Cyber Risk
Having better conversations on cyber
www.pwc.com/sg/risk-assurance
PwC
Contents
Putting Cyber Security into perspective
Engaging C-Suite executives on cyber security
C-Suite – key messages & discussion points
  Chief Executive Officer
  Chief Financial Officer
  Chief Risk Officer
  Chief Audit Executive
  Chief Information Security Officer
  Chief Privacy Officer
  Chief Compliance Officer
  Chief Technology Officer
  Chief Administrative Officer
Securing your digital future
Cyber risk is not a technical/technology problem; it is a business issue and a significant board agenda item. Organisations are taking steps to fundamentally shift how their information security function operates in light of cyber risks.
[Figure: the enterprise at the centre of an interconnected business ecosystem of consumers, customers, suppliers, JV/partners, service providers and industry/competitors, shaped by technology, environmental and economic forces.]
Your digital world just got bigger and the new business ecosystem must remain protected.
At a glance
Cyberattacks are accelerating at an unprecedented rate, and your approach to cybersecurity must keep pace. Here's how businesses are adapting to the new reality, contrasting historical IT security perspectives with today's leading cybersecurity insights:

Scope of the challenge
  Historically: limited to your "four walls" and the extended enterprise
  Today: spans your interconnected global business ecosystem

Ownership and accountability
  Historically: IT led and operated
  Today: business-aligned and owned; CEO and board accountable

Adversaries' characteristics
  Historically: one-off and opportunistic; motivated by notoriety, technical challenge, and individual gain
  Today: organized, funded, and targeted; motivated by economic, monetary, and political gain

Information asset protection
  Historically: one-size-fits-all approach
  Today: prioritize and protect your "crown jewels"

Defense posture
  Historically: protect the perimeter; respond if attacked
  Today: plan, monitor, and rapidly respond for when attacked

Security intelligence and information sharing
  Historically: keep to yourself
  Today: public/private partnerships; collaboration with industry working groups
Putting cybersecurity into perspective
• Cybersecurity represents many things to many different people
• Key characteristics and attributes of cybersecurity:
─ Broader than just information technology and not limited to just the enterprise
─ Increasing attack surface due to technology connectivity and convergence
─ An ‘outside-in view’ of the threats and potential impact facing an organization
─ Shared responsibility that requires cross-functional disciplines in order to plan, protect, defend and respond
Profiles of cyber threat actors

Nation State
  Motives: economic, political and/or military advantage
  Targets: trade secrets; sensitive business information; emerging technologies; critical infrastructure
  Impact: loss of competitive advantage; disruption to critical infrastructure

Organized Crime
  Motives: immediate financial gain; collecting information for future financial gain
  Targets: financial/payment systems; personally identifiable information; payment card information; protected health information
  Impact: costly regulatory inquiries and penalties; consumer and shareholder lawsuits; loss of consumer confidence

Insiders
  Motives: personal advantage, monetary gain; professional revenge; patriotism
  Targets: sales, deals, market strategies; corporate secrets, IP, R&D; business operations; personnel information
  Impact: trade secret disclosure; operational disruption; brand and reputation; national security impact

Hacktivists
  Motives: influence political and/or social change; pressure businesses to change their practices
  Targets: corporate secrets; sensitive business information; information related to key executives, employees, customers and business partners
  Impact: disruption of business activities; brand and reputation; loss of consumer confidence
The adversaries conducting cyber attacks and what they target
[Figure: adversaries' motives mapped to the assets most at risk.]
Motives: economic, political and/or military advantage; immediate or future financial gain; personal advantage, revenge or patriotism; influence political and/or social change.
What's most at risk? Emerging technologies; military technologies; advanced materials and manufacturing techniques; healthcare, pharmaceuticals and related technologies; business deals information; health records and other personal data; industrial control systems (SCADA); R&D and/or product design data; payment card and related information / financial transactions; information and communication technology and data.
Input from Office of the National Counterintelligence Executive, Report to Congress on the Foreign Economic Collection and Industrial Espionage, 2009-2011, October 2011.
Engaging C-Suite executives on Cyber Security
Who's behind this massive loss of data?
There are very savvy criminals out there looking to profit from the sale of your customer data and your proprietary information.

Compliance does not equal security, or does it?
Unfortunately, most executives don't think about security beyond complying with security regulations.

