Session starts 3:00pm

Cyber Risks in Governance;The Imperatives

Theme:

PwC Nigeria - IoD Nigeria Cybersecurity Live Webinar

Thanks for joining:

Thursday 13 August 2020

Agenda

Time Activity Duration Facilitator/Anchor

3.00 – 3.05pm Welcome and Introduction 5 mins Nkiruka Aimienoho

(Senior Manager, Cybersecurity Resilience & Privacy, PwC Nigeria)

3.05 – 3.10pm Opening Remarks 5 mins Chief Chris Okunowo

(President, IoD Nigeria)

3.10 – 3.30pm Keynote Presentation 20 mins Wunmi Adetokunbo-Ajayi

(Partner, Cybersecurity & Privacy PwC Nigeria)

3.30 – 4.25pm Panel Discussion (Q&A) 55 mins Mr Austin Okere F.IoD - Panel Moderator

(Founder/Chairman CWG Plc & Ausso Leadership Academy)

Mr Kashifu Inuwa Abdullahi

(DG/CEO, National Information Technology Development Agency (NITDA))

Dr. Victoria Enape

(Principal Partner, Enape Victoria & Co.)

Wunmi Adetokunbo-Ajayi

(Partner, Digital Risk, Cybersecurity & Privacy PwC Nigeria)

4.25 – 4.30pm Wrap up and Closing 5 mins Chief Chris Okunowo

(President, IoD Nigeria)

Welcome

Nkiruka Aimienoho Senior Manager,

PwC Nigeria

Opening Remarks

Chief Chris

Okunowo President, IoD Nigeria

Keynote Presentation

Wunmi

Adetokunbo-AjayiPartner, PwC Nigeria

Cyber Risk in

Governance –

The Imperatives

Why is Cyber risk important?

Cyber crime is all over the news

SMEDAN Website Hacked

13 September 2018

The website of the Small and Medium Enterprises Development Agency (SMEDAN)

was hacked and defaced by a certain Ismael Chriki

INEC website hacked

Vanguard, 28 March 2015

The website of the Independent National Electoral Commission

was hacked by a group that parade itself as Nigeria Cyber Army.

The hack was confirmed by INEC on its Twitter handle,

@inecnigeria

South Africa’s Liberty Holdings suffers cyber attack

17 June 2018

Criminals gained access to the company’s data and

demanded payment from the firm for its return. The

reputational damage was considerable and the company’s

share price fell 5% on the heels of the attack.

Criminal gangs scoring points across Africa

(Privileged access )

The World Economic Forum says so

PwC

Source: World Economic Forum Global Risks Perception Survey (2019-2020)

Worsened by COVID-19

CURRENT STATE OF CYBER SECURITY

Percentage of INTERPOL survey respondent that

experienced cyber attack as a result of COVID 19

“According to one of INTERPOL’s private sector partners, 907,000 spam messages, 737 incidents related to malware and 48,000 malicious

URLs — all related to COVID-19 were detected between January and 24 April, 2020.”

Distribution of the key COVID-19 inflicted

cyberthreats based on INTERPOL report.

Donation

scams

Phishing

/Spear-Phishing/

Vishing

Online

EducationMobile Apps

Charity scams

Fake government instructionsTesting

scams

DDoS

Ransomware

Malicious

Website

Covid-19 Cyber attacks

…...the reason that matters

It’s a Business Risk

Cyber attacks can have significant business impact

Lost funds

Theft of intellectual property

Disruption to the normal course of business/trading

Loss productivity

Damage to reputational harm-loss of consumer trust, loss of current & future customers to competitors

Regulatory fines

Negative media coverage and associated public relations/damage control costs

Cost of recovering affected systems and data

Investigation costs

Litigation/settlement costs

Bankruptcy

Source: NetDiligence Cyber Claims 2019 Report

Cyber Claims in 2019

Business Impact- examples

YAHOO Equifax Adobe Nedbank

Facebook Capital One Nigeria

Loss of up to

$350m in share

value

Accrued up to

$1.35Billion as

breach costs

Settlement up to

the tune of $1

million

Reputational

damage

Drop in share

prices, regulatory

fine of up to

$1.63billion

Rapid drop in

stock price,

financial loss to the

tune of $150 million

Regulatory fine

Investigation cost

Increased cost of

compliance

Settlement cost

Maersk

$200m-$300m

PwC’s 2020 Global Economic Crime & Fraud Survey

PwC’s 2020 Global Economic Crime & Fraud Survey

Most disruptive fraud events – by industry(PwC’s 2020 Global Economic Crime and Fraud Survey)

As a Board Member, you are a Target

Primary

Target

Twitter

Account

Hack

Mike

Bloomberg

Kanye West

Bill Gates

Joe Biden

Elon Musk

UberApple

Jeff Bezos

Will this trend continue?

