Cyber Risk · Cyber security programme delivery and cyber defence team augmentation • Security...

Cyber Risk

Having better conversations on cyber

www.pwc.com/sg/risk-assurance

PwC

Contents

• Putting Cyber Security into perspective

• Engaging C-Suite executives on cyber security

• C-Suite – key messages & discussion points

─ Chief Executive Officer

─ Chief Financial Officer

─ Chief Risk Officer

─ Chief Audit Executive

─ Chief Information Security Officer

─ Chief Privacy Officer

─ Chief Compliance Officer

─ Chief Technology Officer

─ Chief Administrative Officer

• Securing your digital future

Cyber risk is not a technical/technology problem, it is a business issue and is a significant board agenda. Organisations are taking steps to fundamentally shift how their information security function operates in light of cyber risks.

Your digital world just got bigger and the new business ecosystem must remain protected.

[Figure labels: Enterprise; Consumer; Suppliers; JV/Partners; Service Providers; Customer; Industry/Competitors; Technology; Environmental; Economic]

At a glance

Cyberattacks are accelerating at an unprecedented rate—and your approach to cybersecurity must keep pace. Here’s how businesses are adapting to the new reality:

Scope of the challenge

• Historical IT Security Perspectives: Limited to your “four walls” and the extended enterprise

• Today’s Leading Cybersecurity Insights: Spans your interconnected global business ecosystem

Ownership and accountability

• Historical IT Security Perspectives: IT led and operated

• Today’s Leading Cybersecurity Insights: Business-aligned and owned; CEO and board accountable

Adversaries’ characteristics

• Historical IT Security Perspectives: One-off and opportunistic; motivated by notoriety, technical challenge, and individual gain

• Today’s Leading Cybersecurity Insights: Organized, funded, and targeted; motivated by economic, monetary, and political gain

Information asset protection

• Historical IT Security Perspectives: One-size-fits-all approach

• Today’s Leading Cybersecurity Insights: Prioritize and protect your “crown jewels”

Defense posture

• Historical IT Security Perspectives: Protect the perimeter; respond if attacked

• Today’s Leading Cybersecurity Insights: Plan, monitor, and rapidly respond for when attacked

Security intelligence and information sharing

• Historical IT Security Perspectives: Keep to yourself

• Today’s Leading Cybersecurity Insights: Public/private partnerships; collaboration with industry working groups

Putting cybersecurity into perspective

• Cybersecurity represents many things to many different people

• Key characteristics and attributes of cybersecurity:

─ Broader than just information technology and not limited to just the enterprise

─ Increasing attack surface due to technology connectivity and convergence

─ An ‘outside-in view’ of the threats and potential impact facing an organization

─ Shared responsibility that requires cross functional disciplines in order to plan, protect, defend and respond

Profiles of Cyber threat actors

Nation State

• Motives: Economic, political, and/or military advantage

• Targets: Trade secrets; Sensitive business information; Emerging technologies; Critical infrastructure

• Impact: Loss of competitive advantage; Disruption to critical infrastructure

Organized Crime

• Motives: Immediate financial gain; Collect information for future financial gains

• Targets: Financial / Payment Systems; Personally Identifiable Information; Payment Card Information; Protected Health Information

• Impact: Costly regulatory inquiries and penalties; Consumer and shareholder lawsuits; Loss of consumer confidence

Insiders

• Motives: Personal advantage, monetary gain; Professional revenge; Patriotism

• Targets: Sales, deals, market strategies; Corporate secrets, IP, R&D; Business operations; Personnel information

• Impact: Trade secret disclosure; Operational disruption; Brand and reputation; National security impact

Hacktivists

• Motives: Influence political and/or social change; Pressure business to change their practices

• Targets: Corporate secrets; Sensitive business information; Information related to key executives, employees, customers & business partners

• Impact: Disruption of business activities; Brand and reputation; Loss of consumer confidence

The adversaries conducting cyber attacks and what they target

Adversary – Cyber Attacks

• Economic, political and/or military advantage

• Immediate or future financial gain

• Personal advantage, revenge or patriotism

• Influence political and/or social change

What’s most at risk?

• Emerging technologies

• Military technologies

• Advanced materials and manufacturing techniques

• Healthcare, pharmaceuticals, and related technologies

• Business deals information

• Health records and other personal data

• Industrial Control Systems (SCADA)

• R&D and/or product design data

• Payment card and related information / financial transactions

• Information and communication technology and data

Input from Office of the National Counterintelligence Executive, Report to Congress on the Foreign Economic Collection and Industrial Espionage, 2009-2011, October 2011.

