, and the control owner who produced it. The HKMA examination reads the way the underlying record reads.

  • Inherent Risk Assessment workings: the answers, the supporting evidence per question, the calculated tier, and the rationale where qualitative judgement applied
  • Maturity Assessment scoring against the seven domains, with the component-level criteria, the supporting artefact reference, the control owner, and the assessment date
  • Gap register tied to the maturity assessment, with each gap linked to the target maturity, the remediation owner, the deadline, and the next reassessment trigger
  • iCAST scope specification covering critical services, systems, third parties, threat actors in scope, and rationale for inclusion or exclusion (where iCAST applies)
  • iCAST procurement records for the threat intelligence provider and the red team provider, including credential evidence and conflict-of-interest checks
  • iCAST targeted threat assessment, the red team test plan, and the rules of engagement signed by the white team
  • iCAST operator notes and per-flag evidence captured during execution, retained alongside the structured engagement record
  • iCAST red team test report, replay notes, gap analysis, and the remediation plan with owners and deadlines
  • iCAST closure attestation signed by the institution, the red team provider, and the threat intelligence provider
  • Board reporting record showing the cadence and content of cyber resilience updates to the board, with the escalation path operating before an incident rather than assembled during one
  • Third-party register and assessment evidence for vendors, service providers, intra-group entities, and offshore booking centres that operate or process information assets
  • Vulnerability scanning evidence and penetration test findings tied to the asset register, with severity, remediation owners, retest evidence, and SLA progress per finding

Where SecPortal fits in a C-RAF cycle

SecPortal is the operating layer for the C-RAF cycle, not a replacement for HKMA, the accredited threat intelligence provider, or the accredited red team. The platform handles scope, role records, findings, replay notes, attestation artefacts, and the closure pack so the work runs as a structured workflow rather than a long encrypted email thread. Compliance tracking maps the C-RAF evidence pack to ISO 27001, SWIFT CSP, and NIST CSF for institutions that have to satisfy more than one regime from the same body of work.

  • Engagement management dedicated to the C-RAF cycle, with the IRA, the maturity assessment, and the iCAST programme tracked as workstreams rather than as separate filings
  • Findings management with CVSS 3.1 scoring, MITRE ATT&CK tagging, and 300+ templates so each iCAST or maturity-gap finding ties to the affected domain, the asset, and the remediation owner
  • Compliance tracking that maps C-RAF maturity components to the controls actually implemented, alongside related frameworks (ISO 27001, SWIFT CSP, NIST) the institution may already operate against
  • AI report generation that turns IRA workings, maturity scoring notes, iCAST findings, and remediation actions into the audit-ready report and the board-ready narrative without manual rewriting
  • External and authenticated scanning to feed the protection and detection maturity domains with continuous evidence, rather than a single audit-time snapshot
  • Continuous monitoring with scheduled scans so the asset register and the maturity evidence carry a coverage record across the cycle
  • Findings audit trail with reasons and re-evaluation dates so suppressions, deviations, and risk acceptances are defensible at internal audit, at board review, and at HKMA examination

C-RAF is a multi-month programme rather than a single attestation. The first cycle for a new institution typically takes longer than later cycles because the asset register, the third-party register, and the maturity baseline are built from scratch. Subsequent cycles run faster because the white team, the providers, and the evidence patterns are reusable. Running the work as a managed workflow pays off most over time: prior IRA workings, prior maturity scoring, and prior iCAST findings stay linked, so each cycle is an iteration rather than a rebuild. For consultants delivering C-RAF work to multiple Authorised Institutions, the banking and fintech security consultancies workspace bundles the platform with branded client portals and AI report generation so the deliverable looks as polished as the work behind it.

For programmes that want continuous detection and trend evidence between C-RAF cycles, the continuous monitoring capability and attack surface management capability produce the cadence and coverage record that the protection and detection maturity domains read most easily.

Scope and limitations

C-RAF is the framework operated by HKMA and applied by the Authorised Institution. SecPortal is the workspace that holds the engagement, the IRA workings, the maturity scoring, the iCAST evidence pack, and the audit trail. Submissions to HKMA and any examination response remain actions the institution takes through HKMA-prescribed channels; SecPortal holds the supporting record so the submission is grounded in the evidence pack rather than reconstructed from email and shared drives at the deadline moment.

C-RAF is principles-based at the framework level and prescriptive at the maturity component level. This page describes the structure of C-RAF and how a workspace-driven cycle plays against it; the authoritative reference for the obligations and the maturity criteria remains the HKMA-published C-RAF documentation. The control catalogue an institution selects to meet C-RAF maturity targets is the institution's decision, evidenced through the asset register, the maturity assessment, and the iCAST programme where iCAST applies.

