
Do you understand your organisation’s cyber capabilities well enough to take a risk?

Cybersecurity: are you asking the right questions?

In these increasingly uncertain times, it is critical that every dollar spent counts. This is particularly the case for complex technical risks where it can be difficult to decipher what the problem is. As a top risk for many organisations, cyber is a case in point.

Recent global events such as geopolitical cyber activity or a global pandemic have revealed immediate infrastructure gaps for many businesses, including cybersecurity limitations. The ransomware NotPetya amounted to the most costly and destructive cyberattack in history, according to the White House. Fifty-four percent (54%) of CFOs say the COVID-19 outbreak has the potential for “significant” impact to their business operations, particularly on digital upskilling, bandwidth and cybersecurity limitations.² For 35% of Asia Pacific companies (30% globally) these figures translate into a cybersecurity spend of 10% or more of their IT budget.¹

1 Source: PwC 2019 Digital Trust Insights Survey

2 Source: PwC COVID-19 CFO Pulse Survey, March 11, 2020

[Chart: worldwide spending on information security products and services, 2017 to 2022. 2018: $114 billion (up 12.4% from 2017); 2022 forecast: $170.4 billion]

Worldwide spending on information security products and services exceeded $114 billion in 2018, an increase of 12.4 percent from 2017, according to Gartner, Inc. The forecast for 2022 is that the market will grow to $170.4 billion.

“With the increase of cyberattacks occurring, organisations continue to spend more money on security; however, they often spend it in the wrong areas.” – Dr. Eric Cole, founder and CEO at Secure Anchor

Directors are increasingly taking action to be prepared for a crisis, including a cyber-attack. In the past five years, directors reported a sizable increase in the level of cyber oversight in the boardroom. Roughly three-quarters of participants in PwC’s 2019 Annual Corporate Directors’ Survey said their boards have discussed the company’s crisis response plan in the event of a major security breach (78%); the company’s cyber insurance coverage (74%); and whether to engage an outside cybersecurity expert (74%). Whilst this is undoubtedly positive, directors remain uncomfortable about whether they have the skills and tools to effectively lead the organisation’s response to cyber risk.

A particular challenge is that the data available within organisations to articulate their cyber risks are not prepared in a common language that all of the disciplines and the directors can understand. Tough decisions need to be made about where to invest. Directors should understand the role and mandate of their cybersecurity team; this includes understanding how cybersecurity budgets, resources and investment decisions are measured and prioritised against the organisation’s financial exposure to cyber risk.

What is the role of Directors?

Fewer than 40% of directors say that the board fully understands the cybersecurity risks facing the company (37%) or that the board has sufficient expertise in cybersecurity (36%).

3 Source: National Association of Corporate Directors (“NACD”) 2020 Director’s Handbook on Cyber-Risk Oversight

Management is always eager to tell a board what they are doing but are less eager to discuss what they are not doing (i.e., what difficult budget decisions they had to make that resulted in risk acceptance). A conversation about what fell below the cut line and what decision process was used to evaluate trade-offs will support senior stakeholders in better directing investment.³

Organisations must have the right leadership and processes in place to drive the security measures required by digital advancements. Achieving this requires a concerted effort to uncover and manage new risks inherent in emerging technologies.

Leadership is vital; however, the increase in the board’s interest and involvement discussed on the previous page does not always translate into corporate boards proactively shaping their companies’ security strategies or investment plans. Only 44% of respondents to the PwC Digital Trust Insights Survey 2019 said their corporate boards actively participate in their companies’ overall security strategy. Senior leaders driving the business must take ownership of building cyber resilience. Establishing a top-down strategy to manage cyber and privacy risks across the enterprise is essential.

A company’s risk management strategy should be informed by a solid understanding of the cyber threats facing the organisation and an awareness of which key assets require the greatest protection. There should be a coherent risk appetite framework. Leadership must drive the development of a cyber-risk management culture at all levels of the organisation. To enable directors with limited expertise to fully understand the risks facing the company and its defences, and to communicate effectively throughout the various functions across an organisation, companies need a common language that allows cyber risk discussions in non-technical, intuitive terms.

A better cyber security risk oversight

How to achieve a common understanding of risks and defences across the organisation?

Directors – and organisations overall – should ensure resources exist to allow stakeholders to understand the business’ cyber risk and address it appropriately. We see this journey to consist of three phases:

Understanding risk – Companies assess what cyber risk really means to them, identifying the key assets that drive the business, and the nature of the threats they face.

- Inventory assets
- Assess maturity
- Assess threat and risk
- Understand 3rd party obligations

Prioritising risk – Companies focus more precisely on the areas that matter most and make decisions based on those priorities.

- Formalise governance
- Interpret risk assessments
- Build remediation plans
- Allocate resources

Monitoring risk – Companies develop the ability to know with increasing agility when changes in the technology or business environment or evolving threats change their risk exposure.

- Develop meaningful metrics
- Actively engage in discussions about efforts to improve
- Observe peers and competitors for signals
- Prepare to reassess maturity

Be ready for surprises

As directors and organisations embark on understanding, prioritising and monitoring risk, they are likely to encounter some surprises. We see these common themes across organisations:

• Cyber is a top risk for most organisations and significant amounts are invested in better managing cyber related risks, but cyber related investment decisions are not aligned to the company’s risk appetite around core business practices, or blur housekeeping actions with strategic improvements. Confidence in the ability of the company to recover from a cyberattack is often low.

• Identifying the organisations’ most valuable and sensitive digital assets is a continuous exercise and companies are struggling to maintain an inventory of key processes, assets and dependencies.

• Controls to manage cyber and other technology risks are often of a manual nature, resulting in significant limitations; and for those companies investing in automated solutions we frequently see that the coverage of tools and other technologies is not implemented consistently across all key assets.

