Cyber Risk Having better conversations on cyber

Transcription

1 Cyber Risk Having better conversations on cyber

2 Contents Putting Cyber Security into perspective 3 Engaging C-Suite executives on cyber security 8 C-Suite key messages & discussion points Chief Executive Officer 9 Chief Financial Officer 11 Chief Risk Officer 13 Chief Audit Executive 15 Chief Information Security Officer 17 Chief Privacy Officer 19 Chief Compliance Officer 21 Chief Technology Officer 23 Chief Administrative Officer 25 Securing your digital future 27 Cyber risk is not a technical/technology problem, it is a business issue and is a significant board agenda. Organisations are taking steps to fundamentally shift how their information security function operates in light of cyber risks. PwC

3 Environmental Economic Your digital world just got bigger and the new business ecosystem must remain protected. Customer Consumer Industry/ Competitors Enterprise Suppliers Service Providers JV/ Partners Technology

4 At a glance Cyberattacks are accelerating at an unprecedented rate and your approach to cybersecurity must keep pace. Here s how businesses are adapting to the new reality: Historical IT Security Perspectives Scope of the challenge Limited to your four walls and the extended enterprise Today s Leading Cybersecurity Insights Spans your interconnected global business ecosystem Ownership and accountability IT led and operated Business-aligned and owned; CEO and board accountable Adversaries characteristics One-off and opportunistic; motivated by notoriety, technical challenge, and individual gain Organized, funded, and targeted; motivated by economic, monetary, and political gain Information asset protection One-size-fits-all approach Prioritize and protect your crown jewels Defense posture Protect the perimeter; respond if attacked Plan, monitor, and rapidly respond for when attacked Security intelligence and information sharing Keep to yourself Public/private partnerships; collaboration with industry working groups PwC

5 Putting cybersecurity into perspective Cybersecurity represents many things to many different people Key characteristics and attributes of cybersecurity: Broader than just information technology and not limited to just the enterprise Increasing attack surface due to technology connectivity and convergence An outside-in view of the threats and potential impact facing an organization Shared responsibility that requires cross functional disciplines in order to plan, protect, defend and respond PwC 5

6 Profiles of Cyber threat actors Adversary Motives Targets Impact Nation State Economic, political, and/or military advantage Trade secrets Sensitive business information Emerging technologies Critical infrastructure Loss of competitive advantage Disruption to critical infrastructure Organized Crime Immediate financial gain Collect information for future financial gains Financial / Payment Systems Personally Identifiable Information Payment Card Information Protected Health Information Costly regulatory inquiries and penalties Consumer and shareholder lawsuits Loss of consumer confidence Hacktivists Influence political and /or social change Pressure business to change their practices Corporate secrets Sensitive business information Information related to key executives, employees, customers & business partners Disruption of business activities Brand and reputation Loss of consumer confidence Insiders Personal advantage, monetary gain Professional revenge Patriotism Sales, deals, market strategies Corporate secrets, IP, R&D Business operations Personnel information Trade secret disclosure Operational disruption Brand and reputation National security impact PwC 6

7 The adversaries conducting cyber attacks and what they target Adversary Cyber Attacks What s most at risk? Economic, political and or military advantage Influence political and/or social change Immediate or future financial gain Industrial Control Systems (SCADA) $ Payment card and related information / financial transactions Military technologies Healthcare, pharmaceuticals, and related technologies Emerging technologies Advanced materials and manufacturing techniques Business deals information R&D and / or product design data Personal advantage, revenge or patriotism Health records and other personal data Information and communication technology and data Input from Office of the National Counterintelligence Executive, Report to Congress on the Foreign Economic Collection and Industrial Espionage, , October PwC