Do you think antivirus is foolproof security?
The scary thing about cyber risks today is that companies which completely ignore security may have already been breached and do not even know it.

Put security on your agenda before it becomes an agenda
Executives who ignore security not only gamble with their company's brand and good name, they also lose an opportunity to set themselves apart from the rest.

Why cyber threats have become business risks
When CEOs and Boards evaluated their market threats or competitors, few previously considered cyber threats. Today, the sheer volume and concentration of data, coupled with easy global access throughout the business ecosystem, magnifies the exposure from cyber attacks.
Talking Cyber: CEO (Chief Executive Officer)
Does your cyber security strategy support your long-term goals?

CEO's Cyber Agenda

Key message
A single successful attack could destroy an organisation's financial standing or reputation.

Questions to consider
• Is security part of your board agenda?
• Is cyber security an integral part of your business model and strategy?
• Are you aware of the top risks and threats that your organisation is exposed to?
• Are you aware of major security incidents the industry has experienced in the last year? Is your organisation prepared to respond to such incidents?
• Is your organisation able to identify and respond to emerging cyber threats while keeping pace with the ever-evolving regulatory environment?

How PwC can help
We can help assess your existing capabilities and cyber security maturity, enabling you to prioritise your investment. Our key services include:
• Cyber security strategy and roadmap development aligned to your wider business strategy
• Cyber security diagnostic and maturity assessment services
• Threat assessment and modelling
• Privacy and cyber security legal assessment

Cyber attacks were rated the sixth most likely global risk to occur, out of the 50 key potential risks we surveyed.
Talking Cyber: CFO (Chief Financial Officer)
Are your current investments safeguarding you from future losses?

CFO's Cyber Agenda

Key message
Are you aware of the financial impact of cybercrime activities, and are you able to prioritise your security investments correctly?

Questions to consider
• Do you know your average cyber crime cost and the frequency of your attacks?
• Do you understand the cost of recovery vs. the benefit of cyber security investments?
• Are you aware of the correlation between the lack of security investment and the increase in fraud? Are you aware of your gross vs. net fraud losses?
• How is cyber resilience managed for new systems, projects or product launches? Is it cost effective?
• Are your cyber operations cost effective? How can you correctly prioritise your investments?

How PwC can help
We can help you prioritise your security investments, assess the effectiveness of your current security framework and technology landscape, and enable you to drive cost efficiency across your cyber programme. Our services include:
• Security assessment services and service improvement
• Threat intelligence, detection and response maturity assessment
• Fraud and eCrime data analytics
• Managed vulnerability assessment services enabling detection and remediation of key security weaknesses through appropriate investments

£600k to £1.15m is the average cost to a large organisation of its worst security breach recorded this year (up from £450k to £850k a year ago).
Talking Cyber: CRO (Chief Risk Officer)
Cyber crime risk is on the rise. Are you safe?

CRO's Cyber Agenda

Key message
Do you have a cyber risk framework in place enabling you to adapt to the rapidly evolving threat landscape?

Questions to consider
• Are you able to keep up with the rapidly evolving threat landscape?
• Do you have a cyber risk appetite?
• How do you identify and measure cyber security related risks and compare them with other business risks?
• Are you confident that you have an effective cyber risk management framework in place? Do you regularly reassess your cyber risk appetite?
• Have you assessed the full impact of business disruption, and do you understand your reliance on critical systems, service providers and suppliers?

How PwC can help
We can assess your cyber risk appetite and help develop an appropriate cyber risk management framework aligned to your business needs and threat landscape. Key services include:
• Cyber threat assessment and modelling
• Cyber security risk appetite assessment and risk management framework development
• Third party security assurance services
• Cyber security programme assurance

93% of large organisations and 87% of small businesses had a security breach in the last year.
Talking Cyber: CAE (Chief Audit Executive)
Is your Internal Audit function able to thoroughly assess and help strengthen your cyber security posture?

CAE's Cyber Agenda

Key message
Is your IA function able to assess and respond to the increasing speed and frequency of cyber risks threatening your business?

Questions to consider
• Are you aware of the threat landscape that your organisation is exposed to?
• Is your organisation able to identify and respond to emerging cyber threats while keeping pace with the ever-evolving regulatory environment?
• Are your cyber operations efficient and effective? Are your controls and monitoring capabilities robust and able to keep pace with emerging requirements?
• Are you able to demonstrate compliance with existing legal and regulatory requirements? Are your cyber processes designed for the future?
• Are you confident that you have an effective cyber risk management framework in place?

