Cyber risk

Case studies

Leading cyber risk management in a smaller, more perilous world

A secure, vigilant, and resilient approach

By bringing the cyber element into an integrated risk management approach, Deloitte is helping clients around the world protect their data, their brands, and their organization's value.

Throughout most of history, crime has been a local phenomenon, perpetrated by individuals or groups in fairly concentrated areas. Today, the paradigm has changed. It's a "smaller" world, thanks to technology. Many banks in New York, London, and other cities are likely to be more concerned about being infiltrated by hackers located halfway around the world than they are about having branch offices robbed in person.

"The Internet is a primary terrain for reaching farther, getting things done faster, and getting smarter," says Ted DeZabala, DTTL Global Cyber Risk Services Leader. "The dramatic increase in cybercrime mirrors the innovations that public and private organizations have driven to grow, perform, compete, and serve their constituents."

When Deloitte member firms’ Security and Privacy practices became Cyber Risk Services in 2014, it was more than a name change; it signaled a new dialogue and approach to the problem. "The litany of breaches this past year shows that sometimes, no matter how good clients' defenses are, the attackers will succeed," DeZabala says. "To minimize damage to their brands, to fulfill their privacy obligations, to protect their valuations, and sometimes even to protect public safety, organizations need to get better at knowing when something bad is happening—and be able to recover operations when an attack does occur. Deloitte helps clients be not only secure, but also vigilant and resilient."

What distinguishes Deloitte, according to DeZabala, is member firms’ abilities to bring the cyber element and a deep regulatory understanding into an integrated business risk management approach. "Deloitte professionals support their clients, from their senior leaders all the way to their hands-on cyber risk specialists, in establishing programs attuned to their particular business risks, risk appetites, and investment levels," he says. "Other companies talk about aligning IT security with the business, but Deloitte’s ability to combine risk management, threat awareness, and deep knowledge of IT security puts us in a leading position to help clients through this transformation."

A globally coordinated effort

Deloitte member firms worldwide have contributed to the ongoing development of Cyber Risk Services' portfolio of offerings, and have expanded their rosters of skilled talent to meet the needs of the market. Their actions support Deloitte's overall ability to serve clients both locally and in joint efforts across national boundaries.

This collaboration and new cyber risk approach was apparent when a series of serious malware attacks in the Czech Republic in 2013 targeted major Czech banks, including a client of Czech Republic firm. Deloitte cyber risk professionals in the Czech Republic, Hungary, Netherlands, and Spain joined forces to help the client effectively handle the ongoing threat, recover from prior attacks, create a malware cybersecurity action plan, and perform a quality assessment of organizational and technical defense measures.

"The Czech situation is similar to hundreds that Deloitte encounters each year in countries around the world, and we fully expect those numbers to go up as cyber threats become more numerous and sophisticated," DeZabala says. "Organizations will continue to leverage and create technical advances. Today, we see it in the adoption of cloud computing, the pace of mobile application development, and the proliferation of 'smart' devices. Tomorrow, it will be things we haven't imagined yet. But, Deloitte helps clients anticipate the cyber risks on the horizon and be prepared to meet them."

Staying a step ahead

Deloitte remains on the leading edge of worldwide approaches to cyber risk thanks, in part, to its global Cyber Security Operations Centers (CyberSOC) and member firms’ Cyber Intelligence Centers (CIC). "Our CyberSOCs and CICs provide multinational threat awareness that supports Deloitte’s efforts to tailor solutions that are specific to industries and geographies," DeZabala explains.

The CyberSOC-CERT (Computer Emergency Response Team) Academy, a high-performance cyber-training platform designed for Deloitte professionals and clients worldwide, offers some of the most valued courses, workshops and “white hat hack labs” available. The Academy team includes Deloitte's most skilled cyber risk professionals, as well as other technology professionals who specialize in the IT industry's most-adopted products.

In addition to its work with clients, Deloitte also is sought out by organizations like the Securities Industry and Financial Markets Association (SIFMA) in the U.S., which selected Deloitte & Touche LLP (Deloitte U.S.) to participate in "Quantum Dawn 2," one of the most comprehensive cyber crisis simulations ever conducted. Organized in 2013 by SIFMA, along with major financial institutions and government agencies, the simulation involved a series of systemic cyber attacks that attempted to disrupt trading in U.S. equities markets.

"We approached Deloitte U.S.’s Cyber Risk Services group to lead the observation and subsequent reporting of the simulation because of its leadership position in the cybersecurity space," says Karl Schimmeck, Vice President of Financial Services Operations at SIFMA. Deloitte U.S.'s cyber risk professionals assisted SIFMA during the development of the test and placed observers in key cities while it was conducted. Deloitte U.S. also produced an after-actions report to offer recommendations around ways to improve sector-wide responses to cyber events and considerations for further protecting the financial services infrastructure.

End-to-end risk solutions

Cyber risk is a core service area in Deloitte's Risk Advisory business. Deloitte’s Risk Advisory practice is a global leader in helping clients address their most complex risk issues by delivering end-to-end integrated risk solutions. It focuses on highly regulated, high-growth industries and sectors that face significant market risks. To remain a global leader in cyber and other risk services, in addition to training and certifying its professionals, Risk Advisory enhanced its capabilities through strategic acquisitions during the past year:

  • Deloitte Australia quadrupled its number of cyber risk specialists with the acquisition of The Brief Group, one of the country's leading authorities in optimizing clients' health and safety management;
  • Deloitte Canada acquired Urgentis Digital Crisis Solutions Inc., a firm that helps companies prepare for and respond to cyber attacks;
  • Deloitte Denmark bought MN Security, a company recognized for its SAP security consulting. The move makes the Danish firm one of Scandinavia's largest SAP consulting companies; and
  • Deloitte U.S. brought into the fold a company called Vigilant, Inc., which specializes in threat intelligence, contextual awareness, and cyber risk detection.

"Growing awareness of cyber threats has sometimes led to growing fear. It's Deloitte’s job to take the fear out of addressing cyber risk," DeZabala says. "Today's organizations can't stop innovating. We can bring them pragmatic, realistic ways of integrating the management of cyber risk into their forward-looking strategies. We're proud of our network’s evolution this year, and there's more to come."

In this report, the terms Deloitte, our, we, and us are used to refer to the Deloitte Touche Tohmatsu Limited (DTTL) network of member firms or to one or more DTTL member firms. See additional information.

[Caption]: Photo credit top banner, Joyce Sau Yan Tse, Deloitte China

Cyber security

DTTL member firms were recognized as a winner of the "Global Strategic Partner Excellence Awards—Innovation" for collaboration in the area of cyber risk. The Symantec Innovation Award rewards a strategic relationship showcasing new innovative solutions that build on and/or expand the capabilities and scope of standard Symantec solutions.

Deloitte ranked #1 globally in Security Consulting by Gartner

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


Source: Gartner, Market Share Analysis: Security Consulting, Worldwide, 2013, Jacqueline Heng, Lawrence Pingree, 15 April, 2014.

Deloitte named a global leader in Cyber Security Consulting by Kennedy

Source: Kennedy Consulting Research & Advisory; Cyber Security Consulting 2013; Kennedy Consulting Research & Advisory estimates. © 2013 Kennedy Information LLC, Reproduced under license.

Deloitte named a leader in Information Security Services Consulting by Forrester

Source: Forrester Research, Inc. The Forrester WaveTM: Information Security Consulting Services Q1 2013”, Ed Ferrara and Andrew Rose, February 1, 2013

Did you find this useful?