8 Engaging C-Suite executives on Cyber Security Why cyber threats have become business risks When CEOs and Boards evaluated their market threats or competitors, few previously considered cyber threats. Today, the sheer volume and concentration of data, coupled with easy global access throughout the business ecosystem, magnifies the exposure from cyber attacks. Put security on your agenda before it becomes an agenda Executives who ignore security not only gamble with their company s brand and good name, they also lose an opportunity to set themselves apart from the rest. Who s behind this massive loss of data? There are very savvy criminals out there looking to profit from the sale of your customer data and your proprietary information. Compliance does not equal security or does it? Unfortunately, most executives don t think about security beyond complying with security regulations. Do you think antivirus is fool proof security? The scary thing about cyber risks today is the companies that completely ignore security may have already been breached and do not even know it. 1

9 Talking Cyber Does your cyber security strategy support your long term goals? PwC CEO Chief Executive Officer

10 CEO s Cyber Agenda? Key message Questions to Consider A single successful attack could destroy an organisation s financial standing or reputation. Is security part of your board agenda? Is cyber security an integral part of your business model and strategy? Are you aware of the top risks and threats that your organisation is exposed to? Are you aware of major security incidents the industry has experienced in the last year? Is your organisation prepared to respond to such incidents? Is your organisation able to identify and respond to emerging cyber threats while keeping pace with the ever evolving regulatory environment? Cyber attacks were rated the sixth most likely global risk to occur of the key 50 potential risks that we ve surveyed. How PwC can Help We can help assess your existing capabilities and cyber security maturity enabling you to prioritise your investment. Our key services include: Cyber security strategy and roadmap development aligned to your wider business strategy Cyber security diagnostic and maturity assessment services Threat assessment and modelling Privacy and cyber security legal assessment 3

11 Talking Cyber Are your current investments safeguarding you from future losses? PwC CFO Chief Financial Officer

12 CFO s Cyber Agenda? Key message Questions to Consider How PwC can Help Are you aware of the financial impact of cybercrime activities and are you able to rightly prioritise your security investments? Do you know your average cyber crime cost and the frequency of your attacks? Do you understand the cost of recovery vs. the benefit of cyber security investments? Are you aware of the correlation between the lack of security investment and the increase in fraud? Are you aware of your gross vs. net fraud losses? How is cyber resilience managed for new systems, projects or product launches? Is it cost effective? Are your cyber operations cost effective? How can you correctly prioritise your investments? We can help you prioritise your security investments, assess the effectiveness of your current security framework and technology landscape and enable you to drive cost efficiency across your cyber programme. Our services include: Security assessment services and service improvement Threat intelligence, detection and response maturity assessment Fraud and ecrime data analytics Managed vulnerability assessment services enabling detection and remediation of key security weakness through appropriate investments 600k m is the average cost to a large organisation of its worst security breach recorded this year (up from k a year ago). 5

13 Talking Cyber Cyber crime risk is on the rise. Are you safe? PwC CRO Chief Risk Officer

14 CRO s Cyber Agenda? Key message Questions to Consider Do you have a cyber risk framework in place enabling you to adapt to the rapidly evolving threat landscape? Are you able to keep up with the rapidly evolving threat landscape? Do you have a cyber risk appetite? How do you identify and measure cyber security related risks and compare them with other business risks? Are you confident that you have an effective cyber risk management framework in place? Do you regularly reassess your cyber risk appetite? Have you assessed the full impact of business disruption, and do you understand your reliance on critical systems, service providers and suppliers? 93% of large organisations and 87% of small businesses had a security breach in the last year. How PwC can Help We can assess your cyber risk appetite and help develop an appropriate cyber risk management framework aligned to your business needs and threat landscape. Key services include: Cyber threat assessment and modelling Cyber security risk appetite assessment and risk management framework development Third party security assurance services Cyber security programme assurance 7

15 Talking Cyber Is your Internal Audit function able to thoroughly assess and help strengthen your cyber security posture? PwC CAE Chief Audit Executive

