Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework

12 11 IV. AI’S CYBERSECURITY PRACTICE IN REAL LIFE To understand how well the maturity assessment reflects the surveyed AIs’ actual security practices, we examined the AIs’ adoption of Secure Sockets Layer (SSL) and suboptimal certificates. SSL certificate is a digital certificate that authenticates a website identity. Suboptimal certificates make AIs more vulnerable to cyberattacks. Our observations: 1. The AIs’ overall maturity level and particularly the maturity level in the Protection domain appears to be significantly correlated to the adoption rate of SSL certificates. 2. AIs with high maturity attainment rate appear to show a higher adoption rate of security certifications and a low adoption rate of suboptimal certificates such as self-signed or weak hashing algorithm certificates. 3. The Maturity Assessment reflects the AIs’ actual cybersecurity measures. AIs that perform better in the Maturity Assessment in terms of their attainment percentage rate tend to take adequate cybersecurity measures to safeguard their assets. AI’s Cyber Resilience Over Time We analysed the AIs’ adoption of SSL certifications to gain a better understanding on how the AIs’ cyber resilience has changed over time after the C-RAF survey and how the self- assessment exercise impacts the AIs’ intention in implementing cybersecurity measures. Our observations: 1. We found a steady improvement in AIs’ SSL certification adoption rate. The improvement comes from those who have not attained all the required maturity measures. 2. There is a decrease in the adoption of weak hashing algorithm certificates among the AIs. For AIs whose attainment rate is 100%, the drop is even more than those AIs without full attainment. 3. In order to understand the impact of C-RAF in improving AIs’ cyber resilience over time, we suggest the C-RAF framework to further examine if AIs have taken additional cybersecurity measures or compare the number of cybersecurity incidents they face after the C-RAF self- assessment exercise. CYBER RESILIENCE ASSESSMENT FRAMEWORK (C-RAF)