Navigating Cyber Risk EB18… · pathways in to cyber security and by providing training and...

Navigating Cyber Risk Executive Briefing Cyber Risk


Introduction

Cyber security is now in the news on a weekly or even daily basis, and business leaders want to better understand the trends their organisation and sector are facing.

This briefing provides a snapshot of the current trends, threats and risks that leaders should be aware of and understand. It is updated on a quarterly basis to reflect changes over time and to highlight new or emerging trends.

These trends are evolving at the same time as cross-sector demand is growing for security advisory, delivery and managed services capabilities. While some demands are common to all industry sectors, others vary widely between sectors, geographies and regulatory regimes.

Leading organisations are responding by investing in cyber transformation programmes, talent acquisition and retention, and security innovation – with particular emphasis on threat intelligence, security operations and red-teaming.

Is your organisation facing cyber security challenges that are growing in complexity? Are you looking for ways to understand and deal with the trends, threats and risks described in this briefing? Feel free to get in touch with a Deloitte cyber security leader near you for more information.

© 2018 Deloitte LLP. All rights reserved.


Political

Encryption – Strong encryption is now a commercial selling point for many tech companies and smartphone manufacturers, raising tensions with governments who wish to have access to now-encrypted data. This will continue to play out through legal challenges to government demands, tech upgrades that secure corporate data flows, and growing public demands for increased privacy of personal data.

Into the wild – Powerful technical exploits – allegedly developed by government hackers – have been leaked on the internet and used by less skilled hackers to cause damage and business disruption to public and private sector networks. This presents significant challenges for large organisations that rely on complex networks and legacy technology, and cannot upgrade or patch systems fast enough to keep pace with attackers.

Political interference – The use of social media to spread disinformation and influence elections and public opinion is a concerning sign of things to come. The long-term implications are unclear, but the manipulation of populations is now possible for a wide set of organisations, not just governments or media giants. Technology and social media companies are likely to face popular and political pressure to respond and take action, particularly in advance of elections.

Offensive capability – Governments are beginning to acknowledge what has long been clear: that many of them are developing offensive cyber capabilities. Although these capabilities are usually described as a deterrent, the private sector can be caught in the middle and used as a target or as a means of conducting surveillance and reconnaissance activities.


Legal

Directive on security of network and information systems (NIS Directive) – A major element of the EU’s cyber security strategy, focused on establishing a common security baseline across critical national infrastructure. Each member state will appoint an authority to oversee the application of the Directive, and in-scope organisations will be categorised as either ‘operators of essential services’ or ‘digital service providers’. In force from May 2018.

Privacy Shield – This enables companies to transfer personal data between the EU and US and replaces the (now-defunct) Safe Harbor Agreement. Privacy Shield will almost certainly be challenged in European courts, potentially forcing some companies to rely on other mechanisms, such as binding corporate rules or model clauses, to legally transfer data to the US.

General Data Protection Regulation (GDPR) – A range of new EU privacy and data protection requirements. In force from May 2018. The maximum fine of 4% attracts disproportionate attention and is likely to be used only for repeated violations that constitute negligence. The GDPR will have a global impact, and business models built around exploiting data will likely evolve or even disappear due to regulatory changes.

Wave of regulation – A host of new cyber security-related regulations are either launching or in development (e.g., GDPR, NIS Directive, NY DFS). Political scrutiny of social media companies (in the wake of the 2016 US election) may foreshadow similar action in the EU, with the potential for regulators to become involved.


Economic

Cyber risk remains difficult to price – There is continuing uncertainty among insurers and reinsurers – on both sides of the Atlantic – over how best to price cyber risk. There is particular concern around risks that are difficult to quantify, accumulated or correlated risks (such as those from widely used or homogeneous technologies), as well as risks resulting from government actions in cyberspace.

Trust is priceless – Data losses are increasing in size and frequency as billions of accounts are compromised, causing material impact on share price or sale price. As data becomes more central to an organisation, the loss of the data – or loss of trust in those holding the data – is starting to matter. There is a competitive advantage for organisations that can credibly position themselves as more secure than their competitors.

Cybercrime as a Service – This does not always have to be sophisticated to be successful. Examples include large botnets rented out to launch Distributed Denial of Service (DDoS) attacks, or malware packages that have a well-supported development lifecycle. The scale and volume of these attacks on organisations (and on third parties and wider supply chains) is increasing rapidly and can be extremely difficult and costly to defend against.

Attacks become destructive – Business disruption is increasing from destructive large-scale attacks on stored data (e.g., wiper attacks disguised as ransomware). This has impacted several large multinationals, with losses estimated in the hundreds of millions of euros. While initially painful, these incidents can provide impacted organisations (and their competitors) with a clear business rationale for security and technology infrastructure upgrades.


