Cybercrime: Rising risks, reduced readiness

www.pwc.com/security

Most US organizations are unprepared to combat today’s skilled and sophisticated cyber adversaries.

June 10, 2014

Key findings from the 2014 US State of Cybercrime Survey

Caesar J. Sedek
Peter Durojaiye

Agenda

• Results of the 2014 US State of Cybercrime Survey
• Introduction to the NIST* Cybersecurity Framework
• Cybersecurity: The New Reality
• Adapting to the New Reality
• Q/A Session

* National Institute of Standards and Technology

Speaker Bios

Peter Durojaiye
Manager
(213) 830-8304

Peter is an experienced manager in PwC’s IT Security, Privacy & Risk Advisory practice. He has eight years of experience assessing, managing and implementing information security solutions. Peter specializes in IT strategy, information protection and security, increased compliance, delegated administration and policy-based user identity, and access management. He has led several security technologies implementations across multiple industries. Peter has deep ties to the greater Los Angeles market dating back to his academic studies at UCLA, where he obtained both his undergraduate and graduate degrees in Computer Science and Systems Engineering, respectively.

Caesar Julius Sedek, CISSP, CISM, CRISC, CIPP/IT
Manager
(213) 407-1810

Caesar is a manager in PwC’s IT Security, Privacy and Risk Advisory practice based in Los Angeles. He has nearly 20 years of information security experience, including managing and building operational security organizations using risk-based strategies. He specializes in delivering complex, multinational projects focusing on security strategy, information security program management, industry framework, and regulatory compliance including: ISO, NIST, ISF, CobIT, HIPAA, PCI-DSS and Safe Harbor. Caesar has a decade of experience in the Media and Entertainment industries specializing in intellectual property, content protection, anti-piracy and privacy. He has extensive international work experience and deep knowledge of international privacy regulations.

2014 Cybersecurity Survey


A cross-industry survey of US business, security, IT, and law enforcement executives.

The 2014 US State of Cybercrime Survey was co-sponsored by PwC, CSO magazine, the Software Engineering Institute CERT® Program at Carnegie Mellon University, and the United States Secret Service.

• More than 550 responses from decision-makers such as CIOs, CSOs, CISOs, CTOs, CEOs, CFOs, law enforcement officers, and prosecutors from public and private sectors
• More than 60 questions on topics related to security incidents, supply chain security, risk assessment, threat actors, technology safeguards, and law enforcement procedures
• Forty-seven percent (47%) of respondents from organizations with 1,000 or more employees
• Twenty-seven percent (27%) of respondents from organizations with annual security budgets of $1 million or more

The current US State of Cybercrime is menacing, and the future doesn’t look promising.

The cybersecurity programs of US organizations have not kept pace with the spiraling persistence, tactical skills, and technological expertise of today’s global cyber adversaries.

• The FBI notified 3,000 US companies that they were victims of cyber intrusions in 2013.
• High-profile breaches of US retailers continue.
• The Heartbleed bug confirms the ingenuity and technical prowess of threat actors.
• Critical infrastructures are increasingly at risk because their legacy architecture is easy to compromise.
• The “Internet of Things” will introduce new security risks for businesses, consumers, & governments.

The risks and repercussions of cybercrime are rising.

Survey respondents detected an average of 135 security incidents last year. Among those that could calculate financial costs—and most could not—the average annual monetary loss was $415,000, an increase of 176% over the year before.

Cybercrime in the past year

• Experienced a cybercrime incident in past 12 months: 77%
• Do not know the financial impact of cybercrime incident: 70%
• My organization is more concerned about cybersecurity than in the past year: 59%
• The number of security incidents has increased over last year: 34%

Viruses, worms, and spyware are the most common incidents, but other frequent events are more serious.

Incidents that can impact operations, reputation, financial performance, and privacy regulations convey significant risks—and they are not infrequent. Hackers (24%) and current employees (13%) are cited as the most frequent sources of these incidents.

Serious types of incidents detected

• Network slowed/unavailable: 30%
• E-mail, other applications unavailable: 23%
• Denial of service attacks: 22%
• Unauthorized access to/use of data, systems, networks: 17%
• Customer records compromised or stolen: 12%
• Private or sensitive information unintentionally exposed: 12%

Cyber insecurity: 8 cybersecurity issues that should concern you

1. Spending with a misaligned strategy isn’t smart
Strategy should be linked to business objectives, with allocation of resources tied to risks.

2. Business partners fly under the security radar
Recent contractor data leaks and payment card heists have proved that adversaries can and will infiltrate systems via third parties, but most organizations do not address third-party security.

3. A missing link in the supply chain
Flow of data to supply chain partners continues to surge, yet they are not required to comply with privacy and security policies.

4. Slow moves in mobile security
Mobile technologies and risks are proliferating but security efforts are not keeping up.

5. Failing to assess for threats is risky business
Organizations typically include cyber risks in enterprise risk-management programs but do not regularly assess threats.

6. It takes a team to beat a crook
External collaboration is critical to understanding today’s threats and improving cybersecurity but most don’t work with others.

