Cybersecurity for Financial Industry: An Analysis of the Cyber Resilience Assessment Framework
C-RAF AND REAL-LIFE MEASURES

TIME-SERIES ANALYSIS

Apart from allowing the AIs to identify their inherent risk and gaps in their cybersecurity measures, the implementation of C-RAF could also help raise the AIs' awareness of cybersecurity. Therefore, we analysed whether their adoption of SSL certifications changed after participating in the self-assessment exercise. Exhibit 59 shows the plotted average adoption rate of certification, self-signed certificate, and weak hashing algorithm certificates based on the AIs' responses. The post-C-RAF period was defined from the first half of 2017 to the first half of 2020.

Key findings:

1. Strong Trend Only for the Decrease of Weak Hashing Algorithm
From our time-series analysis (Exhibit 59a), we see a weak yet increasing trend for the use of certifications and self-signed certifications, while finding a strong decreasing trend in the use of weak hashing algorithms in their SSL certifications. This suggests that the AIs have improved the security of their websites by increasing the use of certifications and eliminating the use of weak hashing algorithms in their certifications, but have adopted slightly more self-signed certificates as a result of the higher overall adoption rate.

2. Increased Adoption of Certifications and Self-signed Certificates from AIs Without Full Attainment
Most of the increased adoption of certificates (and self-signed certificates) comes from the AIs who have failed to attain the required maturity controls. In comparison, the improvement in the elimination of weak hashing algorithm certificates is from both groups of the AIs (with or without full attainment).

3. No Sudden Changes After C-RAF
The AIs' adoption of SSL certifications has not experienced a sharp change after the C-RAF survey. However, the AIs have seen a steady improvement in their certification implementation, signalling that the AIs are aware of the importance of certifications and have adopted suitable measures. This should be encouraging for the regulator since the inherent risk analysis and the maturity analysis have helped AIs identify the areas to improve. The lack of significant change could be caused by a time lag in the impact or reflected in measures higher up in the organizational perspective, which is not reflected here. Better gauges to understand if C-RAF is

[Exhibit 59a] Change in SSL certification adoption rate over time – All AIs
[Exhibit 59b] Change in SSL certification adoption rate over time – AIs with full attainment
[Exhibit 59c] Change in SSL certification adoption rate over time – AIs without full attainment
(Each exhibit is a line chart. Series: Certification, Self-signed, Weak Hashing Algorithm, with the After C-RAF period marked. Vertical axis: adoption rate, 0.0 to 1.0. Horizontal axis: half-years from H1 2012 to H1 2020.)