cybersecurity - fpa norcal · landscape is changing and what this means to companies, ... pwc,...

FPA NorCal Conference: Cybersecurity - An evolving threat landscape


Post on 11-Aug-2020


Page 1: Cybersecurity - FPA NorCal · landscape is changing and what this means to Companies, ... PwC, Global Economic Crime Survey 2016, February 2016 PwC, CIO and CSO, The Global State

FPA NorCal Conference

Cybersecurity

An evolving threat landscape


Cybersecurity - An evolving threat landscape

In an increasingly interconnected and uncertain world, it’s clear that the cybersecurity threat landscape is changing. Both the speed at which cyberattacks occur and the extent to which they spread have risen dramatically. Cyber risks that once seemed improbable and even remote have also become the norm.

To navigate through turbulent times, a distinct shift is required in how governments, companies and individuals think about cybersecurity threats.


Learning Objectives

• Help you understand the nature and impact of recent cyberattacks and how this is changing the perspectives of Company Boards, Consumers and Regulators

• Provide you with an overview of how the cybersecurity threat landscape is changing and what this means to Companies, Individuals and Governments

• Enable you to ask pertinent questions to assess a company's cybersecurity risk & capability posture


Your Speaker

Pieter Joubert
PwC Cybersecurity & [email protected]
(415) 203-6314

Pieter is a Director in the Cybersecurity and Privacy practice based in San Francisco, CA. He has 16 years of experience in technology risk and resilience assurance and transformation programs. Pieter is primarily focused on delivering Cybersecurity and Privacy Strategy and Transformation services to global software companies in the Bay Area.

He is a South African Chartered Accountant and Certified Information Systems Auditor.


Recent cyberattacks and the changing threat landscape


• Massive cybersecurity breaches have become almost commonplace, regularly grabbing headlines that alarm consumers and leaders

• Many organizations worldwide still struggle to comprehend and manage emerging cyber risks in an increasingly complex digital society

• There have been no reported deaths from cyberattacks and relatively little destruction. But the disruptive power of cyberattacks is increasingly clear, particularly in geopolitical threats


Case 1 - Global healthcare Group


Case 2 – Infrastructure attacks

Massive data breach risks are raising concerns about the power of cyberattacks to ripple through the global economy

• December 2015 cyberattack in Turkey impacted networks used by the country’s banks, media, and government

• Later that month, the first known cyberattack to take down a power grid targeted Ukraine’s power distribution systems, cutting electricity to 230,000 residents

• In June 2017, the Petya cyberattack, aimed at Ukrainian computers, disrupted business operations across the globe


The impact of cyber threats

What is the bottom line? The cost of improving an organization's cybersecurity and privacy practices may seem small in comparison to the major costs associated with a data breach.

• 29% report loss or damage of internal records as result of a cybersecurity incident

• 35% report loss or damage of customer records as result of a cybersecurity incident

• $3.79m: average cost of a data breach

• $144: average cost per record

• $5.1m: average security budget

• 13% of businesses affected by cybercrime in the last 24 months report a “High” reputational impact

Sources:

Ponemon Institute, 2017 Cost of Data Breach Study: Global Overview, June 2017

PwC, Global Economic Crime Survey 2016, February 2016

PwC, CIO and CSO, The Global State of Information Security® Survey 2018, October 2017


Risks in the digital age

Customer experience, Brand, Trust

• 19 hours: the total average downtime as a result of security incidents

• 64% of CEOs say how they manage people’s data will differentiate them

• 13% of businesses affected by cybercrime in the last 24 months report a “High” reputational impact

• 87% of consumers will take their business elsewhere if they don’t trust a company is handling their data responsibly

• 71% of consumers would stop doing business with a company for giving away their sensitive data without permission

• 1 million: the current number of unfilled cybersecurity job openings

Sources:

PwC, 20th Annual CEO Survey, January 2017

PwC, Global Economic Crime Survey 2016, February 2016

PwC, Consumer Intelligence Series: Protect.me, November 2017

PwC, CIO and CSO, The Global State of Information Security® Survey 2018, October 2017

Cybersecurity Ventures, Cybersecurity Jobs Report, June 2017


What this means to companies and individuals


The cybersecurity and privacy landscape

• Leaders are seeking new ways to address talent shortages

• Corporate leaders face increasing accountability from boards, regulators, and the marketplace

