Cyber Governance Health Check Cyber security survey for top segment of Dutch market


Cyber Governance Health Check
Cyber security survey for top segment of Dutch market
PwC The Netherlands, May 2014

Contents
Introduction
Executive Summary
Detailed results
  Part 1: Overview of results
  Part 2: Additional Results
Appendices
  Annex A: Overview of sector classification
  Annex B: PwC and Cyber Security

Introduction

Why a Dutch Cyber Governance Health Check?
Today's advanced cyber adversaries are committed to planning their operations on targeted organizations to steal data, disrupt services and gain access for future intrusions. Recent incidents and reports have shown that cyber threats apply to all industries, not just those that deal with financial or personal information. As a result, cyber security is now a strategic risk management issue for boards, not one to be left to the IT department.

What is the Cyber Governance Health Check and how does it help you?
The Cyber Governance Health Check is a PwC initiative designed to understand and improve the cyber security governance measures and behaviours of organizations within the Netherlands. The objective of this health check is to create a benchmark insight into the cyber security maturity among the top segment of Dutch organizations. Benefits for you and your organization include:
- Understand better the nature and range of cyber security threats;
- Provide insight into relevant threats and any specific vulnerabilities;
- Provide an opportunity to take stock of your cyber risks;
- Increase awareness; and
- Evaluate your organization's Cyber Governance Health.

Why is this survey specifically aimed at senior management level?
When business and government leaders gathered at the most recent World Economic Forum in Davos, they focused on key emerging global risks, including cyber security. International research has revealed that many CEOs and boards are becoming increasingly aware that cyber threats are today a clear and present danger to the global business ecosystem. These threats are not considered IT risks but business risks that could severely impact strategic objectives.

Introduction

Breakdown of Results
The results of all 33 participating organizations, representing different industry sectors, have been aggregated and can be seen as key question graphs displayed under the following sub-headings:
- Understanding the threat;
- Leadership; and
- Risk management.
The report does not offer an overarching narrative or seek to make any right or wrong judgements about any organization's cyber governance performance. The remaining survey results (Part 2) will be displayed under the following sub-headings:
- Respondent profile;
- Awareness of help and support;
- Cyber Incidents; and
- Completion of the Tracker.

How to use the results
The completion of the survey by the participants has enabled PwC to generate this report, which provides a comparison of your organization against all participants. We would advise you to:
1. Discuss the findings in this report with your trusted advisors;
2. Present the report at your Audit Committee for detailed deliberation and recommendations; and
3. Discuss the report and recommendations with your main Board to enable any requisite strategic direction to be offered.

Confidentiality
The information obtained through the survey has been held as securely as possible by the survey platform provider. As well as the measures already in place to protect confidentiality, the sectors used in the survey have been aggregated for the purpose of this report. A detailed breakdown of the aggregated industry sectors can be seen at Annex A.

Introduction

We believe this survey can strengthen the Dutch cyber capabilities and improve international competitiveness, and it gives you a view on how your organization's approach to cyber governance compares to that of other organizations. The National Cyber Security Center (NCSC) supports this PwC initiative and invites all approached organizations to engage in a conversation with PwC on the results. This report shows you, for the first time and in confidence, how your organization measures up against its peers and competitors in terms of how cyber risks are governed. We are more than willing to provide any additional insights or facilitate the development of action plans when required.

Yours sincerely,
Gerwin Naber, Partner Forensic Services, +31 (0), gerwin.naber@nl.pwc.com
Erwin de Horde, Partner Risk Assurance, +31 (0), erwin.de.horde@nl.pwc.com
Otto Vermeulen, Partner Consulting Technology, +31 (0), otto.vermeulen@nl.pwc.com

Executive Summary: Management dashboard

Executive Summary

A SERIOUS ISSUE
46% of participants think their Board colleagues take cyber risk very seriously. However, 39% think that the board should pay more attention to cyber risk.