Engaging C-Suite executives on Cyber Security

Who’s behind this massive loss of data? There are very savvy criminals out there looking to profit from the sale of your customer data and your proprietary information.

Compliance does not equal security or does it? Unfortunately, most executives don’t think about security beyond complying with security regulations.

Do you think antivirus is fool proof security? The scary thing about cyber risks today is the companies that completely ignore security may have already been breached and do not even know it.

Put security on your agenda before it becomes an agenda. Executives who ignore security not only gamble with their company’s brand and good name, they also lose an opportunity to set themselves apart from the rest.

Why cyber threats have become business risks. When CEOs and Boards evaluated their market threats or competitors, few previously considered cyber threats. Today, the sheer volume and concentration of data, coupled with easy global access throughout the business ecosystem, magnifies the exposure from cyber attacks.

Talking Cyber

CEO

Does your cyber security strategy support your long term goals?

Chief Executive Officer

CEO’s Cyber Agenda

Key message

A single successful attack could destroy an organisation’s financial standing or reputation.

Questions to Consider

• Is security part of your board agenda?

• Is cyber security an integral part of your business model and strategy?

• Are you aware of the top risks and threats that your organisation is exposed to?

• Are you aware of major security incidents the industry has experienced in the last year? Is your organisation prepared to respond to such incidents?

• Is your organisation able to identify and respond to emerging cyber threats while keeping pace with the ever evolving regulatory environment?

How PwC can Help?

We can help assess your existing capabilities and cyber security maturity, enabling you to prioritise your investment. Our key services include:

• Cyber security strategy and roadmap development aligned to your wider business strategy

• Cyber security diagnostic and maturity assessment services

• Threat assessment and modelling

• Privacy and cyber security legal assessment

Cyber attacks were rated the sixth most likely global risk to occur – of the key 50 potential risks that we’ve surveyed.

Talking Cyber

Are your current investments safeguarding you from future losses?

CFO

Chief Financial Officer

CFO’s Cyber Agenda

Key message

Are you aware of the financial impact of cybercrime activities and are you able to rightly prioritise your security investments?

Questions to Consider

• Do you know your average cyber crime cost and the frequency of your attacks?

• Do you understand the cost of recovery vs. the benefit of cyber security investments?

• Are you aware of the correlation between the lack of security investment and the increase in fraud? Are you aware of your gross vs. net fraud losses?

• How is cyber resilience managed for new systems, projects or product launches? Is it cost effective?

• Are your cyber operations cost effective? How can you correctly prioritise your investments?

How PwC can Help?

We can help you prioritise your security investments, assess the effectiveness of your current security framework and technology landscape and enable you to drive cost efficiency across your cyber programme. Our services include:

• Security assessment services and service improvement

• Threat intelligence, detection and response maturity assessment

• Fraud and eCrime data analytics

• Managed vulnerability assessment services enabling detection and remediation of key security weakness through appropriate investments

£600k - £1.15m is the average cost to a large organisation of its worst security breach recorded this year (up from £450 - £850k a year ago).

Talking Cyber

Cyber crime risk is on the rise. Are you safe?

CRO

Chief Risk Officer

CRO’s Cyber Agenda

Key message

Do you have a cyber risk framework in place enabling you to adapt to the rapidly evolving threat landscape?

Questions to Consider

• Are you able to keep up with the rapidly evolving threat landscape?

• Do you have a cyber risk appetite?

• How do you identify and measure cyber security related risks and compare them with other business risks?

• Are you confident that you have an effective cyber risk management framework in place? Do you regularly reassess your cyber risk appetite?

• Have you assessed the full impact of business disruption, and do you understand your reliance on critical systems, service providers and suppliers?

How PwC can Help?

We can assess your cyber risk appetite and help develop an appropriate cyber risk management framework aligned to your business needs and threat landscape. Key services include:

• Cyber threat assessment and modelling

• Cyber security risk appetite assessment and risk management framework development

• Third party security assurance services

• Cyber security programme assurance

93% of large organisations and 87% of small businesses had a security breach in the last year.

Talking Cyber

Is your Internal Audit function able to thoroughly assess and help strengthen your cyber security posture?

CAE

Chief Audit Executive

CAE’s Cyber Agenda

Key message

Is your IA function able to assess and respond to the increasing speed and frequency of cyber risks threatening your business?