How PwC can help
We can help you assess your security posture, identify potential weak areas and help determine the appropriate remediation roadmap through a focused audit service offering including:
• Cyber security audit services, including penetration testing
• Cyber security controls testing and optimisation, e.g. identity & access
• Cyber security diagnostic and cyber maturity assessments
• Privacy and cyber security legal assessment services, including policy and contract review services
• Cyber security programme assurance
• Threat assessment and modelling

IA is already heavily involved in security audits, with 84% of organisations covering data privacy, 72% focusing on identity and access management and 69% having addressed threat intelligence and vulnerability management.
Talking Cyber: CISO (Chief Information Security Officer)
Are you able to prevent and withstand cyber attacks?

CISO's Cyber Agenda

Key message
Are you able to successfully protect your critical assets and easily adapt to the evolving cyber security threat landscape?

Questions to consider
• Are your cyber operations efficient and cost effective? Is your monitoring capability flexible and scalable? How do you prioritise your investments?
• When you experience a cyber incident, how do you fix the problem so it won't happen again? Are you prepared?
• Are you leveraging analytics to understand incidents and identify systemic issues and root causes? How do you know when you have a breach?
• Are your cyber resilience skills broad, scalable and flexible enough to deal with spikes in business demand?
• What are the protocols when responding to cyber threats or incidents? Are you leveraging security best practices, tools and standards?

How PwC can help
We can help you build an intelligence-led security defence system, enabling rapid detection and containment of security incidents. Our services include but are not limited to:
• Cyber security diagnostic, breach discovery assessment and remediation
• Cyber incident management, response and forensic investigation
• Advanced threat detection and monitoring, and threat intelligence services
• Integrated managed security services, including vulnerability management
• Cyber security programme delivery and cyber defence team augmentation
• Security technologies, SOC setup, operations and crisis management

20% of large organisations detected that outsiders had successfully penetrated their network in the last year (up from 15% a year ago). Detection has improved, but the risk remains.
Talking Cyber: CPO (Chief Privacy Officer)
Are you able to safeguard your business and your clients' data?

CPO's Cyber Agenda

Key message
Are you protected against both internal and external data leakage?

Questions to consider
• Do you understand what information is most valuable, where it is located, and how it impacts the customer and business experience?
• Are you confident that you meet all your data protection requirements?
• Are you aware of the insider data threats you are exposed to? Are you employing the correct data loss prevention mechanisms to protect your business?
• What would happen if you had a major systems outage or customer information breach? Are you prepared? Do you have a plan to respond?
• Are you leveraging analytics to understand incidents and identify systemic issues and root causes?

How PwC can help
We can help you determine your critical data assets, enabling you to secure and protect your intellectual property alongside your clients' and business data through a focused service offering including:
• Privacy and cyber security legal compliance services
• Data leakage monitoring and assessment service
• Security advisory services including data loss prevention services
• Security intelligence and analytics
• Fraud and eCrime data analytics, e-Discovery and disclosure

Over the last year, data protection breaches occurred in almost half of all large organisations and roughly one in ten small businesses.
Talking Cyber: CCO (Chief Compliance Officer)
Are you able to keep pace with emerging cyber and information security regulations?

CCO's Cyber Agenda

Key message
Are you effectively meeting cyber security regulatory requirements and enabling the adoption of new regulations and standards?

Questions to consider
• Are you able to demonstrate compliance with existing legal and regulatory requirements around cyber?
• How will you ensure compliance with the emerging Information Security regulations and standards, whilst not losing sight of other important Information Security issues?
• Is your compliance assessment process able to reveal potential weaknesses?
• How can you begin to stabilise and simplify your regulatory reporting, risk and compliance activities to reduce barriers to growth?
• Have you effectively embedded good Information Security behaviours into your organisation's culture?

How PwC can help
We can help you navigate the complex regulatory landscape, enabling you to promptly respond to emerging cyber security regulations and standards. Our service offering includes:
• Providing legal support and general counsel on regulatory proceedings
• Advising on the latest regulatory requirements and potential implementation of cyber security best practices
• Cyber security assessments against security standards and best practices
• Culture & behaviours programme delivery; cyber security awareness and training

Given the increasing legal and regulatory focus on cyber security, monitoring the level of regulatory compliance has become essential.
Talking Cyber: CTO (Chief Technology Officer)
Is your technology investment enabling cyber resilience?