WHO OWNS THE RISK?
When asked who owns the cyber risk for their organization, participants responded with a wide variety of roles: CEO 14%, CFO 29%, Head of IT 25%.

CYBER IS A BUSINESS RISK
39% of participants said their strategic risk register includes a cyber risk category.

CYBER SAVVY BOARDS
Most participants (68%) think their board members are qualified, to some extent, to manage innovation and risk in a digital age. 7% indicated their colleagues were barely qualified, 68% think they are qualified to some extent, and 11% think the board has good skills.

TRAIN YOUR BOARD
85% of participants had not undertaken any cyber or information security training in the last 12 months, and 96% of participants said none of their board colleagues had undertaken any either.

Executive Summary: Understand the Threats

KNOW YOUR KEY DATA ASSETS
43% of participants said the board has a very clear understanding of what their company's main information and data assets are. (Chart categories: Marginally acceptable; Basic/acceptable; A very clear understanding.)

THE IMPACT OF A CYBER ATTACK
80% of participants think their main Board has a sufficient understanding of the potential impact of information and data asset losses.

WHO HAS YOUR KEY DATA ASSETS?
57% of participants said the board has an acceptable understanding of where the organization's key information or data assets are shared with third parties. 11% stated that the board has a poor understanding.

INFORMATION SHARING
57% of participants said the main Board does not receive regular threat intelligence from their CIO or Head of Security. 50% of the participants said their employees are encouraged to share information with other organizations in order to combat cyber

PART 1: Overview of results

Understanding the threats

Does the Management Board have a good understanding of what the organization's key information and data assets are (e.g. IP, financial, corporate/strategic information, customer/personal data, intellectual property, etc.)?
Response options: A very clear understanding; Basic/acceptable; Marginally acceptable; A poor understanding.
40% of participants admit that the main Board only has a basic or acceptable understanding of their organization's key information and data assets, with 43% claiming a "very clear understanding".

Does the Management Board have a clear understanding of the value of those assets (e.g. financial, reputational, etc.)?
Response options: A very clear understanding; Basic/acceptable; Marginally acceptable; A poor understanding.
The majority of participants admit that the main Board has a very clear understanding of the value of their organization's information and data assets. 23% tend to be more pessimistic in their assessment and claim that the main Board has a basic understanding.

Understanding the threats

Does the Management Board have a good understanding of what the organization's Cyber Threats and Vulnerabilities are to those key information and data assets?
Response options: A poor understanding; Marginally acceptable; Basic/acceptable; A very clear understanding.
60% of participants think that the main board has a basic understanding of what the organization's cyber threats and vulnerabilities are to those key information and data assets.

What is the Board's understanding of the potential resulting impact (for example, on customers, share price or reputation) from the loss of, or disruption to, those assets?
Response options: A poor understanding; Marginally acceptable; Basic/acceptable; A very clear understanding.
47% of participants believe their board has a very clear understanding of the potential impacts of information and data asset losses. However, 40% state that their board has a marginal to basic understanding.

Understanding the threats

Does the management Board periodically review key information and data assets (especially personal data) to confirm the legal, ethical and security implications of retaining them?
Response options: Don't know; Thoroughly; Somewhat; Rarely; Never.
Nearly half of organizations rarely or never review their key information and data assets. 37% of participants indicate that such a review occurs; nearly half of these reviews are considered to be executed thoroughly.

To what extent is your Board's discussion of cyber risk underpinned with up-to-date Management Information?
Response options: Very little insight; Some information; Comprehensive, generally Robust management information; Don't know.
66% of participants state that their Board's discussion of cyber risk is based on "some information", with less than 10% believing it to be based on robust management information. Finally, 10% of participants think the Board's discussion of cyber risk is based on very little information.

Understanding the threats

Does the Board receive regular intelligence from the CIO/Head of Security on who may be targeting your organization, their methods and motivations?
Response options: Never; Rarely; Regularly; Don't know.
Less than 30% of all participants said that their Boards received regular intelligence on cyber threats from their CIO or Head of Security. More than 50% of participants stated that this rarely or never happens.