Questions to Consider

• Are you aware of the threat landscape that your organisation is exposed to?

• Is your organisation able to identify and respond to emerging cyber threats while keeping pace with the ever evolving regulatory environment?

• Are your cyber operations efficient and effective? Is your controls and monitoring capability robust and able to keep pace with emerging requirements?

• Are you able to demonstrate compliance to existing legal regulatory requirements? Are your cyber processes designed for the future?

• Are you confident that you have an effective cyber risk management framework in place?

How PwC can Help?

We can help you assess your security posture, identify potential weak areas and help determine the appropriate remediation roadmap through a focused audit service offering including:

• Cyber security audit services, including penetration testing

• Cyber security controls testing and optimisation – eg identity & access

• Cyber security diagnostic and cyber maturity assessments

• Privacy and cyber security legal assessment services, including policy and contract review services

• Cyber security programme assurance

• Threat assessment and modelling

IA is already heavily involved in security audits with 84% of organisations covering data privacy, 72% focusing on identity and access management and 69% having addressed threat intelligence and vulnerability management.

Talking Cyber

Are you able to prevent and withstand cyber attacks?

CISO

Chief Information Security Officer

CISO’s Cyber Agenda

Key message

Are you able to successfully protect your critical assets and easily adapt to the evolving cyber security threat landscape?

Questions to Consider

• Are your cyber operations efficient and cost effective? Is your monitoring capability flexible and scalable? How do you prioritise your investments?

• When you experience a cyber incident, how do you fix the problem so it won’t happen again? Are you prepared?

• Are you leveraging analytics to understand incidents and identify systemic issues and root causes? How do you know when you have a breach?

• Are your cyber resilience skills broad, scalable and flexible to deal with spikes in business demand?

• What are the protocols when responding to cyber threats or incidents? Are you leveraging security best practices, tools and standards?

How PwC can Help?

We can help you build an intelligence led security defence system, enabling rapid detection and containment of security incidents. Our services include but are not limited to:

• Cyber security diagnostic, breach discovery assessment and remediation

• Cyber incident management, response and forensic investigation

• Advanced threat detection and monitoring, and threat intelligence services

• Integrated managed security services, including vulnerability management

• Cyber security programme delivery and cyber defence team augmentation

• Security technologies, SOC setup, operations and crisis management

20% of the large organisations detected that outsiders had successfully penetrated their network in the last year (up from 15% a year ago). Detection has improved, but the risks are still imminent.

Talking Cyber

Are you able to safeguard your business and your clients’ data?

CPO

Chief Privacy Officer

CPO’s Cyber Agenda

Key message

Are you protected against both internal and external data leakage?

Questions to Consider

• Do you understand what information is most valuable, where it is located, and how it impacts the customer and business experience?

• Are you confident that you meet all your data protection requirements?

• Are you aware of the insider data threats you are exposed to? Are you employing the correct data loss prevention mechanisms to protect your business?

• What would happen if you had a major systems outage or customer information breach? Are you prepared? Do you have a plan to respond?

• Are you leveraging analytics to understand incidents and identify systemic issues and root causes?

How PwC can Help?

We can help you determine your critical data assets, enabling you to secure and protect your intellectual property alongside your clients’ and business data through a focused service offering including:

• Privacy and cyber security legal compliance services

• Data leakage monitoring and assessment service

• Security advisory services including data loss prevention services

• Security intelligence and analytics

• Fraud and eCrime data analytics, e-Discovery and disclosure

Over the last one year, data protection breaches occurred in almost half of all large organisations and roughly one in ten small businesses.

Talking Cyber

Are you able to keep pace with emerging cyber and information security regulations?

CCO

Chief Compliance Officer

CCO’s Cyber Agenda

Key message

Are you effectively meeting cyber security regulatory requirements and enabling the adoption of new regulations and standards?

Questions to Consider

• Are you able to demonstrate compliance to existing legal and regulatory requirements around cyber?

• How will you ensure compliance with the emerging Information Security regulations and standards, whilst not losing sight of other important Information Security issues?

• Is your compliance assessment process able to reveal potential weaknesses?

• How can you begin to stabilise and simplify your regulatory reporting, risk and compliance activities to reduce barriers to growth?

• Have you effectively embedded good Information Security behaviours into your organisation’s culture?

How PwC can Help?

