KPMG cyber maturity assessment: the cyber threat to your business




Page 1: KPMG cyber maturity assessment: the cyber threat to your business

KPMG Cyber Maturity Assessment / February 2013

The financial and reputational costs of not being prepared against cyber attack are significant. Estimates suggest the global financial impact of cybercrime is US$114 billion.1 Companies are thought to bear almost 80 percent of these costs.2 Loss of consumer and shareholder confidence is a particular issue. A series of data breaches at Sony in 2011 contributed to a 30 percent fall in its share price and a US$170 million hit to operating profits.3 With this global proliferation of attacks, the question for organizations is not if they will be attacked but when.

It is also increasingly common for government buyers and large corporates to demand confidence in information management as a qualifier for lucrative contracts or partnerships. With the stakes so high, organizations must decide on their cyber risk appetite and how they will respond to cyber threats. There is a significant responsibility on executives to assure customers, stakeholders and employees that appropriate safeguards are in place.

What is the Cyber Maturity Assessment?

KPMG’s Cyber Maturity Assessment (CMA) provides a broad ranging review of an organization’s ability to manage and protect its information and its preparedness against cyber attack.

It is unique in the market in that it looks beyond pure technical preparedness. It takes a rounded view of people, process and technology to enable clients to understand areas of vulnerability, to prioritize areas for remediation and to demonstrate both corporate and operational compliance, turning information risk to business advantage.

In developing the CMA, KPMG has combined international information security standards with our global insight of best practice in risk management, cyber security, governance and people processes. The CMA addresses six key dimensions at three levels of maturity that together provide a comprehensive and in-depth view of an organization’s cyber maturity, as shown below.


1 Norton Cybercrime Report, 2011.

2 The Cost of Cybercrime, Detica/The Cabinet Office, 2011.

3 http://www.computerweekly.com/news/1280096016/Sony-hacks-hit-share-price-in-Tokyo-as-data-breaches-undermine-confidence

The six dimensions of the CMA:

• Leadership and Governance – Board demonstrating due diligence, ownership and effective management of risk

• Human Factors – The level and integration of a security culture that empowers and ensures the right people, skills, culture and knowledge

• Information Risk Management – The approach to achieve comprehensive and effective risk management of information throughout the organization and its delivery and supply partners

• Business Continuity and Crisis Management – Preparations for a security event and ability to prevent or minimize the impact through successful crisis and stakeholder management

• Operations and Technology – The level of control measures implemented to address identified risks and minimize the impact of compromise

• Legal and Compliance – Regulatory and international certification standards as relevant

Organizations are subject to increasing amounts of legislative, corporate and regulatory requirements to show that they are managing and protecting their information appropriately. Simultaneously, the threats from cyber criminals and hacktivists are growing in scale and sophistication. Organizations are increasingly vulnerable as a result of technological advances and changing working practices including remote access, big data, cloud computing, services on demand and mobile technology.

© 2013 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. All rights reserved.

Page 2: KPMG cyber maturity assessment: the cyber threat to your business

Through a combination of interviews, workshops, policy and process reviews and technical testing, KPMG’s CMA rapidly:

• Identifies current gaps in compliance and risk management of information assets;

• Assesses the true scale of cyber vulnerabilities;

• Sets out prioritized areas for remediation and an associated management action plan.

The CMA provides the flexibility to assess the level of cyber maturity on a site by site basis or at a company level. It helps to identify best practice within an organization and provides comparator information against peer groups and competitors.

In short, it provides executives with a rapid assessment of your organization’s readiness to prevent, detect, contain and respond to all threats to information assets.

Why KPMG?

The CMA is one component of KPMG’s Global Cyber Transformation Service. Our Cyber Transformation Service brings together specialists in information protection, technical security, risk infrastructure, organizational design, behavioral change and intelligence management. These combined skills are utilized to tailor a solution relevant to your risk appetite and the cyber threats your organization faces.

KPMG member firms are:

• Global – through our network of KPMG member firms, we employ over 145,000 professionals in 152 countries. KPMG cyber security industry professionals have deep expertise and can offer insight to you wherever you operate.

• Award-winning – KPMG in the UK was awarded ‘Information Security Consultant of the Year’ at both the 2011 and 2012 SC Magazine Europe Awards. KPMG in the UK was also highly commended for the Information Security Project of the Year category for I-4 program, which is the leading information security forum for large global businesses.

• Shaping the cyber agenda – Through I-4 (the International Information Integrity Institute) KPMG firms help the world’s leading organizations to work together to solve today’s and tomorrow’s biggest security challenges.

• Committed to you – KPMG’s client relationships are built on mutual trust and long-term commitment to providing effective and efficient strategies.

Contact us

For more information on the CMA or KPMG’s Cyber Transformation Services please contact one of our practitioners or visit us at www.kpmg.com/cybersecurity

UK

Stephen Bonner, Partner. T: +44 20 76941644 E: [email protected]

Ruth Anderson, Principal Advisor. T: +44 20 76942492 E: [email protected]

US

Tony Buffomante, Principal Advisor. T: +1 312 665 1748 E: [email protected]

Australia

Scott Cass-Dunbar, Director. T: +61 2 6248 1232 E: [email protected]

Netherlands

John Hermans, Partner. T: +31 6 5136 6389 E: [email protected]

Canada

Jeff Thomas, Partner. T: +1 403 691 8012 E: [email protected]

Germany

Jörg Asma, Partner. T: +49 221 2073 6233 E: [email protected]

kpmg.com/socialmedia

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2013 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.

Designed by Evalueserve.

Publication name: KPMG Cyber Maturity Assessment

Publication number: 120961. Publication date: February 2013