In your view, do all board members understand their own personal cyber risk profile, e.g. how to prevent being a target of an electronic attack?
Response options: A poor understanding; Marginal understanding; Fully understand.
Two thirds of participants stated that their Board members possessed a marginal understanding of their cyber risk profile, with 14% of participants claiming that their Boards have a "poor understanding".

Understanding the threats

Does the Board encourage its technical staff to enter into formal information sharing exchanges with other organizations in your sector and/or across the economy in order to benchmark, learn from others and help identify emerging threats?
Response options: Yes; No; Don't know.
While 50% of participants confirmed that their technical staff were encouraged to share information with other organizations in order to combat cyber security threats, nearly a third of participants think that their staff are not encouraged to do so.

Leadership

How often is your strategic risk register reviewed and discussed at management Board? (Alternatively, if you have no formal register, how often are strategic risks considered at management Board?)
Response options: We do not have a strategic risk register; Not at all/dealt with in correspondence only; Considered at an annual meeting; Considered bi-annually; Considered quarterly; Considered at every meeting; Not applicable, please explain.
66% of participants believe strategic risk is considered at least once a year, with 28% on an annual basis, 16% on a biannual basis and 22% on a quarterly basis. Nearly 10% of participants stated they do not have a strategic risk register.

Is cyber net risk expected to increase or decrease, in terms of likelihood of occurrence, over the next year or so?
Response options: Increase significantly; Increase slightly; Stay the same; Decrease slightly; Decrease significantly; Not applicable, please explain.
The majority of organizations expect the level of cyber risk to increase slightly over the next year, although the increase predicted by 16% of participants is significant.

Leadership

In your personal view, how important are cyber risks to the business?
Response options: Not at all important; Of limited importance; Extremely important; Not applicable, please explain.
Almost all participants regard cyber risks as being of importance, with 35% considering this risk to be extremely important.

Do you think that employees are comfortable reporting compromises or losses of information and data assets?
Response options: No; I don't think so; I think so; Yes.
Half of the participants stated that their staff are (probably) not comfortable reporting data or information compromises/losses, with the majority of the other participants saying they think their staff do feel comfortable.

Leadership

Which of the following statements best describes how cyber risk is handled in your Board governance process?
Response options:
- It is a technical topic, not warranting Board-level consideration
- We have heard about it once or twice but it is not regular Board business
- We listen occasionally, e.g. a 6 monthly update, plus being told when something has gone wrong
- We regularly consider cyber risk and make decisions (e.g. investment policies)
- We actively manage our cyber risk profile throughout the year
For the majority of organizations, cyber risks are occasional rather than regular Board business. Only 14% of participants said that the Board regularly considers cyber risks or "actively managed" cyber risk profiles.

In terms of the organization's overall approach to cyber risk, how concerned are you personally?
Response options: Very anxious; Anxious; No particular concerns; Relaxed; Very relaxed.
Almost 50% of participants state they are anxious about their organization's overall approach to cyber risk. Less than 40% of participants say they have no particular concerns regarding this matter.

Leadership

Which corporate body or individual holds principal governance responsibility for assessing and monitoring the impact and likelihood of cyber threats to the organization?
Response options: Management Board; Operating Board or Executive Committee; Audit Committee; Risk Board or Committee; IT or Security Committee; Chief Executive Officer; Chief Financial Officer; Chief Operating Officer; Chair of Management Board; Head of IT; Head of Security; Other executive (please specify in the next question); No corporate body or individual should have this responsibility.
The monitoring and assessment of cyber threats fell to a number of different corporate bodies, the most common being the Chief Financial Officer, Head of IT, and IT or Security Committee. 7% of participants believe no corporate body or individual currently has this responsibility.