Key control areas

SecPortal helps you track and manage compliance across these domains.

Phase 1: Inherent Risk Assessment

The Inherent Risk Assessment scores the Authorised Institution against the technology, connectivity, delivery channels, products and services, organisational characteristics, and external threat exposure that drive cyber risk before any control is applied. The output is an inherent risk tier (low, medium, or high) that determines how deep the maturity assessment and the iCAST programme go for the institution. The IRA is the upstream decision that calibrates the rest of C-RAF, so the documentation behind each scoring line is part of the evidence pack from the start.

Phase 2: Maturity Assessment across seven domains

The Maturity Assessment scores controls across seven domains: governance, identification, protection, detection, response and recovery, situational awareness, and third-party risk management. Each domain has component-level criteria scored on the three-level maturity scale (baseline, intermediate, advanced), with the target maturity level set against the inherent risk tier from phase one. The assessment is performed against documented evidence, with gaps captured against the target maturity rather than against an absolute baseline.

Phase 3: iCAST intelligence-led Cyber Attack Simulation Testing

iCAST is the intelligence-led red team test applied to the Authorised Institutions whose inherent risk tier and maturity profile make controlled offensive testing proportionate. iCAST follows the same structural pattern as TIBER-EU and CBEST: a generic threat landscape adapted into entity-specific threat intelligence, an accredited threat intelligence provider, an accredited red team provider, role separation between the white team, the control team at HKMA, the blue team, and the providers, plus a closure phase covering replay and joint attestation.

Governance: board accountability and the C-RAF programme

The board and senior management of the Authorised Institution are accountable for the C-RAF programme. The cyber resilience programme operates as a working obligation rather than an annual filing exercise, with the board reporting cadence, the named accountable executive, and the resourcing decision documented and refreshed across the cycle. HKMA examines whether the programme is run by the institution rather than delegated to a single advisor or to a one-off project team.

Identification and protection domains

The identification domain covers the asset register, classification, the threat picture against the institution, and the third-party register that drives the third-party risk domain. The protection domain covers the controls applied to the identified assets: access management, secure configuration, vulnerability management, software security, data protection, and the supporting policy framework. The two domains together produce the working catalogue against which the maturity assessment is scored.

Detection, response, and recovery domains

Detection covers the controls and capability that surface a cyber incident in time to act on it: monitoring, alerting, anomaly detection, and the threat-hunting cadence the institution operates. Response and recovery covers the incident response programme, the runbook library, the cross-functional response capability, the recovery time targets, and the post-incident review discipline. The two domains drive the scenarios that iCAST will eventually probe.

Situational awareness and third-party risk management

Situational awareness covers the institution's capability to read the threat picture in real time: threat intelligence consumption, peer information sharing, and integration of external intelligence into internal decisions. Third-party risk management covers the assessment of the cyber resilience capability of vendors, service providers, and intra-group entities that operate or process information assets on behalf of the institution. Both domains feed the iCAST scenario design when iCAST applies.

CFI context: PDP, CISP, and the wider Cyber Fortification Initiative

C-RAF is one pillar of the wider Cyber Fortification Initiative. The Professional Development Programme covers the cyber security workforce development expectation, and the Cyber Intelligence Sharing Platform covers the structured intelligence sharing between Authorised Institutions and HKMA. The three pillars operate together: maturity grows from people, intelligence sharpens detection and response, and C-RAF is the recurring assessment that ties the picture together.

Cycle cadence and re-assessment

C-RAF runs as a recurring cycle rather than as a single attestation. The Inherent Risk Assessment and Maturity Assessment are refreshed on a regular cadence and on material change (acquisition, divestiture, new product line, new third-party relationship, significant control change). iCAST runs at a lower frequency than the maturity assessment but on a documented cadence for the institutions in scope. Each cycle inherits the prior evidence pack and the prior gap closure record so the trail continues rather than restarting.

Evidence retention and HKMA examination

HKMA examines the C-RAF programme through structured submissions, on-site reviews, and thematic exercises. The institution retains the evidence pack across the cycle in a form HKMA can examine without reconstruction: the IRA workings, the maturity scoring against component-level criteria, the iCAST closure pack where iCAST applied, the gap remediation timeline, and the board reporting record. The pack is the artefact that defends the programme posture to the supervisor and to the internal audit function.

Run a C-RAF cycle on one defensible record

Hold the inherent risk workings, the maturity scoring, the iCAST closure pack, and the HKMA evidence record in one workspace. Start free.