Cyber Risk Management

Effectively addressing threats in a continuously changing world, without breaking the bank

New technologies and digital business models are being adopted at an unprecedented pace, further accelerated by COVID-19. In order to stay ahead of the curve and reap the benefits technology has to offer, organisations have embarked on a digital transformation journey. As a result, organisations are exposed to new digital vulnerabilities. At the same time, the business has become digital and is therefore dependent on technology, making an effective approach to cybersecurity more important than ever. In order to keep up with the rapidly evolving technology and business services landscape, the cybersecurity and risk management functions need to transform and digitise the way risk management is performed. Doing this efficiently and effectively requires re-thinking the cyber risk function to ensure the cyber risk mitigation effort is in line with the digital ambitions of the organisation. In order to maintain stakeholders' trust, user-friendly cybersecurity and privacy practices must be seamlessly integrated into everything we do.

Key challenges

  1. Optimise the risk operating model and align it with the requirements of a modern organisation
    Continuous deployment of modern products and services must be enabled by a modern risk function. As the attack surface is rapidly evolving and threat actors' attacks are increasing in both breadth and depth, the risk exposure is larger than ever before. Therefore, in order to keep up with the pace of these developments, the risk operating model should be reconfigured. This enables operational teams to minimise risk exposure throughout the entire lifecycle, from design to decommissioning. The governance and culture should foster this risk awareness among developers and product owners. At the same time, specialised cyber capabilities (covering people, processes and technology) should be productised to help mitigate cyber risks. To fully utilise the efficiencies of this tailored and fine-grained risk approach, a shift in mindset across the three lines of defence model is required, allowing closer collaboration between the lines of defence to keep the risk within acceptable bandwidths.
  2. Enhance risk oversight by making management decisions based on (near) real time indicators
    Management requires insight into both the current risk exposure and the extent to which operations are effectively and efficiently addressing the risks. Data generated across the business need to be leveraged to provide real-time KPIs and KRIs, augmented with ad-hoc monitoring of cyber risks. Translating available data into meaningful indicators allows measurement and reporting of cyber risks on a continuous basis. This closes the risk feedback loop, enabling management to make better-informed budget decisions and allowing the individual teams to take action based on these real-time insights.
  3. Adopt an adaptive risk approach to tailor risk management where it is most needed
    One-size-fits-all risk mitigation frameworks do the business a disservice. They tend to propose requirements that do not mitigate material risks in the context of a specific application, while highly specialised risks are left unaddressed. Adopting a modern and adaptive approach to risk management must enable the identification of real risks in light of the threat landscape. Based on these insights, the relevant aspects of the frameworks can be applied and, where required, enriched.

How we can help

  1. Assess the current maturity to tailor your roadmap
    We assess your cyber risk maturity to identify gaps and prioritise them. Leveraging PwC's cyber maturity framework assessment tools, we will identify key improvement areas. The results of our assessment will allow you to benchmark your maturity against other organisations. Leveraging our tooling allows the (project) teams to continuously update their assessments while implementing improvements. This allows the business case to be monitored and investment to be prioritised.
  2. Implement a scalable cyber function
    We implement modern cybersecurity operating models which allow cyber threats to be identified and mitigated efficiently and effectively at scale. Our experts will help you to formulate a cyber risk strategy aligned with your business strategy. From this strategy, we design the operating model, which covers everything from structure & governance to people & competencies, ways of working, and technology & information. In order to operationalise this operating model, we offer support in the implementation of tools and processes. As modern operating models increase the cyber accountability of operational teams, these teams cannot be successful with tools and processes alone. For this purpose we use a centralised team approach, with satellite teams that sit and work closely together with the operational teams in order to increase their maturity while promoting their autonomy.
  3. Quantify your risk
    There are multiple reasons why cyber risk quantification is an area worth developing as part of modern risk management practices. Cyber threats constantly occur and evolve. Companies face different threat actors, working through different threat vectors, to create different risk events. How can companies defend against cyber threats without breaking the bank? We can help you be more granular and accurate by quantifying cyber risks. By determining the likely financial impact of different threats, you can direct finite resources to fend off the greatest threats. We can support you by blending cyber risk exposures into your decision-making in order to, for example, prioritise mitigation investments, challenge first-line programme plans and risk management strategies, and enable your communication to your stakeholders to demonstrate delivered value. Moving forward, we will help you to ensure that the Operational Risk (OpRisk) capital requirements are backed by ongoing quantification of cyber risk exposure, while also considering how cyber risks correlate to and amplify the exposure of other OpRisks.
Contact us

Sergio Hernando

Partner Technology Resilience, PwC Netherlands

Tel: +31 (0)63 087 97 19

Job van Ommen

Director, PwC Netherlands

Tel: +31 (0)64 201 78 55