• When an incident occurs, it is usually because of not managing cyber risk at an adequate granular level. Existing assurance activity, if in place, is typically too high level or too narrow to give such insights.

Only 15% of CEOs strongly agree their company can withstand cyberattacks and recover quickly.⁴

40% of PwC’s Fall 2018 Digital Trust Insights Survey participants are very comfortable they have identified their organisations’ key digital assets.

4 Source: PwC’s 22nd Annual Global CEO Survey

Directors can start the engagement with executives and their risk and security leadership by targeting key strategic areas. Framing questions in a structured way that a chief information security officer is likely to appreciate can develop a better conversation and more impactful communication for all parties. Framing conversations using internationally recognised frameworks, such as the US National Institute of Standards and Technology Cyber Security Framework (‘NIST CSF’), provides a common language for all stakeholders.

The NIST CSF is a structured collection of cyber risk fundamentals that can be used when discussing, prioritising, and addressing key components of a cyber-risk management program. It is by design a principle-based, non-prescriptive tool for framing the important issues so stakeholders can speak a common language that covers the full lifecycle and holistic view of cybersecurity risk management.

What should directors do?

At the highest level, the CSF is organised into five “functions”, or key activities. Together these define a holistic approach to a company’s cyber risk management. Each of the five functions comprises a number of lower level activities broken down as “categories” and “sub-categories,” each providing a more granular and detailed description of leading practices.

1. Identify – What matters most to the business? What are the biggest threats?
2. Protect – What measures are in place to ensure key elements of the business are safe?
3. Detect – How alert is the organisation to threatening events or disruptions?
4. Respond – How quickly and effectively can the organisation react when bad things happen?
5. Recover – Once an attack or disruption happens, how quickly is the organisation able to resume normal operations?

The three phases described earlier (Understanding risk, Prioritising risk, Monitoring risk) run across these five functions.

The objective is to create digital resilience by design: agile cyber defence and recovery capabilities to weather cyberattacks without suffering costly disruptions. Once directors understand where their company is on the journey, they can discuss and challenge with confidence and relevant information whether management’s plans and responses are reasonable.

By understanding and leveraging the CSF, boards can play an active role engaging with security leadership and company leadership about the company’s cybersecurity strategy and its effort to build cyber resiliency.

How to take the first step?

Directors must take the following three actions:

1. Understand the current state of your organisation’s cyber risk assessment and defences: assess how well the organisation is addressing cyber risk by using a maturity model, such as the widely accepted Capability Maturity Model Integration (CMMI). This will allow the company to define current and target states for its security capabilities and measure progress against goals. A maturity model like CMMI combined with NIST CSF can enable maturity ratings and benchmark progress, internally and against peers.

2. Make the organisation’s cyber spend count: a maturity assessment against a recognised framework can allow the organisation to set out a clear roadmap on how to move from current state to a desired target operating model. This roadmap should inform the cyber investment needs and priorities. It does not necessarily mean more investment; it means the right investment in the right areas for the business.

3. Get involved in shaping the organisation’s cyber strategy: do not be comfortable with only discussing the strategy at high level in board meetings.

“What we should actually be doing is thinking about what are our key controls that will mitigate the risks. How do we have those funnelled and controlled through the team that we have, how do we work through that in a well formatted, formulated process and pay attention to those controls we have chosen? Not a continual, add more, add more, add more.” – Dr. Chris Pierson, CEO, Binary Sun Cyber Risk Advisors

How can PwC help?

As a leading provider of trust around cyber and technology risks, PwC has developed a cyber-maturity assessment framework based upon internationally recognised frameworks, including the NIST CSF, that can help boards, senior management and other stakeholders establish a common language for communicating cyber risks across the organisation. Covering the five key capabilities of cyber risk management, it supports organisations in making better decisions on where to focus next from people, process and technology perspectives.

Our assessment brings together assurance practices and cyber expertise with a methodology using an internationally recognised framework. It can help stakeholders assess and monitor the maturity of their cyber defences using maturity scores against a common standard and methodology, and provide insights into peer organisations on a no-name basis, resulting in greater confidence. Key features include:

- Benchmarking to other organisations using data from similar assessments.
- Validation (not just talk-through) performed to ensure that cyber controls are designed effectively and implemented across the scope set.
- Maturity scoring using the Capability Maturity Model Integration (“CMMI”) framework to provide an absolute rating for each framework element and a roadmap for improvement initiatives.

“Boards are not expected to have all of the answers related to cyber risk, but they do need to talk with management and ask the right questions so they can stay on top of this complex and dynamic risk.” – PwC “Cybersecurity and the board: six questions your board should ask” – July 2016.

Contact us

For more information about the topics in this publication, please contact:

Kenneth Wong

Cybersecurity and Privacy Leader,

Risk Assurance, Mainland China

and Hong Kong/Asia Pacific

+852 2289 2719

[email protected]

Nick Hamer

Trust and Transparency Services

Leader, Risk Assurance,

Mainland China and Hong Kong

+852 2289 8545

[email protected]

This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

© 2020 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. PMS-001450


Lisa Li

Partner

+86 (10) 6533 2312

[email protected]

Ryan Yao

Partner

+86 (10) 6533 7576

[email protected]

Samuel Sinn

Partner

+86 (21) 2323 2296

[email protected]

Chun Yin Cheung

Partner

+86 (21) 2323 3927

[email protected]

Tony Wan

Partner

+86 (21) 2323 8149

[email protected]

Kok Tin Gan

Partner

+852 2289 1935

[email protected]

Felix Kan

Partner

+852 2289 1970

[email protected]

Danny Weng

Partner

+86 (20) 3819 2629

[email protected]

Dennis Li

Partner

+86 (10) 6533 7800

[email protected]