CTO's Cyber Agenda

Key message
Are you able to leverage technology to your advantage, deriving maximum return from your cyber security technology investments?

Questions to consider
• What are the appropriate technologies to invest in, and when is the right time to invest?
• Have you assessed the full impact of business disruption, and do you understand your reliance on critical systems? How are you protecting these systems?
• How is cyber resilience managed for new systems, projects or product launches? Is it cost effective?
• Are you using your resources in a secure way by employing the correct blend of technology security controls? How are you measuring the effectiveness and efficiency of your controls framework?

How PwC can help
We can help you use technology to your advantage, enabling you to prioritise your investments in information technology, operations technology and consumer technology. Our key service offering consists of:
• Technology and security risk assessment services enabling an in-depth review of your critical systems/applications and technology processes
• Controls framework design, implementation and testing services (including penetration testing)
• Business resilience and IT continuity services
• Identity and access management, as well as security integration services

60 million banking transactions were lost by a major bank due to a system malfunction suffered in 2010; all transactions had to be manually recovered.
Talking Cyber: CAO (Chief Administrative Officer)
Can you effectively manage your interconnected business ecosystem?

CAO's Cyber Agenda

Key message
Can you effectively manage your suppliers, and are your supporting functions enabling you to conduct your business securely?

Questions to consider
• Are you able to effectively manage your suppliers? Are you managing your contract lifecycles effectively?
• Are you aware of the outsourcing risks, and are you able to manage them?
• How do you know your service providers effectively manage cyber risks?
• Do you understand the potential impact of your supplier breaches, and are you prepared to respond to them?
• Do you have a culture of cyber resilience, and are your internal processes aligned to prevent and address potential cyber risks?

How PwC can help
We can help you understand and manage risk in your interconnected business ecosystem, assisting you to secure your digital channels and enabling partner and supplier management. Our key service offerings are as follows:
• Defining security policies and the mandatory requirements that your business users and third parties must adhere to
• Helping you assess, develop and maintain your outsourcing strategy to enable effective risk mitigation
• Privacy and cyber security legal assessment services, including policy and contract review services
• Third party security assurance services, litigation and dispute services

78% of organisations claim that they have effective security behaviours instilled into their culture, yet fewer than half require suppliers to comply with privacy policies.
We can help secure your digital future
We provide a comprehensive range of integrated cyber security services that help you assess, build and manage your cyber security capabilities, and respond to incidents and crises. Our services are designed to help you build confidence, understand your threats and vulnerabilities, and secure your environment. Our cyber security service delivery team includes incident response, legal, risk, technology and change management specialists.
You can’t secure everything
We will help assess your cyber priorities:
• Enterprise security architecture
• Protect what matters
• Strategy, organisation and governance
• Threat intelligence
It’s not if but when
The assessment will cover:
• Continuity and resilience
• Crisis management
• Incident response and forensics
• Monitoring and detection
Fix the basics
The cyber assessment will critically evaluate your security foundation:
• Identity and access management
• Information technology, operations technology and consumer technology
• IT security hygiene and controls alignment to your business processes
• Security intelligence and analytics
Seize the advantage
Our security assessment will help you identify digital opportunity with confidence as we will assess key aspects of your cyber strategy:
• Digital trust embedded in the strategy
• Privacy and cyber security legal compliance
• Risk management and risk appetite
Their risk is your risk
Our assessment will review existing cyber risk and provide recommendations to help manage risk in your interconnected business ecosystem.
• Digital channels
• Partner and supplier management
• Robust contracts
People matter
The assessment will evaluate your cyber maturity in the following key areas:
• Insider threat management
• People and ‘moments that matter’
• Security culture and awareness
[Figure: the six focus areas of the cyber assessment: Priorities, Crisis, Technology, Risk, Connection, People.]
Find out more
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this
publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in
this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care
for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
© 2018 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) which is a
member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.
Ervin Jocson
Partner
+65 8318 1830
Jimmy Sng
Partner
+65 6236 3808
Kyra Mattar
Partner
+65 9846 8500
Tan Shong Ye
Partner
+65 6236 3262