First, what are some of the

reasons for current status/trend?

Some reasons for current status

Increased use of

public cloud

Attacker’s risk/reward

imbalanceEase of attacks

Increasing reliance

on technology

Extension of the

corporation

Attacks-as-a

-service

Increased digitisation

-now fuelled by the

pandemic

Long-Term Risk Outlook

Source: World Economic Forum Global Risks Perception Survey (2019-2020)

Projections by the INTERPOL Cybercrime Directorate

❖ A further increase in cybercrime is highly likely in the near

future.

❖ Vulnerabilities will most likely be further exploited by

cybercriminals targeting employees’ credentials through essential

office tools and software.

❖ Coronavirus-related lockdowns will result in criminals searching for

alternative revenue streams.

❖ BEC schemes will likely surge due to the economic downturn

and shift in the business landscape.

❖ Ransomware attacks targeting the healthcare sector and

associated supply chains are likely to increase.

❖ Threat actors are expected to target the Personal Identifiable

Information of individuals.

❖ Cybercriminals will most certainly adapt their fraud schemes

to exploit the post-pandemic situation.

Will this trend continue?

❏ The rise of artificial intelligence (AI)

❏ 5G development and adoption of IoT devices increase vulnerability

❏ Globalisation of cybercrime

❏ Increased competition

❏ The cybersecurity skills gap continues to grow

❏ All other points raised before

❏ ++Increased skill levels of attackers

Nigeria’s SilverTerrier and SilentStarling Cyber groups

Tools were obtained from

free educational and

research-intended online

tutorials.

Sophisticated tools were

obtained by purchasing

them from the dark web*.

These tools were

developed by malicious

actors who put them up

for sale on the dark web*

at exorbitant prices.

Tools employed were

developed by these

group of hackers while

also re-engineering

existing tools to serve

their malicious intents.

2014 2017 2019

*Dark Web: Illegal websites where confidential information, malicious softwares, arms and ammunitions etc. are being traded by anonymous persons.

Sources: PaloAlto Network Unit42 Security Analysts and Researchers

Some recent BEC attacks in the news

New York-based Law Firm

approximately $922,857.76

“ Attempt to steal £100 million

(approximately $124 million)

from an English Premier

League soccer club. Fraudulent wire transfers from

a foreign financial institution

(Bank of Valleta, Malta)

approximately €13 million

(approximately USD $14.7

million),

sent to bank accounts around

the world.

Some recent BEC attacks in the news2

FBI- beginning no later than January 2019 and continuing until at least September

2019, actual losses caused by a particular team totalled $18,103,000 while attempted

losses were over $30,000,000.

A Chicago-based company was defrauded into sending wire transfers totaling

$15,268,000.00.

More BEC Scams...

Victim Company in Iowa.

Approximately $188,000 to a bank account in the name of the

Victim Company’s supplier.

Attempt targeted at a Michigan-based company was

thwarted by personnel at the company who noticed that it

was a fraudulent request.

This could have resulted in the loss of $1,206,418.76.

“ Victim Company in Chicago

Approximately $2,300,000 to a bank account in the name of the Victim Company’s subsidiary

opened by a money mule. Unauthorized access was gained to the company-issued email

account of the Chief Accounting Officer of a subsidiary of the victim’s company.

A good time to talk about some of the threats exploited

Denial of

service

Account

takeover

Social

Engineering

BEC Scam

The Covid-19

Effect

Data breachIdentity theft

Ransomware

Privileged

access

management

Business Risk

Privilege

escalation

Malware

How are organisations responding?