Leadership

However you answered the previous question, which organizational body/individual should have that governance responsibility, in your view?
Response options: Management Board; Operating Board or Executive Committee; Audit Committee; Risk Board or Committee; IT or Security Committee; Chief Executive Officer; Chief Financial Officer; Chief Operating Officer; Chair of Management Board; Head of IT; Head of Security; Other executive (please specify in the next question); No corporate body or individual should have this responsibility.
Comparing the result with the previous question, it is evident that participants believe the Operating Board or Executive Committee should get more responsibility than it currently holds.

Leadership

Who is the organization's most senior "risk owner" for cyber?
Response options: Chief Executive Officer; Chief Financial Officer; Chief Operating Officer; Chair of management Board; Head of IT; Head of Security; Other executive (please specify); We don't have one.
Ownership of cyber risk lies with different senior roles in different organizations, with the most commonly identified being the Chief Financial Officer (29%). The Chief Executive Officer (14%) and the Head of IT (25%) were also commonly identified. It is unclear whether the hierarchical differences in risk owners (Head of IT as opposed to CEO or CFO) are indicative of the importance attached to these risks.

Who is the organization's most senior "risk manager" for cyber?
Response options: Chief Executive Officer; Chief Financial Officer; Chief Operating Officer; Chair of management Board; Head of IT; Head of Security; Other executive (please specify); We don't have one.
The Head of IT was selected by 57% of all participants as being the most senior cyber risk manager. While several other posts such as Chief Financial Officer, Head of Security, and the Chair of management Board were named, none exceeded 11% of responses.

Leadership

Where, in governance terms, is the "risk owner" for cyber held to account?
Response options: Management Board; Operating Board or Executive Committee; Audit Committee; Risk Board or Committee; IT or Security Committee; Other board or committee. Please specify in the next; There is no governance-level holding to account process.
The cyber risk owner is most commonly held to account at the management Board, stated 68% of participants. No other posts selected by participants exceed 10%.

Taking account of the differing contributions of both executive and non-executive members, does your Boardroom have the right skills and knowledge to manage innovation and risk in the digital world?
Response options: Barely; To some extent; Good skills; We are positioned for the digital age; Don't know; Not applicable, please explain.
Whilst only 7% deemed their boards "barely" qualified in this respect, beyond this participants were conservative about their Board's level of skills. 68% of participants stated their colleagues had the right skills and knowledge "to some extent", 11% assessed their Board as having "good skills", and no one was confident enough to say that they were "positioned for the digital age".

Leadership

Do you feel the organization is doing enough to protect itself against cyber threats?
Response options: No, performance is quite unsatisfactory; No, there is more we need to do; Yes, we're doing good things; Yes, standards are excellent.
Responses on organizations' overall readiness to protect themselves against cyber threats can be narrowed down to two answers: the majority (68%) stated that "there is more to do" and 31% said their organization is doing good things.

Are Board colleagues taking the cyber risk sufficiently seriously?
Response options: Not seriously at all; Not seriously enough; Very seriously; Too seriously.
46% of participants believe that their board colleagues take cyber threats very seriously. However, 39% of participants thought their colleagues are not taking it seriously enough. It is noteworthy that 15% of participants had no idea whether their board colleagues take cyber risk seriously.

Leadership

Have you personally undertaken any form of cyber security/information security training in the last 12 months?
Response options: Yes; No.
85% of participants had not undertaken any cyber or information security training in the last 12 months.

Have other Board members undertaken any form of cyber security/information security training in the last 12 months?
Response options: Yes; No.
96% of participants said that none of their colleagues had undertaken cyber security training in the last 12 months.

Leadership

How much does the organization invest in cyber defences?
Response options: Too much; A reasonable sum (it's just right); Not a great deal (it's just right); Too low.
42% of participants said that their organizations invested "a reasonable sum" in cyber defences. The vast majority of the remainder deemed the cyber defence budget as being "not a great deal". No one regarded spending on cyber defences as being too much.

