Developing a robust cyber security governance framework
16 April 2015
www.pwc.com
Cyber attacks are ubiquitous
- "Anonymous hacker group declares cyber war on Hong Kong government, police" - SCMP, 2 October 2014
- "Adobe hack: At least 38 million accounts breached" - BBC, 30 October 2013
Are we doing enough to protect?
To get started, evaluate the risks

What's most at risk?
- Information and communications technologies
- Business deals information
- Military technologies
- Clean technologies
- Healthcare, pharmaceuticals, and related technologies
- Energy and other natural resources information
- Advanced materials and manufacturing techniques
- Agricultural technologies
- Macroeconomic information

Management should understand what their most valuable information assets are and where they are located in the business ecosystem at any given time. How much will losing these assets cost the business? Businesses should prioritise and allocate resources to effectively protect the crown jewels today and into the future.

Source: Office of the National Counterintelligence Executive, Report to Congress on the Foreign Economic Collection and Industrial Espionage, 2009-2011, October 2011.
Will these enterprise risks cost your assets? Common Risks
Examples of key assets and their costs

Adversary: Nation State
- Motives: Economic, political, and / or military advantage
- Target assets: Trade secrets; Sensitive business information; Emerging technologies; Critical infrastructure
- Costs to organisation: Loss of competitive advantage; Disruption to critical infrastructure

Adversary: Organised Crime
- Motives: Immediate financial gain; Collect information for future financial gains
- Target assets: Financial / payment systems; Personally Identifiable Info; Payment Card Info; Protected Health Info
- Costs to organisation: Costly regulatory inquiries and penalties; Consumer / shareholder lawsuits and loss of their confidence

Adversary: Hacktivists
- Motives: Influence political and / or social change; Pressure business to change their practices
- Target assets: Corporate secrets; Sensitive business info; Info related to key executives, staff, customers & business partners
- Costs to organisation: Disruption of business activities; Brand and reputation; Loss of consumer confidence and even

Adversary: Cyber Terrorists
- Motives: Political and / or ideological change; Create fear, uncertainty, and doubt
- Target assets: Critical infrastructure; Operational technologies; Highly visible venues
- Costs to organisation: Destabilise, disrupt, and destroy physical and logical assets
With these in mind, we move towards a cyber security model that is:
- Business Aligned: Partner with the business to define and deliver solutions for cyber security risk
- Information Oriented: Gather the necessary insight into the information processing environment to provide relevant risk reporting
- Risk Driven: Drive processes which balance business needs, services portfolio delivery and cyber security risk
- Delivered Effectively: Provide strategies, direction and oversight of delivery to drive consistent, reusable and cost effective services
A holistic cyber security governance model

[Diagram: the four principles (Business Aligned, Information Oriented, Risk Driven, Delivered Effectively) arranged around a lifecycle of Plan, Define / Build, Operate and Sustain. Inputs: Business Risk Reporting / Business Requirements. Building blocks: Strategic Planning, Business Partnership & Risk Management; Architecture; Policies, Standards, Awareness & Change; Operations; KPIs & Reporting. Foundations: Technology, Data, Controls, Remediation.]
Building blocks of the model

Strategic Planning, Business Partnership & Risk Management
- Cyber security strategy
- IT risk management program planning
- 3rd party risk management

Architecture
- Architecture design
- Research & development
- Policy & standard guidance

Policies, Standards, Awareness & Change
- Policy & standard development
- Training & awareness
- Tech risk change management

Operations (infrastructure, operational and application layers)
- Infrastructure security
- Identity and access management
- Threat & vulnerability management
- Event monitoring & incident response

KPIs & Reporting
- Metrics and Reporting
- Compliance and Audit Support
A successful security framework needs strong oversight

[Diagram: oversight roles and bodies: General Counsel, Chief Risk Officer, Chief Compliance Officer, Chief Privacy Officer, Chief Administrative Officer, CFO, CIO, CISO; Board, Audit Committee, ERM Risk Committee, Data Governance Committee, Privacy Committee. Cyber Organisation: Strategic Planning, Business Partnership & Risk Management; Architecture; Policies, Standards, Awareness & Change; Operations; KPIs & Reporting. Lifecycle: Manage Risk with Metrics, Plan, Define / Build, Operate, Sustain. Key: Leadership & Governance; Definition & Guidance; Management & Delivery.]
Expect the unexpected

"In all things success depends on previous preparation, and without such previous preparation there is sure to be failure."
凡事豫則立，不豫則廢
Chinese Confucian proverb
It's not if, but when

Capability to respond to a cyber attack requires:
- a response mechanism that is integrated from the bottom to the top of the organisation
- a response mechanism that has been recorded (plans)
- staff who have been trained in their response role, and who have rehearsed that role in crisis conditions
- a culture that recognises and reports potential business impacting cyber attacks, and not "fix on fail"
- a capability to respond that considers the entire business response

How are clients impacted?
- 96% are concerned about the impact of a cyber attack
- 72% have cyber threat on their risk register
- 20% have conducted a C-Suite level exercise to rehearse their response to a cyber attack
- 65% regularly conduct a C-Suite level exercise

What does this mean? Cyber attacks are still perceived as an IT issue, and the business wide impact may not be fully appreciated.
Thank you!

Jason Ho
E-mail: jason.wk.ho@hk.pwc.com
Phone: +852 2289 1213

This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

© 2015 PricewaterhouseCoopers Limited. All rights reserved. PwC refers to the China or Hong Kong member firm, and may sometimes refer to the network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.