Training, awareness and regulation

Compliance with regulation

Certification to standards

Appointments of CISO

Technology implementations

Periodic vulnerability assessments

Current Approaches - Mind the Gap

Ineffective

reporting

Compliance

focused

Skills gap

Technology-

centric

Demonising

staff

Generic

approaches

Oversight

gaps

Silos

31

Strategic Considerations for Boards & Top Executives- to build a Cyber Resilient Organisation

PwC

Building a Cyber Resilient Organisation

1Address cyber as an

enterprise-wide business

issue, not an IT issue

2Have an oversight

approach with access to

cyber expertise

3Understand legal

and regulatory

requirements

5Engage in discussions with

management about cyber

risk appetite

6Get the right information

to monitor the cyber

and privacy program

7Monitor cyber resilience

4Discuss the adequacy

of the cyber strategy

and plan

7 key areas of focus

Pertinent Questions Board Members Should Ask...

❏ How could a cyber incident impact my business?

❏ How much risk are we willing to take?

❏ How resilient is my business to a cyber-attack?

❏ Which threats should we be most concerned about?

❏ Are we spending in the right areas?

❏ What actions are we taking to educate employees (the first

line of defense) about how to identify and react to the cyber

attack schemes?

❏ Are there gaps in our cybersecurity capabilities?

❏ How is the IT function changing its strategic priorities in the

short-, mid- and long-term and are resources sufficient to

achieve these priorities?

❏ Has the incident response plan been updated for leadership

and employees in a remote working environment?

❏ How are increased third-party and fourth-party security risks

due to COVID-19 & other related matters being managed?

34

Next Steps for Business Leaders

Leading from the front

Dear Sir/Ma

To Board Member

1. Determine your Cyber risk profile- your company does not have the resources

to address all cyber security problems

2. Focus on Resilience

3. Attacks are not always sophisticated

Good luck!

Yours sincerely

www.pwc.com

Contact Details

Wunmi Adetokunbo-Ajayi

Partner, Digital Risk and Cybersecurity

E mail: wunmi.adetokunbo-ajayi@pwc.com

Cell: +234 (0) 705 126 5583

Tel: +234 (01) 2711700 Ext 38001

Nkiruka Aimienoho

Senior Manager, Digital Risk, Privacy & Cybersecurity

E mail: nkiruka.aimienoho@pwc.com

Cell: +234 (0) 703 657 5637

Tel: +234 (01) 2711700

Oluwatoyin Oni

Digital Risk, Privacy & Cybersecurity

E mail: oluwatoyin.oni@pwc.com

Cell: +234 (0) 803 654 4588

Tel: +234 (01) 2711700 Ext 22009

© 2020 PwC. All rights reserved. Not for further distribution without the permission of PwC. “PwC”

refers to the network of member firms of PricewaterhouseCoopers International Limited (PwCIL), or,

as the context requires, individual member firms of the PwC network. Each member firm is a separate

legal entity and does not act as agent of PwCIL or any other member firm.

PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or

omissions of any of its member firms nor can it control the exercise of their professional judgment or

bind them in any way. No member firm is responsible or liable for the acts or omissions of any other

member firm nor can it control the exercise of another member firm’s professional judgment or bind

another member firm or PwCIL in any way.

Thank you

Panel Moderator

Mr Austin OkereFounder/Chairman,

CWG Plc & Ausso Leadership

Academy

Panel Discussion

Dr. Victoria Enape Principal Partner,

Enape Victoria & Co.

Mr Kashifu Inuwa

Adbullahi DG/CEO

National Information

Technology Development

Agency (NITDA)

Wunmi

Adetokunbo-AjayiPartner

Digital Risk, Cybersecurity

& Privacy, PwC Nigeria

Mr Austin OkereFounder/Chairman

CWG Plc & Ausso

Leadership Academy

All

Questions

Answers&

Comments to questions asked

Questions (un-edited) Comments

What pertinent questions should board members ask

technical teams and security leaders within the

organisation.

❏ How could a cyber incident impact the business?

❏ How much risk are we willing to take?

❏ How resilient is the business to a cyber-attack?

❏ Which threats should we be most concerned about?

❏ Are we spending in the right areas?

❏ What actions are we taking to educate employees (the first line of defense) about how to identify and react to the

cyber attack schemes?

❏ Are there gaps in our cybersecurity capabilities?

❏ How is the IT function changing its strategic priorities in the short-, mid- and long-term and are resources sufficient

to achieve these priorities?

❏ Has the incident response plan been updated for leadership and employees in a remote working environment?

❏ How are increased third-party and fourth-party security risks due to COVID-19 & other related matters being

managed?