What is the budget strategy for your cyber defences?
Response options: Decrease of 10% or more with respect to last year; Decrease of 5-10% with respect to last year; Decrease of 0-5% with respect to last year; Same budget as last year; Increase of 0-5% with respect to last year; Increase of 5-10% with respect to last year; Increase of 10% or more with respect to last year.
54% of participants stated they have an increasing budget strategy for their cyber defense. For 35% of responses the budget remained the same as last year. Finally, 4% of participants said their organization's budget strategy for cyber defense had a limited decrease of less than 5% with respect to last year.

Risk management

How mature, and developed, is your formal risk management system?
Response options: We do not have a formal risk; Very new; Immature; Reasonably mature; Mature; Very mature; Not applicable, please explain.
The majority of participants rank their risk management systems as being (reasonably) mature or very mature, with 35% stating they have an immature, very new or no formal risk management system.

Where else is the strategic risk register reviewed/discussed?
Response options: Nowhere; Lower-level committee; IT or Security Committee; Risk Board or Committee; Audit Committee; Operational Board or Executive Committee; More than one place; Not applicable, please explain.
31% of participants stated that the strategic risk register is reviewed or discussed in more than one place within their organizations. 19% of participating organizations discuss it in the IT or Security Committee and another 19% in the Audit Committee.

Risk management

Does the organization's strategic risk register include a cyber risk category?
Response options: No; Yes; Yes, but classified under another category; Not applicable, please explain.
Almost 50% of participating organizations have a specific "cyber risk" category within their strategic risk register (or have it classified under another category). 39% of participants stated they do not have any.

In the strategic risk register, how well described (i.e., understandable to a general board audience) are cyber risks, and the potential consequences for the business?
Response options: Not well; Basic; Richly; Not applicable, please explain.
In the opinion of most participants (71%), the description of cyber risks within the strategic risk register is of a basic or lower level.

Risk management

How significant or important is cyber risk, when compared with all other strategic risks the organization faces?
Response options: Top/Group Risk; Medium/Segment Risk; Low/Operational Risk; Not applicable, please explain.
In comparison to other risks, participants ranked cyber risk as being of medium (42%) or low importance (39%). Only 10% rated cyber security issues as having top level importance.

To what extent has your Board explicitly set its appetite for cyber risk, both for existing business and for new digital innovations?
Response options: Not really; Loosely; Clearly set and understood; Don't know.
Most organizations (63%) have not, or have only loosely, set their appetite for cyber risk. 20% of all participants claimed they have clearly set and understood their tolerances for such risks.

Risk management

Does the management Board have an understanding of where the organization's key information or data assets are shared with third parties (including suppliers, customers, advisors and outsourcing partners)?
Response options: A poor understanding; Marginally acceptable; Basic/acceptable; A very clear understanding.
57% of participants believed that their Board had a basic or acceptable understanding of their organization's information and data sharing activities. 18% of participants rated this understanding as marginal or poor.

How has your organization addressed cyber risks with its suppliers and other relevant third parties?
Response options: Not specifically; To some extent; Formally reviewed in depth; Integral to how we manage suppliers; Don't know; Not applicable, please specify.
Responses on how participating organizations have addressed cyber risks with their suppliers and other relevant third parties are rather distributed. 46% of participants believe their organizations have done this to some extent, with 21% stating it is formally reviewed in depth. Another 21% of participants stated their organizations have addressed cyber risks as integral to how they manage suppliers.

PART 2: Additional Results

Respondent profile

Which of the following describes you?
Response options: Executive member of the management Board; Non-executive director.
85% of the participants who filled in this survey were executive members of the management Board.

Which sector classification best applies to the organization's main business?
Response options: Industrials and consumer goods and services; Energy, Utilities & Mining; Financials; Healthcare; Public sector - local; Public sector - national; Technology, Media & Telecommunications; Other (please feel free to specify).
Participating organizations operate in a variety of sectors. This shows that cyber security is a relevant subject in different industries.