16 CAE s Cyber Agenda? Key message Questions to Consider How PwC can Help Is your IA function able to assess and respond to the increasing speed and frequency of cyber risks threatening your business? Are you aware of the threat landscape that your organisation is exposed to? Is your organisation able to identify and respond to emerging cyber threats while keeping pace with the ever evolving regulatory environment? Are your cyber operations efficient and effective? Is your controls and monitoring capability robust and able to keep pace with emerging requirements? Are you able to demonstrate compliance to existing legal regulatory requirements? Are your cyber processes designed for the future? Are you confident that you have an effective cyber risk management framework in place? We can help you assess your security posture, identify potential weak areas and help determine the appropriate remediation roadmap through a focused audit service offering including: Cyber security audit services, including penetration testing Cyber security controls testing and optimisation eg identity & access Cyber security diagnostic and cyber maturity assessments Privacy and cyber security legal assessment services, including policy and contract review services Cyber security programme assurance Threat assessment and modelling IA is already heavily involved in security audits with 84% of organisations covering data privacy, 72% focusing on identity and access management and 69% having addressed threat intelligence and vulnerability management. 9

17 Talking Cyber Are you able to prevent and withstand cyber attacks? PwC CISO Chief Information Security Officer

18 CISO s Cyber Agenda? Key message Questions to Consider How PwC can Help Are you able to successfully protect your critical assets and easily adapt to the evolving cyber security threat landscape? Are your cyber operations efficient and cost effective? Is your monitoring capability flexible and scalable? How do you prioritise your investments? When you experience a cyber incident, how do you fix the problem so it won t happen again? Are you prepared? Are you leveraging analytics to understand incidents and identify systemic issues and root causes? How do you know when you have a breach? Are your cyber resilience skills broad, scalable and flexible to deal with spikes in business demand? What are the protocols when responding to cyber threats or incidents? Are you leveraging security best practices, tools and standards? We can help you build an intelligence led security defence system, enabling rapid detection and containment of security incidents. Our services include but arenot limited to: Cyber security diagnostic, breach discovery assessment and remediation Cyber incident management, response and forensic investigation Advanced threat detection and monitoring, and threat intelligence services Integrated managed security services, including vulnerability management Cyber security programme delivery and cyber defence team augmentation Security technologies, SOC setup, operations and crisis management 20% of the large organisations detected that outsiders had successfully penetrated their network in the last year (up from 15% a year ago). Detection has improved, but the risks are still imminent. 11

19 Talking Cyber Are you able to safeguard your business and your clients data? PwC CPO Chief Privacy Officer

20 CPO s Cyber Agenda? Key message Questions to Consider Are you protected against both internal and external data leakage? Do you understand what information is most valuable, where it is located, and how it impacts the customer and business experience? Are you confident that you meet all your data protection requirements? Are you aware of the insider data threats you are exposed to? Are you employing the correct data loss prevention mechanisms to protect your business? What would happen if you had a major systems outage or customer information breach? Are you prepared? Do you have a plan to respond? Are you leveraging analytics to understand incidents and identify systemic issues and root causes? Over last one year, data protection breaches occurred in almost half of all large organisations and roughly one in ten small businesses. How PwC can Help We can help you determine your critical data assets enabling you to secure and protect your intellectual property alongside your clients and business data through a focused service offering including: Privacy and cyber security legal compliance services Data leakage monitoring and assessment service Security advisory services including data loss prevention services Security intelligence and analytics Fraud and ecrime data analytics, e-discovery and disclosure 19

21 Talking Cyber Are you able to keep pace with emerging cyber and information security regulations? PwC CCO Chief Compliance Officer

22 CCO s Cyber Agenda? Key message Questions to Consider How PwC can Help Are you effectively meeting cyber security regulatory requirements and enabling the adoption of new regulations and standards? Are you able to demonstrate compliance to existing legal and regulatory requirements around cyber? How will you ensure compliance with the emerging Information Security regulations and standards, whilst not losing sight of other important Information Security issues? Is you compliance assessment process able to reveal potential weaknesses? How can you begin to stabilise and simplify your regulatory reporting, risk and compliance activities to reduce barriers to growth? Have you effectively embedded good Information Security behaviours into your organisation s culture? We can help you navigate the complex regulatory landscape, enabling you to promptly respond to emerging cyber security regulations and standards. Our service offering include: Providing legal support and general counsel on regulatory proceedings Advising on the latest regulatory requirements and potential implementation of cyber security best practices Cyber security assessments against security standards and best practices Culture & behaviours programme delivery; cyber security awareness and training Given the increasing legal and regulatory focus on cyber security, monitoring the level of regulatory compliance has become essential. 13