We can help you navigate the complex regulatory landscape, enabling you to promptly respond to emerging cyber security regulations and standards. Our service offerings include:

• Providing legal support and general counsel on regulatory proceedings

• Advising on the latest regulatory requirements and potential implementation of cyber security best practices

• Cyber security assessments against security standards and best practices

• Culture & behaviours programme delivery; cyber security awareness and training

Given the increasing legal and regulatory focus on cyber security, monitoring the level of regulatory compliance has become essential.

Talking Cyber

Is your technology investment enabling cyber resilience?

CTO

Chief Technology Officer

CTO’s Cyber Agenda

Key message

Are you able to leverage technology to your advantage, deriving maximum return from your security technology investments for cyber?

Questions to Consider

• What are the appropriate technologies to invest in and when is the right time to invest?

• Have you assessed the full impact of business disruption, and do you understand your reliance on critical systems? How are you protecting these systems?

• How is cyber resilience managed for new systems, projects or product launches? Is it cost effective?

• Are you using your resources in a secure way by employing the correct blend of technology security controls? How are you measuring the effectiveness and efficiency of your controls framework?

How PwC can Help?

We can help you use technology to your advantage, enabling you to prioritise your investments in information technology, operations technology and consumer technology. Our key service offering consists of:

• Technology and security risk assessment services enabling an in depth review of your critical systems/applications and technology processes

• Controls framework design, implementation and testing services (including penetration testing)

• Business resilience and IT continuity services

• Identity and access management, as well as security integration services

60 million banking transactions were lost by a major bank due to a system malfunction suffered in 2010; all transactions had to be manually recovered.

Talking Cyber

Can you effectively manage your interconnected business ecosystem?

CAO

Chief Administrative Officer

CAO’s Cyber Agenda

Key message

Can you effectively manage your suppliers and are your supporting functions enabling you to conduct your business securely?

Questions to Consider

• Are you able to effectively manage your suppliers? Are you managing your contract lifecycles effectively?

• Are you aware of the outsourcing risks and are you able to manage them?

• How do you know your service providers effectively manage cyber risks?

• Do you understand the potential impact of your supplier breaches and are you prepared to respond to them?

• Do you have a culture of cyber resilience and are your internal processes aligned to prevent and address potential cyber risks?

How PwC can Help?

We can help you understand and manage risk in your interconnected business ecosystem, assisting you to secure your digital channels, enabling partner and supplier management. Our key service offerings are as follows:

• Defining security policies and the mandatory requirements that your business users and third parties must adhere to

• Helping you assess, develop and maintain your outsourcing strategy to enable effective risk mitigation

• Privacy and cyber security legal assessment services, including policy and contract review services

• Third party security assurance services, litigation and dispute services

78% of the organisations claim that they have effective security behaviours instilled into their culture, yet fewer than half require suppliers to comply with privacy policies.

We can help secure your digital future

We provide a comprehensive range of integrated cyber security services that help you assess, build and manage your cyber security capabilities, and respond to incidents and crises. Our services are designed to help you build confidence, understand your threats and vulnerabilities, and secure your environment. Our cyber security service delivery team includes incident response, legal, risk, technology and change management specialists.

You can’t secure everything

We will help assess your cyber priorities:

• Enterprise security architecture

• Protect what matters

• Strategy, organisation and governance

• Threat intelligence

It’s not if but when

The assessment will cover:

• Continuity and resilience

• Crisis management

• Incident response and forensics

• Monitoring and detection

Fix the basics

The cyber assessment will critically evaluate your security foundation:

• Identity and access management

• Information technology, operations technology and consumer technology

• IT security hygiene and controls alignment to your business processes

• Security intelligence and analytics

Seize the advantage

Our security assessment will help you identify digital opportunity with confidence as we will assess key aspects of your cyber strategy:

• Digital trust embedded in the strategy

• Privacy and cyber security legal compliance

• Risk management and risk appetite

Their risk is your risk

Our assessment will review existing cyber risk and provide recommendations to help manage risk in your interconnected business ecosystem.

• Digital channels

• Partner and supplier management

• Robust contracts

People matter

The assessment will evaluate your cyber maturity in the following key areas:

• Insider threat management

• People and ‘moments that matter’

• Security culture and awareness

[Figure labels: Priorities; Risk; Connection; People; Technology; Crisis]

Find out more

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2018 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.

Ervin Jocson, Partner, +65 8318 1830

Jimmy Sng, Partner, +65 6236 3808

Kyra Mattar, Partner, +65 9846 8500

Tan Shong Ye, Partner, +65 6236 3262