• Companies need help identifying the appropriate level of security and governance across business models

• Digital business models are driving the adoption of new safeguards

• Managing threats and risks increasingly means taking a proactive approach

• Increased regulation across the globe is reshaping industries

• New producers, consumers, and stewards of data have emerged

• New risks are being generated by increased reliance on data

• Trust has become a key factor in executing commerce

• New and disruptive technologies are being explored with security and privacy ramifications


Increasing regulatory scrutiny

The fast evolving cyber threat landscape is driving the release of new laws, regulations and attestation frameworks by Governments, regulators, and professional associations such as the AICPA

• 2014 – USA: Cybersecurity Enhancement Act

• 2014 – France: French Data Protection Act

• 2015 – USA: National Cybersecurity Protection Advancement Act

• 2015 – USA: Cybersecurity Information Sharing Act

• 2015 – Germany: IT Security Act (ITSG)

• 2015 – USA: OCC (Comptroller of the Currency) Cybersecurity Assessment Tool (CAT)

• 2015 – USA: Federal Exchange Data Breach Notification Act

• 2016 – Hong Kong: Hong Kong (SAR) Circular

• 2017 – China: China Cybersecurity Law

• 2018 – EU/Global: General Data Protection Regulation (GDPR)


Managing cyber risks as an opportunity

As data, and then information, take on a digital form, the ability to manage, govern, and secure it becomes increasingly more important. Those organizations that can manage their data in the best possible manner will separate themselves from peers within their respective industries.

Companies aspiring to lead should be asking these questions:

Do we understand what the emerging risk landscape means for our organization?

Is our cybersecurity and privacy program being strategically managed from the C-suite and boardroom on down?

How can we best prepare for an incident?

Do we measure and demonstrate to stakeholders the effectiveness of our cybersecurity and privacy efforts?

Are we gaining connectivity without losing consumer trust?

Is our organization monetizing data while respecting privacy?

Does our program leverage strides in cyber and privacy risk management to boost our economic performance?

Does our program view data in the same light as “cash”?


The key questions business executives should be asking about cybersecurity

Cybersecurity and privacy was once the responsibility of a single department. Today, it touches every part of the business.

CEO · CRO · Boardroom · CPO · Sales and Marketing · CIO/CISO

Enterprise Impact

• Do we have the information we need to oversee cyber risks?

• Do we have a tested cyber incident response plan?

• Is our organization respecting privacy while monetizing data?

• Are we following applicable privacy regulations?

• Do we understand what the emerging risk landscape means for our organization?

• Can we articulate our cybersecurity strategy across the organization?

• Do we approach cybersecurity using a risk-based approach?

• Can we articulate our current cybersecurity risks?

• Are we taking appropriate steps to protect our organization against cybersecurity risks?

• Do we measure and demonstrate to stakeholders the effectiveness of our cybersecurity and privacy efforts?

• Are we gaining connectivity without losing consumer trust?

• Does our program leverage strides in cyber and privacy risk management to boost our economic performance?


Key takeaways

National security

• Governments are recognizing cyber is a threat to national security as many government agencies rely on commercial networks and vendors.

• “Cyber vulnerabilities in the private sector pose a serious threat to national security”, the chairman of the DoD Joint Chiefs of Staff said.

• Governments trying to grapple with these problems are releasing regulations to motivate increased prioritization of cybersecurity.

Steep penalties for non-compliance

• GDPR (General Data Protection Regulation) has introduced some of the steepest penalties so far (4% of global turnover).

• Cyber insurance typically doesn’t cover fines and penalties.

• China and Russia Cyber Laws require data localization and export capabilities.

Fast paced change

• Regulation can’t keep pace with technological evolution and disruption.

• Tech companies are aligning their government affairs, legal, and security teams for policy advocacy.

• Companies such as Microsoft are becoming vocal – i.e. Digital Geneva Convention.

• Google commissioned study to show how Russia’s localization law would increase cost of cloud services.

High profile breaches

• Increasing number of high profile breaches (2017 - Equifax, HBO, Target & Home Depot).

• Many attacks were largely preventable through good governance, risk management and robust People, Process and Technology controls.

• Public is increasingly becoming aware of its security and privacy rights.


www.pwc.com/cybersecurityandprivacy

This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

© 2018 PwC. All rights reserved. PwC refers to the US member firm or one of its subsidiaries or affiliates, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.