Respondent profile

What proportion of organization revenues/sales are generated outside the Netherlands?
Response options: %; 60-79%; 40-59%; 20-39%; 1-19%; 0%; Not applicable.
A quarter of participating organizations earn more than 80% of their revenues/sales from outside the Netherlands. 18% of participants stated 100% and another 18% stated more than 80% of their revenues/sales are generated inside the Netherlands. For 21% of participating organizations national and international revenues are in similar ranges.

How many employees does your organization have? (including full and part time)
More than % of the responses are from organizations with ,000 employees. 21% of participants are from small organizations (up to 1,000 employees). And finally, 9% of responses are from organizations with more than 50,000 employees.

Respondent profile

How many employees are based outside the Netherlands?
Response options: %; 60-79%; 40-59%; 20-39%; 1-19%; 0%.
39% of participating organizations have all their employees based inside the Netherlands, and 15% of organizations that took part in this survey have 80% of their employees based outside the Netherlands.

Cyber incidents

Based on your own recollection, has the organization suffered more or fewer cyber compromises and occurrences over the last year?
Response options: Increase: significant; Increase: slight; Steady state/no change; Decrease: slight; Decrease: significant.
While almost one fifth of participants were unable to answer this question, 46% of them believed that the number of cyber compromises and occurrences stayed steady over the last year. However, 35% of participants claimed that this number has increased with respect to last year.

From your own recollection, how well did the organization respond to those compromises and occurrences?
Response options: Poorly/unacceptable standard; Not well; OK/average standard; Quite well; Very well/excellent standard.
27% of participants believe their organizations responded quite well to those cyber compromises and occurrences. 23% of participants think the responses were average, with 19% stating their organizations reacted very well. Finally, 19% of participants had no idea how well their organizations responded to those cyber compromises and occurrences.

Cyber incidents

Where, in governance terms, were these compromises and occurrences considered?
Response options: Management Board; Operating Board or Executive Committee; Audit Committee; Risk Board or Committee; IT or Security Committee; Other board or committee; They were not considered at a governance level.
Most participants (35%) state cyber compromises and occurrences are discussed at their main Boards. 19% of participants believe that they are considered at the IT or Security Committee, with 19% stating those occurrences are not considered at a governance level.

Is your Organization able to determine the quantitative and qualitative impact of cyber compromises and occurrences?
Response options: Poorly/unacceptable standard; Not well; OK/average standard; Quite well; Very well/excellent standard.
39% of participants believe their organizations determine the impact of those cyber compromises and occurrences quite well, with 19% stating this to be of average level, and 31% of participants think they are handling it poorly or not well at all.

Cyber incidents

Is your Organization ready to report to regulators and/or clients on cyber breaches?
Response options: Yes; No; We are working on it.
69% of participants indicate they are working on reporting cyber breaches to regulators and/or clients, while almost 20% of participants say they are ready to do so.

Is your Organization well prepared to deal with future cyber compromises and occurrences?
Response options: Poorly/unacceptable standard; Not well; OK/average standard; Quite well; Very well/excellent standard.
27% of participants state their organizations are quite well prepared to deal with future cyber compromises and occurrences. 39% of participants think they are averagely prepared and 27% believe they are not well prepared.

Awareness of help and support

Are you aware of any organizational standards, guidance or certifications that your organization follows/holds for cyber security?
Response options: Yes; No; No answer.
77% of participants indicate that their organization uses standards, guidance or certification for cyber security.

Do you know where to turn for genuinely informed advice on cyber security?
Response options: Yes (please specify); No; I don't need any cyber security advice.
12% of participants state they do not know where to turn for genuinely informed advice on cyber security. 73% of participants claim they know where to find this:
- Specialists
- Head of IT
- External consultancy parties
- Peers, etc.