When we talk about hacking and putting around a

SOC, NITDA promised they would establish a national

cybersecurity research center and would go into

partnership with the Government of Malaysia and

Canada and that it would have a cyber incident

response centre. How far is that project with NITDA?

The project was muted in 2017. NITDA has changed it’s approach to research because NITDA does not only deal with

cybersecurity all IT areas. Now, NITDA is taking a different approach through creating centers of excellence in tertiary

institutions where we think it is better and more appropriate to have people carry out this type of research.

A Computer Emergency Response and Readiness Team was setup which currently resides in NITDA for the federal

government and the team is connected with the National Computer Emergency Response and Readiness Team housed

with the office of the national security adviser. Because the establishment of a center would be a lot of financial investment

for NITDA, hence this approach of getting the same objective but using a distributed method.Cybersecurity has to involve

as may stakeholders as possible to avoid a single point of failure in terms of policy development.

Comments to questions asked

Questions (un-edited) Comments

Give an overview of the provisions of the cybercrime

Act in dealing with cyber criminals and getting justice

for cyber victims

The Cybercrime Act was signed into law in 2015. It criminalizes certain actions using the internet or any other electronic

means for the purpose of committing crimes. The provisions of the act are designed in such a manner that it gives law

enforcement the ability to prosecute people for committing certain crimes. The presidency has the power to designate

certain computers and networks as critical and vital to national security. Also, the presidency is to provide guidelines on

how those networks are actually managed. If hackers are found guilty, they are liable to pay up to 10 million naira or

imprisonment for 5 years depending on the purpose of the hack and results they get from the hack.

The Act makes identity theft a crime; it makes child pornography a crime; cyber stalking and cyber bullying are also crimes

under this act; it forbids the distribution of racist and xenophobic materials; it requires that service providers should retain

traffic and subscriber information for a certain period as may be regulated by the telecoms regulator in order to assist law

enforcement to gather information for the purpose of prosecution; it allows for the interception of electronic communication

based on court order. This is an overview of the legal aspect of the cybercrime act.

Per the institutional framework of the Cybercrime Act, there is an office for the procession of cybercrime in the attorney

general’s office where they deal with any cybercrime activity that has been reported to them and they will prosecute

anybody that is responsible for that crime.

The Cybercrime act also makes provision for a Cybersecurity Advisory Council. This council is made up of all stakeholders

within and outside of government, ministers and private sector participants including non-governmental organizations who

would meet at least quarterly to discuss and advise government on issues to be addressed as far as cybercrime and

cybersecurity is involved.

There have been some issues raised around the conditions of the act, which tends to be more commercially inclined, those

issues are being addressed as the Act is being reviewed.

Comments to questions asked

Questions (un-edited) Comments

Should we be worried about the new “arms race” in

the form of quantum computing with the potential to

compromise all existing security measures? Should

we wait or proactively and strategically ACT NOW?

We still have some ways to go before the risks with quantum computing start to crystallise. The most part of this technology

is still in the Research and Development stage (with less than 15 currently in the world) and may take years before it

becomes commercially available. However, as quantum computing advances in technology, we believe that security and

best practices will also be developed alongside Yes, they can significantly reduce the processing time traditional computers

need to complete processes and the real concern is using this to break existing cryptographic algorithms. So, it's still early

to be "worried" but it's something we should all keep our eyes on. To add to this, it is not only attackers that can use this

technology, “good guys can”. Therefore it also has the potential to increase security.

Should we be stressing cyber security or cyber

resilience?

Both Cyber security and Cyber resilience are important.

Cyber security deals with the measures put in place to prevent security breaches of any kind while cyber resilience deals

with the quality of your response to any cyber attack when it occurs. Hence, both cyber security and cyber resilience are

both important.

Based on the Cybersecurity Framework - Identify, Protect, Detect, Respond and Recover; Respond and Recover cover

cyber resilience.

Cyber attacks may be inevitable. We must secure our most priced assets to reduce the level of exposure and loss.

Likewise we must also be prepared to immediately detect and respond to cyber attack when it occurs.

Recent Twitter Hack. What could they have done

differently to prevent it?

Twitter says the main vector used for hack was spear phishing. Spear phishing is about targeting the specific

individuals.Continued education, training and awareness is very important because people are usually the weakest link

regards of technology implemented.

