C-suite unprepared for cyber risks, PwC study says
A majority of companies do not have a handle on their third-party cyber risks, which are obscured by the complexity of their business relationships and vendor/supplier networks, a global survey by the professional services firm PwC has revealed.
The finding is one of many in the PwC 2022 Global Digital Trust Insights Survey.
The survey of 3,600 CEOs and other C-suite executives globally found that 60 per cent have less than a thorough understanding of the risk of data breaches through third parties, while 20 per cent have little or no understanding at all of these risks.
PwC said that the findings are a red flag in an environment where 60 per cent of the C-suite respondents anticipate an increase in cybercrime in 2022.
They also reflect the challenges organisations face in building trust in their data — making sure that it is accurate, verified and secure, so that customers and other stakeholders can trust that their information will be protected.
Notably, PwC said, 56 per cent of respondents say that their organisations expect a rise in breaches via their software supply chain, yet only 34 per cent have formally assessed their enterprise’s exposure to this risk.
Similarly, PwC said, 58 per cent expect a jump in attacks on their cloud services, but only 37 per cent profess to have an understanding of cloud risks based on formal assessments.
Chris Mills, risk assurance director, PwC Bermuda, said: “It’s critical that the C-suite embeds cybersecurity and privacy into their operations and business strategy.
“Our survey shows that the most advanced organisations see cybersecurity as more than defence and controls; they see it as important to business growth and as a means to drive sustained outcomes and build trust with their customers.”
Sean Joyce, global and US cybersecurity and privacy leader, PwC United States, said: “Organisations can be vulnerable to an attack even when their own cyber defences are good; a sophisticated attacker searches for the weakest link — sometimes through the organisation’s suppliers.
“Gaining visibility and managing your organisation’s web of third-party relationships and dependencies is a must. Yet, in our research, fewer than half of respondents say they have responded to the escalating threats that complex business ecosystems pose.”
Asked how their companies are minimising third-party risks, respondents most commonly cited auditing or verifying their suppliers’ compliance (46 per cent), sharing information with third parties or helping them in some other way to improve their cyber stance (42 per cent), and addressing cost or time-related challenges to cyber resilience (40 per cent).
But the survey found that majorities have not refined their third-party criteria (58 per cent), have not rewritten contracts (60 per cent) and have not increased the rigour of their due diligence (62 per cent) to identify third-party threats.
The survey found that nearly three quarters of respondents said that the complexity of their organisation poses “concerning” cyber and privacy risks.
Data governance and data infrastructure (77 per cent each) ranked highest among areas of unnecessary and avoidable complexity.
Simplification is a challenge, but there is ample evidence that it is worthwhile, PwC said.
While three in ten respondents overall said that their organisations had streamlined operations over the past two years, the “most improved” in the survey — the top 10 per cent in cyber outcomes — were five times more likely to have streamlined operations enterprise-wide.
Organisations in this top 10 per cent are also 10 times more likely to have implemented formal data trust practices and 11 times more likely to have a high level of understanding of third-party cyber and privacy risks, PwC said.
The survey found that executive and CEO respondents differ on how much support the CEO provides on cyber, with CEOs seeing themselves as more involved in, and supportive of, setting and achieving cyber goals than their teams do.
But PwC said that there is no disagreement that proactive CEO engagement in setting and achieving cyber goals makes a difference.
Executives in the “most improved” group, reporting the most progress in cybersecurity outcomes, were 12 times more likely to have broad and deep support on cyber from their CEOs, PwC said.
Most executives also believe that educating CEOs and boards so that they can better fulfil their cyber responsibilities is the most important act for realising a more secure digital society by 2030.
The survey of 3,602 business, technology, and security executives — CEOs, corporate directors, CFOs, CISOs, CIOs, and C-suite officers — was conducted in July and August by PwC Research.
Sixty-two per cent of respondents are at companies with revenues of $1 billion or more; 33 per cent are at companies with revenues of $10 billion or more.
Respondents operate in a range of industries: tech, media, telecom (23 per cent), industrial manufacturing (22 per cent), financial services (20 per cent), retail and consumer markets (16 per cent), energy, utilities and resources (8 per cent), health (7 per cent), and government and public services (3 per cent).
Respondents by region include: Western Europe (33 per cent), North America (26 per cent), Asia Pacific (18 per cent), Latin America (10 per cent), Eastern Europe (4 per cent), Middle East (4 per cent), and Africa (4 per cent).