
Cyber Risk

A Threat to the Digital Agenda

Vincent Loy, PwC Singapore

Strictly Private
and Confidential

June 2015
Table of Contents

1 Cyber – Opportunities and Threats

2 Cyber Threats – Why, Who, What and How?

3 Putting Cyber Threats in Perspective

January 2015
PwC
Section 1
Cyber – Opportunities and Threats

The New Dynamic- New Opportunities
The digital age provides many opportunities for growth

Data and Digital Footprint

• Automation
• Mobile / Social media
• Innovation
• Cost efficiency - Cloud & Integration
• Hyper-connectivity
• Expanded Sphere
• Collaboration & Trust

Trust + Opportunity = Growth

The New Global Business Ecosystem- The Risks

• Interconnected, integrated, and interdependent environments
• An ecosystem built around a model of open collaboration and trust
• Constant information flow is the lifeblood of the business ecosystem
• Adversaries are actively targeting critical assets
• Years of underinvestment

Pressures and changes which create opportunity and risk

The Risks- Organizations have not kept pace
Years of underinvestment in certain areas have left organizations unable to adequately adapt and respond to dynamic cyber risks.

[Diagram: security capability map]

Board, Audit Committee, and Executive Leadership Engagement
Business Alignment and Enablement
Risk and Impact Evaluation
Resource Prioritization

• Operational Technology Security
• Insider Threat
• Physical Security
• Secure Mobile and Cloud Computing
• Patch & Configuration Management
• Notification and Disclosure
• Product & Service Security
• Threat Intelligence
• Process and Technology Fundamentals
• Critical Asset Identification and Protection
• User Administration
• Threat Modeling & Scenario Planning
• Public/Private Information Sharing
• Privileged Access Management
• Technology Debt Management
• Technology Adoption and Enablement
• Global Security Operations
• Incident and Crisis Management
• Security Technology Rationalization
• Ecosystem & Supply Chain Security
• Monitoring and Detection
• Breach Investigation and Response
• Compliance Remediation
• Security Culture and Mindset

Security Strategy and Roadmap
Security Program, Functions, Resources and Capabilities

Section 2
Cyber Threats – Who, What and How?

Who are we protecting against

• Nation State
• Hacktivism
• Insider
• Cyber Terrorists
• Organised Crime

The Actors and The Information They Target

Adversary
• Nation State
• Hacktivists
• Organized Crime
• Insiders

What’s most at risk?
• Industrial Control Systems (SCADA)
• Emerging technologies
• Payment card and related information / financial markets
• Advanced materials and manufacturing techniques
• Military technologies
• R&D and / or product design data
• Healthcare, pharmaceuticals, and related technologies
• Business deals information
• Health records and other personal data
• Information and communication technology and data

Input from Office of the National Counterintelligence Executive, Report to Congress on the Foreign Economic Collection and Industrial Espionage, 2009-2011, October 2011.

Cyber Attacks – Significant business impacts

• Financial losses
• Share price
• Regulatory
• Costs of remediation & investigation
• Brand & reputation

Profiles of Threat Actors

Section 3
Putting Cyber Threats in Perspective

Putting cybersecurity into perspective

Cybersecurity represents many things to many different people

Key characteristics and attributes of cybersecurity:

• Broader than just information technology and not limited to just the enterprise
• Increasing attack surface due to technology connectivity and convergence
• An ‘outside-in view’ of the threats and potential impact facing an organization
• Shared responsibility that requires cross functional disciplines in order to plan, protect, detect and respond

Evolving perspectives
Considerations for businesses adapting to the new reality

Scope of the challenge
• Historical IT Security Perspectives: Limited to your “four walls” and the extended enterprise
• Today’s Leading Cybersecurity Insights: Spans your interconnected global business ecosystem

Ownership and accountability
• Historical IT Security Perspectives: IT led and operated
• Today’s Leading Cybersecurity Insights: Business-aligned and owned; CEO and board accountable

Adversaries’ characteristics
• Historical IT Security Perspectives: One-off and opportunistic; motivated by notoriety, technical challenge, and individual gain
• Today’s Leading Cybersecurity Insights: Organized, funded and targeted; motivated by economic, monetary and political gain

Information asset protection
• Historical IT Security Perspectives: One-size-fits-all approach
• Today’s Leading Cybersecurity Insights: Prioritize and protect your “crown jewels”

Defense posture
• Historical IT Security Perspectives: Protect the perimeter; respond if attacked
• Today’s Leading Cybersecurity Insights: Plan, monitor, and rapidly respond when attacked

Security intelligence and information sharing
• Historical IT Security Perspectives: Keep to yourself
• Today’s Leading Cybersecurity Insights: Public/private partnerships; collaboration with industry working groups

Key success factors

[Diagram: key success factors]

Cycle: Identify and Protect, Detect, Response, Recover

Pillars: People, Process, Technology, Governance

• Security Management
• Emerging Technologies
• Security Architecture
• Third-party Vendor Management
• Threat & Vulnerability Management
• Incident & Crisis Management
• Identity Management
• Regulations & Policy
• Awareness & Education

Process…
Questions to consider when evaluating your ability to respond to the
new challenges.

• Understand the threats to your industry and your business
• Evaluate and improve effectiveness of existing processes and technologies
• Identify, prioritize, and protect the assets most essential to the business
• Develop a cross-functional incident response plan for effective crisis management
• Enhance situational awareness to detect and respond to security events
• Establish values and behaviors to create and promote security effectiveness

[Diagram: security capability map, as on the slide “The Risks- Organizations have not kept pace”]

Cyber Security Framework

Cyber Risk

Challenges

• Lack of Board Cyber Education/Training and CIO Briefings
• Understanding your current cyber security posture
• Third party Security Risks
• Cyber Risk: not part of ERM, poor MI
• Immature Cyber Incident Response Management Process
• Difficulties in identifying/valuing Information Assets

Questions

Thank you.

Contact Us:

Vincent Loy, Partner
Vincent.J.Loy@sg.pwc.com

Maggie Leong, Senior Manager
Maggie.Leong@sg.pwc.com

This publication has been prepared for general guidance on matters of interest only, and does not
constitute professional advice. You should not act upon the information contained in this publication
without obtaining specific professional advice. No representation or warranty (express or implied) is
given as to the accuracy or completeness of the information contained in this publication, and, to the
extent permitted by law, [insert legal name of the PwC firm], its members, employees and agents do
not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone
else acting, or refraining to act, in reliance on the information contained in this publication or for any
decision based on it.

© 2015 PwC Singapore. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers
LLP which is a member firm of PricewaterhouseCoopers International Limited, each member firm of
which is a separate legal entity.