Completion of tracker

In order to optimize results, we request that this questionnaire is not passed to the CIO or others to complete on your behalf. However, if you have done so, could you please indicate who has supported you in completing this questionnaire?
Response options: Nobody; CEO; COO; CFO; CIO; CRO; A mix of the above; Others.
39% of addressees completed this survey themselves. However, this task was passed in many cases to CIOs, CROs and others. Others to whom this survey was passed include:
- Information security officer
- CISO
- Chief audit executive
- Controller
- Compliance Officer

Annexes

Annex A: Sector classification

Industrials and consumer goods and services: Aerospace and Defence; Automobiles and Parts; Chemicals; Construction Materials; Electronic Equipment; Food and Beverages; House, Leisure & Pers Goods; Industrial Engineering; Industrial General; Industrial Transportation; Retailers; Support Services; Tobacco; Travel and Leisure

Energy, Utilities & Mining: Basic Resource (ex Mining); Mining; Oil and Gas; Utilities

Financials: Banks; Financial and General; Insurance; Real Estate

Healthcare: Health Care Equip and Services; Pharmaceuticals & Biotech

Education and housing

Technology, Media & Telecommunications: Media; Tech Hardware; Tech Software & Services; Telecommunications; IT services

Public sector: Public sector government; Public sector - province; Public sector - municipality; Public sector - other

40 Annex B PwC and cyber security

Our services

We provide a comprehensive range of integrated cyber security services that help you assess, build and manage your cyber security capabilities, and respond to incidents and crises. Our services are designed to help you build confidence, understand your threats and vulnerabilities, and secure your environment. Our cyber security service delivery team includes incident response, legal, risk, technology and change management specialists.

Assess, Build, Manage, Respond

Understanding your capabilities and maturity to help you prioritise your investment: Board-led maturity assessment; Breach discovery assessment; Cyber security diagnostic; Cyber threat assessments and modelling; Penetration testing; Policy and contract review; Privacy and cyber security legal assessment; Standards compliance and certification; Strategy and roadmap; Third party assurance, including cloud; Threat intelligence, detection and response maturity assessment

Rapid, global access to leading cyber incident containment, investigation and crisis management expertise: Breach notification; Fraud and ecrime data analytics; Computer, network and malware forensics; Crisis management; Cyber incident legal advice including privilege; Cyber incident response and forensic investigation; e-discovery and disclosure; Human resource advice employee breaches; Network intrusion containment and remediation; Regulatory proceedings; Third party litigation

Designing and delivering cyber security improvement programmes: Framework development; Embedding security; Enterprise risk management; Awareness and training; Enterprise security architecture; Contracting for security; Information governance; CERT and policy development; Privacy and cyber security legal strategy; Capability build; Cyber security programme delivery; Security technologies and SOC development; Threat intelligence, detection and response capability development; Cyber security programme assurance; Insider threat management; Legal policy development; Product development support; Security intelligence and analytics

Managing and maintaining control of your business, enabling you to focus on strategic priorities: Advanced threat detection and Managed vulnerability as monitoring assessment; Cyber defence team augmentation; Data leakage monitoring; Integrated managed security services; Legal support to compliance officers and general counsel; Retained incident response services; Threat intelligence; Training

41 Contact details

Gerwin Naber, Partner Forensic Services; Erwin de Horde, Partner Risk Assurance; Otto Vermeulen, Partner Consulting Technology. +31 (0) (0) (0)

PwC. All rights reserved. Not for further distribution without the permission of PwC. "PwC" refers to the network of member firms of PricewaterhouseCoopers International Limited (PwCIL), or, as the context requires, individual member firms of the PwC network. Each member firm is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of their professional judgment or bind them in any way. No member firm is responsible or liable for the acts or omissions of any other member firm nor can it control the exercise of another member firm's professional judgment or bind another member firm or PwCIL in any way.


IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices IT audit updates Current hot topics and key considerations Contents IT risk assessment leading practices IT risks to consider in your audit plan IT SOX considerations and risks COSO 2013 and IT considerations

More information

Institute of Internal Auditors Cyber Security. Birmingham Event 15 th May 2014 Jason Alexander

Institute of Internal Auditors Cyber Security. Birmingham Event 15 th May 2014 Jason Alexander Institute of Internal Auditors Cyber Security Birmingham Event 15 th May 2014 Jason Alexander Introduction Boards growing concern with Cyber Risk Cyber risk is not new, but incidents have increased in

More information

The Cost of Insecure Mobile Devices in the Workplace Sponsored by AT&T

The Cost of Insecure Mobile Devices in the Workplace Sponsored by AT&T The Cost of Insecure Mobile Devices in the Workplace! Sponsored by AT&T Independently conducted by Ponemon Institute LLC Publication Date: March 2014 Part 1. Introduction The Cost of Insecure Mobile Devices

More information

Remarks by. Carolyn G. DuChene Deputy Comptroller Operational Risk. at the

Remarks by. Carolyn G. DuChene Deputy Comptroller Operational Risk. at the Remarks by Carolyn G. DuChene Deputy Comptroller Operational Risk at the Bank Safety and Soundness Advisor Community Bank Enterprise Risk Management Seminar Washington, D.C. October 22, 2012 Good afternoon,

More information

Cybersecurity Strategic Consulting

Cybersecurity Strategic Consulting Home Overview Challenges Global Resource Growth Impacting Industries Why Capgemini Capgemini & Sogeti Cybersecurity Strategic Consulting Enabling business ambitions, resilience and cost efficiency with

More information

Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council

Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council Rethinking Information Security for Advanced Threats CEB Information Risk Leadership Council Advanced threats differ from conventional security threats along many dimensions, making them much more difficult

More information

Audit, Risk Management and Compliance Committee Charter

Audit, Risk Management and Compliance Committee Charter Audit, Risk Management and Compliance Committee Charter Woolworths Limited Adopted by the Board on 27 August 2013 page 1 1 Introduction This Charter sets out the responsibilities, structure and composition

More information

Western Australian Auditor General s Report. Information Systems Audit Report

Western Australian Auditor General s Report. Information Systems Audit Report Western Australian Auditor General s Report Information Systems Audit Report Report 10 June 2012 Auditor General s Overview The Information Systems Audit Report is tabled each year by my Office. It summarises

More information

Guidance Note: Corporate Governance - Board of Directors. March 2015. Ce document est aussi disponible en français.

Guidance Note: Corporate Governance - Board of Directors. March 2015. Ce document est aussi disponible en français. Guidance Note: Corporate Governance - Board of Directors March 2015 Ce document est aussi disponible en français. Applicability The Guidance Note: Corporate Governance - Board of Directors (the Guidance

More information

COMPLIANCE CHARTER 1

COMPLIANCE CHARTER 1 COMPLIANCE CHARTER 1 Contents 1. Compliance Policy Statement... 2 2. Purpose... 2 3. Mission and objective of the Directorate: Compliance... 2 3.1 Mission... 2 3.2 Objective... 3 4. Compliance risk management...

More information

2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security

2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security 2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security Commissioned by ID Experts November 2009 INTRODUCTION Healthcare breaches are on the rise; according to the 2009

More information

REPORT. Next steps in cyber security

REPORT. Next steps in cyber security REPORT March 2015 Contents Executive summary...3 The Deloitte and Efma questionnaire...5 Level of awareness...5 Level of significance...8 Level of implementation...11 Gap identification and concerns...15

More information

The Cancer Running Through IT Cybercrime and Information Security

The Cancer Running Through IT Cybercrime and Information Security WHITE PAPER The Cancer Running Through IT Prepared by: Richard Brown, Senior Service Management Consultant Steve Ingall, Head of Consultancy 60 Lombard Street London EC3V 9EA T: +44 (0)207 464 8883 E:

More information

Effective Internal Audit in the Financial Services Sector

Effective Internal Audit in the Financial Services Sector Effective Internal Audit in the Financial Services Sector Recommendations from the Committee on Internal Audit Guidance for Financial Services: How They Relate to the Global Institute of Internal Auditors

More information