KPMG Türkiye Denetim Komitesi Enstitüsü (KPMG Turkey Audit Committee Institute), 26 July 2016

Document Classification: KPMG Confidential

© 2016 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.


Speaker: David Ferbrache, Director, Cyber Security Advisory, KPMG UK

Cyber Crime: Changing landscapes, developing responses

Dave Ferbrache

© 2016 KPMG Al Fozan & Partners, a partnership registered in Saudi Arabia and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.

Audit Committee Trends

How much agenda time should you devote to cyber security (including data privacy) relative to last year? (survey responses, values as listed on the slide in legend order)

  • Significantly more time: 15%
  • More time: 40%
  • No change: 37%
  • Less time: 3%
  • N/A: 5%

Please rate the quality of the information you receive about the risks… (survey responses, values as listed on the slide in legend order)

  • Excellent: 10%
  • Generally good: 49%
  • Need improvement: 41%

Patterns of Cyber Crime

Commoditised Attacks Against Everyone

  • Botnets & Banking Trojans
  • Extortion by DDoS & Ransomware
  • Underground Economy
  • Large Scale Social Engineering

Key Questions to Ask…

  • Who is in charge?
  • Have we got the basics right? Are we sure?
  • How would we respond if it happened?
  • What would we tell our clients?
  • What about our suppliers?
  • Do our people know what to do?

The basics: Firewalls; Anti-Virus; Patching; Passwords; Backups; Education/Awareness

Targeted Attacks against businesses/UHNWI (ultra-high-net-worth individuals)

  • CEO Frauds / Business Email Compromises
  • Card Not Present and EFTPOS
  • Bulk Data Breaches

More Demanding Questions to Ask…

  • Do we know what matters?
  • Are we protecting our “crown jewels”?
  • How do we keep up with the threat?
  • How do we test and exercise our defences?
  • How do we detect intrusions?
  • What about our ecosystem?
  • What is the role of cyber insurance?

Corresponding areas of control:

  • Risk Management
  • Additional Protection
  • Access Management
  • Threat Intelligence
  • Red Teams and Exercises
  • Third Party Security
  • Cyber insurance

High End Cyber Attacks against the finance system

  • Direct Compromise of Bank Systems
  • Financially Savvy Criminals
  • Secondary Market Manipulation
  • Links Between Espionage and Crime

The Most Demanding Questions to Ask…

  • How effectively do our defences counter the threat?
  • How do we detect & counter unusual activity?
  • How do we stop criminals exploiting our information?
  • How do we build a cyber resilient organisation?
  • How do we pool & share intelligence?
  • What about the wider community?
  • What is the return on our investment?

Corresponding themes:

  • End to end security
  • Behavioural monitoring
  • Community intelligence
  • Active cyber defence
  • Cyber resilience
  • Portfolio optimisation

Comprehensive approach: BUILD CYBER RESILIENCE

  • Identify: identify key assets and business processes
  • Protect: protect key assets from insider and external attack
  • Detect: detect malicious, unusual or anomalous activity
  • Respond: develop and exercise response and recovery options

Bringing it together

  • Understanding: Business Strategy and Goals; Intelligence; Assets; Regulatory Environment
  • Foundations: Funding & Sponsorship; Policy; Governance
  • Planning and Control: Ownership and Accountability; Risk Management; Security Operations; Vendor & Supplier Management; Compliance
  • Implementation: People; Processes; Technology

Cybersecurity Regulation

  • Global agenda point for regulators, but no common agreement on specifics.
  • Meeting the requirements of multiple regulators is increasingly challenging.
  • Key themes:
    • Governance/Risk Management
    • Frameworks and Independent Review
    • Third Parties/Supply Chain Security
    • Transparency/Incident Reporting
    • Threat Intelligence and Information Sharing
  • Started with banks… now extending to other critical infrastructure

The takeaways…

  • Basics of cyber security
  • Risk and key asset based approach
  • Education and awareness
  • Detection, response and recovery
  • Building cyber resilience
  • Digital risk and opportunity

The KPMG name and logo are registered trademarks or trademarks of KPMG International.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.