Cyber Risk A Threat to the Digital Agenda Vincent Loy, PwC Singapore Strictly Private and Confidential June 2015

A Threat to the Digital Agenda - IBF Connect 2015... · 2015-07-27

Cyber Risk
A Threat to the Digital Agenda

Vincent Loy, PwC Singapore

Strictly Private and Confidential

June 2015

PwC January 2015

Table of Contents

1 Cyber – Opportunities and Threats

2 Cyber Threats – Why, Who, What and How?

3 Putting Cyber Threats in Perspective

Section 1: Cyber – Opportunities and Threats

The New Dynamic - New Opportunities

The digital age provides many opportunities for growth

• Automation
• Mobile / Social media
• Innovation
• Cost efficiency
• Cloud
• Hyper-connectivity & Integration
• Expanded Sphere
• Collaboration & Trust
• Data and Digital Footprint

Trust + Opportunity = Growth

The New Global Business Ecosystem - The Risks

Pressures and changes which create opportunity and risk

• Interconnected, integrated, and interdependent environments

• Constant information flow is the lifeblood of the business ecosystem

• Adversaries are actively targeting critical assets

• Years of underinvestment

• An ecosystem built around a model of open collaboration and trust

The Risks - Organizations have not kept pace

Years of underinvestment in certain areas have left organizations unable to adequately adapt and respond to dynamic cyber risks.

Areas shown in the diagram:

• Product & Service Security
• Physical Security
• Operational Technology Security
• Public/Private Information Sharing
• Threat Modeling & Scenario Planning
• Technology Adoption and Enablement
• Ecosystem & Supply Chain Security
• Global Security Operations
• Breach Investigation and Response
• Notification and Disclosure
• Privileged Access Management
• Security Technology Rationalization
• Patch & Configuration Management
• Insider Threat
• User Administration
• Technology Debt Management
• Secure Mobile and Cloud Computing
• Security Strategy and Roadmap
• Board, Audit Committee, and Executive Leadership Engagement
• Business Alignment and Enablement
• Process and Technology Fundamentals
• Threat Intelligence
• Incident and Crisis Management
• Risk and Impact Evaluation
• Resource Prioritization
• Security Program, Functions, Resources and Capabilities
• Compliance Remediation
• Security Culture and Mindset
• Monitoring and Detection
• Critical Asset Identification and Protection

Section 2: Cyber Threats – Who, What and How?

Who are we protecting against

• Nation State
• Hacktivism
• Organised Crime
• Cyber Terrorists
• Insider

The Actors and The Information They Target

Adversary

• Nation State
• Organized Crime
• Insiders
• Hacktivists

What’s most at risk?

• Emerging technologies
• Military technologies
• Advanced materials and manufacturing techniques
• Healthcare, pharmaceuticals, and related technologies
• Business deals information
• Health records and other personal data
• Industrial Control Systems (SCADA)
• R&D and / or product design data
• Payment card and related information / financial markets
• Information and communication technology and data

Input from Office of the National Counterintelligence Executive, Report to Congress on the Foreign Economic Collection and Industrial Espionage, 2009-2011, October 2011.

Cyber Attacks – Significant business impacts

• Financial losses
• Share price
• Regulatory
• Costs of remediation & investigation
• Brand & reputation

Profiles of Threat Actors

Section 3: Putting Cyber Threats in Perspective

Putting cybersecurity into perspective

Cybersecurity represents many things to many different people

Key characteristics and attributes of cybersecurity:

• Broader than just information technology and not limited to just the enterprise

• Increasing attack surface due to technology connectivity and convergence

• An ‘outside-in view’ of the threats and potential impact facing an organization

• Shared responsibility that requires cross functional disciplines in order to plan, protect, detect and respond

Evolving perspectives
Considerations for businesses adapting to the new reality

Each item compares Historical IT Security Perspectives with Today’s Leading Cybersecurity Insights.

Scope of the challenge
• Historical: Limited to your “four walls” and the extended enterprise
• Today: Spans your interconnected global business ecosystem

Ownership and accountability
• Historical: IT led and operated
• Today: Business-aligned and owned; CEO and board accountable

Adversaries’ characteristics
• Historical: One-off and opportunistic; motivated by notoriety, technical challenge, and individual gain
• Today: Organized, funded and targeted; motivated by economic, monetary and political gain

Information asset protection
• Historical: One-size-fits-all approach
• Today: Prioritize and protect your “crown jewels”

Defense posture
• Historical: Protect the perimeter; respond if attacked
• Today: Plan, monitor, and rapidly respond when attacked

Security intelligence and information sharing
• Historical: Keep to yourself
• Today: Public/private partnerships; collaboration with industry working groups

Key success factors

• People
• Technology
• Governance
• Process
• Incident & Crisis Management
• Third-party Vendor Management
• Identify and Protect
• Detect
• Response
• Recover
• Threat & Vulnerability Management
• Security Architecture
• Security Management
• Identity Management
• Awareness & Education
• Regulations & Policy
• Emerging Technologies


Process… Questions to consider when evaluating your ability to respond to the new challenges.

• Security Culture and Mindset: Establish values and behaviors to create and promote security effectiveness

• Process and Technology Fundamentals: Evaluate and improve effectiveness of existing processes and technologies

• Threat Intelligence: Understand the threats to your industry and your business

• Monitoring and Detection: Enhance situational awareness to detect and respond to security events

• Critical Asset Identification and Protection: Identify, prioritize, and protect the assets most essential to the business

• Incident and Crisis Management: Develop a cross-functional incident response plan for effective crisis management

Cyber Security Framework

Cyber Risk

Challenges

• Lack of Board Cyber Education/Training and CIO Briefings

• Understanding your current cyber security posture

• Third party Security Risks

• Cyber Risk: not part of ERM, poor MI

• Immature Cyber Incident Response Management Process

• Difficulties in identifying/valuing Information Assets

Questions

Thank you.

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, [insert legal name of the PwC firm], its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2015 PwC Singapore. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.

Contact Us:

Vincent Loy

Partner

[email protected]

Maggie Leong

Senior Manager

[email protected]