23 Talking Cyber Is your technology investment enabling cyber resilience? PwC CTO Chief Technology Officer

24 CTO s Cyber Agenda? Key message Questions to Consider Are you able to leverage technology to your advantage, deriving maximum return from your security technology investments for cyber? What are the appropriate technologies to invest in and when is the right time to invest? Have you assessed the full impact of business disruption, and do you understand your reliance on critical systems? How are you protecting these systems? How is cyber resilience managed for new systems, projects or product launches? Is it cost effective? Are you using your resources in a secure way by employing the correct blend of technology security controls? How are you measuring the effectiveness and efficiency of your controls framework? 60 million banking transactions were lost by a major bank due to a system malfunction suffered in 2010; all transactions had to be manually recovered. How PwC can Help We can help you use technology to your advantage, enabling you to prioritise you investments in information technology, operations technology and consumer technology. Our key service offering consists of: Technology and security risk assessment services enabling an in depth review of your critical systems/ applications and technology processes Controls framework design, implementation and testing services (including penetration testing) Business resilience and IT continuity services Identity and access management, aswell as security integration services 15

25 Talking Cyber Can you effectively manage your interconnected business ecosystem? PwC CAO Chief Administrative Officer

26 CAO s Cyber Agenda? Key message Questions to Consider How PwC can Help Can you effectively manage your suppliers and are your supporting functions enabling you to conduct your business securely? Are you able to effectively manage your suppliers? Are you managing your contract lifecycles effectively? Are you aware of the outsourcing risks and are you able to manage them? How do you know your service providers effectively manage cyber risks? Do you understand the potential impact of your supplier breaches and are you prepared to respond to them? Do you have a culture of cyber resilience and are your internal processes aligned to prevent and address potential cyber risks? We can help you understand and manage risk in your interconnected business ecosystem, assisting you to secure your digital channels, enabling partner and supplier management. Our key service offering are as follows: Defining security policies and the mandatory requirements that your business users, and third parties must adhere to Help you assess/ develop and maintain your outsourcing strategy to enable effective risk mitigation Privacy and cyber security legal assessment services, including policy and contract review services Third party security assurance services, litigation and dispute services 78% of the organisations claim that they have effective security behaviours instilled into their culture, yet fewer than half require suppliers to comply with privacy policies. 17

27 We can help secure your digital future We provide a comprehensive range of integrated cyber security services that help you assess, build and manage your cyber security capabilities, and respond to incidents and crises. Our services are designed to help you build confidence, understand your threats and vulnerabilities, and secure your environment. Our cyber security service delivery team includes incident response, legal, risk, technology and change management specialists. You can t secure everything We will help assess your cyber priorities: Enterprise security architecture Protect what matters Strategy, organisation and governance Threat intelligence Priorities Risk Seize the advantage Our security assessment will help you identify digital opportunity with confidence as we will assess key aspects of your cyber strategy: Digital trust embedded in the strategy Privacy and cyber security legal compliance Risk management and risk appetite It s not if but when The assessment will cover: Continuity and resilience Crisis management Incident response and forensics Monitoring and detection Fix the basics The cyber assessment will critically evaluate your security foundation: Identity and access management Information technology, operations technology and consumer technology IT security hygiene and controls alignment to your business processes Security intelligence and analytics Crisis Technology People Connection Their risk is your risk Our assessment will review existing cyber risk and provide recommendations to help manage risk in your interconnected business ecosystem. Digital channels Partner and supplier management Robust contracts People matter The assessment will evaluate your cyber maturity in the following key areas: Insider threat management People and moments that matter Security culture and awareness 21

28 Find out more Tan Shong Ye Partner Kyra Mattar Partner Jimmy Sng Partner Ervin Jocson Partner This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it PricewaterhouseCoopers LLP. All rights reserved. In this document, PwC refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.