Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework
C-RAF AND REAL-LIFE MEASURES

For the purpose of our analysis, we obtained the number of self-signed and weak hashing algorithm SSL certificates of the 20 AIs that adopted any SSL certificate during the investigation period. If AIs with higher maturity do take more adequate measures to ensure cybersecurity, we should see the percentage of suboptimal SSL certificates in use decrease as the maturity score rises.

[ Exhibit 57 ] Percentage of suboptimal SSL certificates versus Maturity Assessment scores
(Figure: two scatter plots, points coloured by inherent risk level, Low / Medium / High. Left panel, "Self-signed Certificates and Maturity Assessment Score": Percentage of Self-signed Certificates (0.00 to 0.20) against Maturity score (100 to 400). Right panel, "Weak Hashing Algorithm Certificates and Maturity Assessment Score": Percentage of Weak Hashing Algorithm Certificates (0.0 to 0.4) against Maturity score (100 to 400).)

As the charts in Exhibit 57 indicate, while a few low-risk AIs have a relatively high adoption rate of weak certificates, the relationship is unclear. By conducting a regression, we found that neither the inherent risk of the AI nor the maturity score has significant statistical power in explaining the use of such certificates. Upon closer examination of the detailed Maturity Assessment responses, we found that while many AIs stated that they use SSL certificates, there was no mention of the type of hashing algorithm used or whether a CA signed the certificates. This shows that while the Maturity Assessment is able to reflect holistically whether the AIs have implemented the appropriate measures, the quality of the implementation and the extent to which it is applied remain unclear. Nevertheless, we believe the level of detail set out in the survey is adequate and yields insightful information about the AIs' cybersecurity measures.

Maturity Level Attainment vs Security Certification Adoption

To better understand whether AIs with higher attainment of the maturity controls perform better in practice, we checked the certificate adoption status of AIs with a full attainment rate on their required controls and compared the result against those that failed to meet their requirements. Here we report the average adoption rate of these AIs and check the average number of suboptimal certificates and the adoption rate of such certificates. Again, the attainment percentage is calculated with respect to the maturity controls that the AIs are subject to, based on their inherent risk level.

[ Exhibit 58 ] Certificate adoption in full attainment AIs and AIs with high attainment rate (90%+)
(Averages over the 17 six-month periods; * higher is better, ** lower is better)

                                                       Full attainment (100%)   High attainment (90%+)
                                                         Yes        No            Yes        No
Number of AIs                                             4         18            12         10
Certificate Adoption Rate*                               0.79       0.67          0.72       0.66
Adoption Rate of Self-signed Certificates**              0.00       0.11          0.08       0.11
Adoption Rate of Weak Hashing Algorithm Certificates**   0.29       0.31          0.30       0.31
Number of Self-signed Certificates**                     0.00       0.17          0.11       0.16
Number of Weak Hashing Algorithm Certificates**          0.93       1.60          2.08       0.76

Exhibit 58 shows that AIs with full attainment have a higher average certificate adoption rate over the 17 six-month periods than other AIs. In addition, they have not adopted any self-signed certificates, and they have adopted fewer weak hashing algorithm certificates than their peers, both as a share of their certificates (0.29 versus 0.31) and in absolute number (0.93 versus 1.60). The findings for the high attainment grouping point the same way but only to a small extent: the differences in adoption rates are marginal, and the average number of weak hashing algorithm certificates is in fact higher for the high attainment group (2.08 versus 0.76). Overall, the groupings and classification of the Maturity Assessment are able to explain to some extent the real-life implementation of cybersecurity measures by the AIs, and AIs with a higher attainment percentage have indeed handled their cybersecurity more appropriately.
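The two "suboptimal certificate" categories counted in Exhibits 57 and 58 can be read directly off a certificate's DER encoding: the signatureAlgorithm OID tells you whether the digest is MD5 or SHA-1, and an issuer Name equal to the subject Name marks a self-issued certificate. The following is an added example, not code from the report; it walks the RFC 5280 Certificate structure with the standard library only and computes the per-AI percentages that Exhibit 57 plots. The AIs (AI-A, AI-B, AI-C), hostnames, the issuer "Example Root CA" and the certificates themselves are constructed inline with a small DER encoder; their keys and signature bits are dummies and are never verified.

```python
"""Classify X.509 certificates as self-signed or weak-hash, stdlib only.

Added example, not code from the report.  Sample certificates are CONSTRUCTED
inline (dummy keys and signatures) so the file runs offline.
"""

# --- minimal DER encoding (only what the constructed samples need) -------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                       # base-128, high bit means "more bytes"
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

# --- minimal DER decoding ------------------------------------------------

def read_tlv(buf, pos=0):
    """Return (tag, body, end) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0   # correct for first arcs 0..2
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

# --- certificate inspection ----------------------------------------------

# Signature algorithms whose digest is MD5 or SHA-1: the "weak hashing algorithm" bucket.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def inspect_cert(der):
    """Return (signature algorithm OID, issuer Name body, subject Name body)."""
    _, cert, _ = read_tlv(der)                          # Certificate ::= SEQUENCE
    (_, tbs), (_, sig_alg), _ = children(cert)          # tbsCertificate, signatureAlgorithm, signatureValue
    fields = children(tbs)
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    issuer, subject = fields[2][1], fields[4][1]
    return decode_oid(children(sig_alg)[0][1]), issuer, subject

def classify(der):
    alg, issuer, subject = inspect_cert(der)
    return {
        # issuer == subject is the self-issued test; a full self-signed check would
        # additionally verify the signature with the certificate's own public key.
        "self_signed": issuer == subject,
        "weak_hash": alg in WEAK_SIG_OIDS,
        "sig_alg": WEAK_SIG_OIDS.get(alg, alg),
    }

def suboptimal_rates(certs_by_ai):
    """Per AI: share of its certificates in each suboptimal category (Exhibit 57's y-axes)."""
    rates = {}
    for ai, certs in certs_by_ai.items():
        flags = [classify(c) for c in certs]
        n = max(len(flags), 1)
        rates[ai] = {k: sum(f[k] for f in flags) / n for k in ("self_signed", "weak_hash")}
    return rates

# --- constructed sample certificates (hypothetical AIs, dummy keys/signatures) ---

SHA256_RSA, SHA1_RSA, SHA1_ECDSA = "1.2.840.113549.1.1.11", "1.2.840.113549.1.1.5", "1.2.840.10045.4.1"

def _name(cn):                                 # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    return seq(tlv(0x31, seq(encode_oid("2.5.4.3"), tlv(0x13, cn.encode()))))

def make_cert(subject_cn, issuer_cn, sig_oid):
    alg = seq(encode_oid(sig_oid), tlv(0x05, b""))          # AlgorithmIdentifier with NULL params
    validity = seq(tlv(0x17, b"240101000000Z"), tlv(0x17, b"250101000000Z"))
    spki = seq(seq(encode_oid("1.2.840.113549.1.1.1"), tlv(0x05, b"")), tlv(0x03, bytes(9)))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"),  # v3, serial 1
              alg, _name(issuer_cn), validity, _name(subject_cn), spki)
    return seq(tbs, alg, tlv(0x03, bytes(9)))               # dummy signatureValue

SAMPLE_CERTS = {
    "AI-A": [make_cert("www.a.example", "Example Root CA", SHA256_RSA),
             make_cert("api.a.example", "Example Root CA", SHA256_RSA)],
    "AI-B": [make_cert("legacy.b.example", "legacy.b.example", SHA1_RSA),  # self-signed and SHA-1
             make_cert("www.b.example", "Example Root CA", SHA1_RSA),
             make_cert("api.b.example", "Example Root CA", SHA256_RSA),
             make_cert("mail.b.example", "Example Root CA", SHA256_RSA)],
    "AI-C": [make_cert("www.c.example", "Example Root CA", SHA1_ECDSA)],
}

if __name__ == "__main__":
    for ai, r in suboptimal_rates(SAMPLE_CERTS).items():
        print(f"{ai}: self-signed {r['self_signed']:.2f}, weak hash {r['weak_hash']:.2f}")
```

Against live endpoints the same classifier takes the DER returned by `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` from the standard library. Note that the "self-signed" flag here is the issuer-equals-subject heuristic, which is what certificate scanners normally report; a certificate with matching names but a signature that does not verify under its own key would be counted the same way.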