A way to prevent such an attack from recurring is to continuously train and re-train their staff members and keep them up

to date on latest cyber trends and attack techniques. Prominent organisations should expect to be hacked and be able to

respond efficiently and quickly as possible. Key thing is about how responsive we are to a cyber attack

Comments to questions asked

Questions (un-edited) Comments

Should all categories of employees of an organization

be trained in cybersecurity issues.

Yes, all employees should be aware of the current cyber security landscape and should be adequately trained in

recognizing and avoiding the tactics employed by malicious users in compromising security systems.

More specifically, an employee risk assessment should be carried out by organizations to determine the impact on their

business if any employee is compromised. This may lead to different levels of cyber security trainings for employees

based on the risk assessment.

In addition, based on the polls conducted when the webinar began, we that majority of the participants on this webinar

agree that people are the weakest link for a cyber attack. If all staff are adequately trained to identify possible cyber

threats, it reduces the possibility of a successful social engineering, phishing and/or other types of cyber attacks.

What can persons do as regards connection to public

(hotel, cafe etc) WiFi, in order to do office work? Best practise is to avoid connection to untrusted networks like public wifi to avoid Man-in-the-middle attack.

But if you have to, ensure to use your VPN and be very cautious of the type of activities done during the period.

How would you rate the global collaboration towards

arresting BEC and hacking?

As organizations all around the globe are now becoming more cyber aware and taking more steps in ensuring that cyber

threats and attacks are reduced to the barest minimum. It’s also important for organisations to organise regular

cybersecurity training and awareness programs for all staff (board members, technical and non-technical staff inclusive).

People are the weakest link. Those within or outside

or both? What could we do different to curtail it.?

In addition to hardening security systems within an organization, adequate awareness and training programs should be

organized for all stakeholders.

Comments to questions asked

Questions (un-edited) Comments

How can you control information already in the open

space?

This depends on the information and the platform in use.

For things like brand abuse and trademark infringement, it can be pursued legally. In the event that the actors are unknown,

there are organisations that offer takedown services to expunge the information and/or where they are hosted.

Information on social media can also be handled by the platforms by reaching out to the providers. They also offer a

number of features to report abuse that can be explored by the public.

In most cases, you would still need to provide evidence of abuse. If the information isn't found to violate any policy, it may

be significantly more challenging because "freedom of speech" (for instance, imagine a company trying to remove a

customer's complaint. This scenario, the complaint is likely not violating any policy or infringing on the brand/trademark so it

will be almost impossible to remove/control this)

Is there any insurance policy as regards hacking,

especially when the client has full compliance from

the antivirus software ?

Insurance policy should be discussed by Anti-virus providers.

What does BEC mean? Business Email Compromise (BEC). It is a tactic employed by malicious users where a business email is obtained and used

to imitate the owner in performing fraudulent activities.

How are social medias still hacked after a two-factor

authentication has been activated?

Two-factor authentication provides an extra layer of security to user accounts and confidential resources. However, if the

two-factor authentication medium is also compromised, then personal accounts or corporate accounts is prone to being

hacked.

Comments to questions asked

Questions (un-edited) Comments

Should the Board get some punitive measures where

there are cyber attack incidents in organisations?

Considering that at times, the CIO, CISO who often get

fired typically recommended tools to

address....PROTECTION, DETECTION and RESPONSE

strategies.

Before any punitive measure is taken in response to a cyber attack, organizations need to engage cybersecurity specialists

to carry out a thorough investigation to determine the cause of the compromise.

Malicious exploits in security systems could be result of several factors such as:

● ignorant employees falling victims of social engineering attacks

● Poorly configured infrastructure and outdated server applications

● Lack of state-of-the-art security systems

Most cases of data breaches result in significant financial loss to affected organizations and in situations where the breach

was a result of negligence of duty, organizations should take effective measures to prevent a repeat of such compromise.

Returning to the workplace after Covid-19, what

should boards be thinking about?

- Safety of staff. This is key and should be uppermost in the mind of board members.

- Mechanisms in place to identify if someone is infected with Covid-19 as well as response plan should that happen.

- How do you continue to operate your business with all the limitations at hand

- In terms of services, identify critical services and ensure resilience is built around them

- Continued education of staff

Wrap-up & Closing

Dele AlimiDG, IoD Nigeria

Thank you

This webinar has ended.