Social

Trust is essential – Sophisticated attacks on banks in at least four countries (Bangladesh, Philippines, Ecuador and Vietnam) have exploited weaknesses in the banks’ implementation of financial messaging, resulting in losses of more than $80 million. These incidents have highlighted a need for robust security and integrity of globally systemic financial services systems.

People still matter – The human factor remains hugely important in cyber security, with global demand for expertise predicted to exceed supply by at least 33% by 2020. Some cyber security skills can be taught swiftly, but most require real-world experience and time. Organisations can benefit by offering different pathways into cyber security and by providing training and development opportunities to retain the talent they currently have.

Diversity is needed – Women are currently estimated to comprise only 11% of the global cyber security workforce. This imbalance in the cyber security industry (and technology more broadly) is a business issue, and is increasingly becoming a policy and public relations issue for many companies. A diverse security team can produce better security outcomes by bringing a more balanced cultural and gender perspective to defending an organisation, thereby minimising groupthink bias.

Perceptions of privacy – There is still a disconnect between the perception and reality of online collection of personal information, with many people unaware of the vast amount of personal data that is collected about them online. For example, a recent Deloitte Mobile Consumer Survey showed that more than 70% of European residents are aware that companies use their personal data, but only 14% believe that their online purchasing history is shared with third parties.


Technological

Ransomware is lucrative – Ransomware attacks impact hundreds of thousands of individuals around the globe, and cause significant business disruption for public and private sector organisations. Ransomware packages can be bought online easily, with some sellers even offering customer support to aspiring criminals.

Smartphones become ubiquitous – Developed economies have reached high levels of smartphone ownership (above 80 percent in most European countries), and online commerce is focused on reaching these users. A thriving second-hand market is increasing ownership in developing economies, and most of the world’s internet users now connect through a smartphone (as opposed to a PC or laptop).

Attack of the things – The rapid growth of low-cost, low-margin connected devices (Internet of Things – IoT) is blurring network boundaries and creating opportunities for large-scale attacks. IoT devices are often weak in terms of security and management, and this challenge is compounded by the drive of staff to bring personal devices into the office.

Fintech spreads – Fintech is becoming a commercial differentiator in financial services. Organisations face increasing pressure to update core systems towards the ‘architecture of the future’ that is cloud-based and agile, and there is a focus on cutting through the hype to understand the real benefits of technologies such as blockchain and machine learning.


Our local network

Southern Africa

Navin Sing, Managing Director: Risk Advisory Africa, +27 83 304 [email protected]

Shahil Kanjee, Risk Advisory Africa Leader: Cyber Technology Risk, +27 83 634 [email protected]

Cathy Gibson, Director: Risk Advisory Africa, +27 82 330 [email protected]

Tiaan van Schalkwyk, Associate Director: Risk Advisory Africa, +27 83 475 [email protected]

West Africa

Anthony Olukoju, Risk Advisory Regional Leader, +234 805 209 [email protected]

Temitope Aladenusi, Director: Risk Advisory, +234 805 901 [email protected]

East Africa

Julie Nyangaya, Risk Advisory Regional Leader, +254 720 111 [email protected]

William Oelofse, Director: Risk Advisory, +254 20 423 [email protected]

Central Africa

Tricha Simon, Risk Advisory Regional Leader, +260 973 224 [email protected]

Rodney Dean, Director: Risk Advisory, +263 867 700 [email protected]


Our global network

Africa: Shahil [email protected]

Austria: Gilbert [email protected]

Belgium: Chris [email protected]

Central Europe: Lajos [email protected]

CIS: Denis [email protected]

Cyprus: Panicos [email protected]

Denmark: Kim [email protected]

Finland: Karthi [email protected]

France: Michael [email protected]

Germany: Peter [email protected]

Greece: Christos [email protected]

Iceland: Thorvaldur [email protected]

Ireland: Jacky [email protected]

Israel: Lior [email protected]

Italy: Stefano [email protected]

Luxembourg: Stephane [email protected]

Malta: Ivan [email protected]

Middle East: Fadi [email protected]

Netherlands: Niels van de [email protected]

Norway: Bjorn [email protected]

Portugal: Goncalo [email protected]

Spain: Cesar Martin [email protected]

Sweden: Marcus [email protected]

Switzerland: Klaus [email protected]

Turkey: Burc [email protected]

UK: Phill [email protected]


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about to learn more about our global network of member firms.

Deloitte provides audit & assurance, consulting, financial advisory, risk advisory, tax and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500 ® companies through a globally connected network of member firms in more than 150 countries and territories bringing world-class capabilities, insights, and high-quality service to address clients’ most complex business challenges. To learn more about how Deloitte’s approximately 245,000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.

© 2018. For information, contact Deloitte Touche Tohmatsu Limited.