7. Got suspicious employee behavior?
Cybersecurity incidents carried out by employees have serious impact, yet are not addressed with the same rigor as external threats like hackers.

8. Untrained employees drain revenue
Employee vulnerabilities are well known, but businesses do not train workers in good cybersecurity hygiene.

Despite increasing threats, most respondents do not strategically invest in cybersecurity.

Only 38% of overall respondents said they prioritize security investments based on greatest risk and impact to the organization’s business strategy. Heavily regulated industries like Banking and Finance are much more likely to do so.

Have methodology to prioritize security based on risk

• Banking & Finance: 61%
• Healthcare: 33%
• Insurance: 33%
• Information & Telecommunications: 31%
• Government: 27%
• Education: 20%

Respondents do not evaluate the cybersecurity capabilities of third-party and supply chain partners.

As recent high-profile data breaches have proved, third-party partners can provide access to troves of confidential data. Failure to ensure that third parties comply with cybersecurity practices is potentially dangerous.

Third-party processes in place

• Process for evaluating third parties before launch operations: 44%
• Process for assessing third parties with which share data or networks before launch operations: 41%
• Include security provisions in contract negotiations with external vendors and suppliers: 31%
• Conduct incident-response planning with third-party supply chain: 27%

Mobility has generated a deluge of business data, but deployment of mobile security has not kept pace with use.

Smartphones, tablets, and the “bring your own device” trend have elevated security risks, yet only 31% of respondents have a mobile security strategy in place. Other security efforts continue to trail the use of these devices.

Mobile device security safeguards in place

• Remote wipe capability: 50%
• Device encryption: 38%
• Strong authentication on devices: 37%
• Mobile device management software: 36%
• Protection of corporate e-mail and calendaring on employee- and user-owned devices: 36%
• Ban of non-corporate-supplied devices in the workplace/network access: 20%
• Geo-fencing capability: 5%
• None: 16%

Organizations do not thoroughly assess their ecosystem for cyber risks.

While 81% of respondents say they include cyber threats in enterprise risk-management, most do not implement the tools and processes necessary for comprehensive assessment.

Tools & processes used to assess risks

• Conduct periodic risk assessments: 47%
• Perform security event analysis: 40%
• Conduct vulnerability management: 40%
• Periodic systems penetration testing: 32%
• Participate in Information Sharing & Analysis Center: 25%
• Conduct cyber threat research: 23%

Employees represent a significant, but unchecked, threat.

While “bad guys” like hackers and nation-states dominate headlines, 28% of respondents say employees are a source of security incidents. Yet only 49% have a plan for responding to insider threats.

Top threats employees pose to network security

• Victims of social engineering: 58%
• Lost laptop, smartphone, USB drive, or other sensitive materials: 58%
• Unintentional destruction or manipulation of data: 45%
• Vulnerabilities of mobile devices: 44%
• Attaching unauthorized devices to the network: 43%
• Unintentional theft of intellectual property: 40%
• Vulnerabilities of remote access: 35%

Employee awareness can help deter incidents and reduce costs, but most organizations lack training programs.

Respondents understand that employees present significant risks but they do not invest in training. Doing so can lessen the financial costs of cybersecurity events by as much as 76%.

Employee awareness & training initiatives in place

• Security training program for new employees: 46%
• Periodic security education & awareness programs: 44%
• Employees are required to review & accept written inappropriate use policy: 40%
• Onsite first responders trained to properly handle digital evidence: 20%

How employee training can pay off

• $683,000: Annual losses of companies that do not have new employee training
• $162,000: Annual losses of companies that do have new employee training

NIST Cybersecurity Framework


The NIST Cybersecurity Framework (“CSF”) was developed through public-private collaboration and provides a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses.

• The CSF does not introduce new standards or concepts; rather, it leverages and integrates industry-leading cybersecurity practices that have been developed by organizations like NIST and the International Standardization Organization (“ISO”)
• The CSF comprises a risk-based compilation of guidelines that can help organizations identify, implement, and improve cybersecurity practices
• The CSF is a reiterative process designed to evolve in synch with changes in cybersecurity threats, processes, and technologies
• The CSF provides an assessment mechanism that enables organizations to determine their current cybersecurity capabilities, set individual goals for a target state, and establish a plan for improving and maintaining cybersecurity programs

Framework Components

The Cybersecurity framework has three primary components: Profile, Implementation Tiers, and Core.

• Profile: Current vs. Target Profile
• Implementation Tiers: Risk Management Processes and Tolerance
• Core: Functions, Categories, Subcategories

Framework Components – Core

The Framework Core defines standardized cybersecurity activities, desired outcomes, and applicable references that constitute a continuous cycle of effective cybersecurity.

Function: Identify
Definition: An understanding of how to manage cybersecurity risks to systems, assets, data, and capabilities
Categories: Asset management, business environment, governance, risk assessment, risk management strategy

Function: Protect
Definition: The controls and safeguards necessary to protect or deter cybersecurity threats
Categories: Access control, awareness and training, data security, data protection processes, maintenance, protective technologies

Function: Detect
Definition: Continuous monitoring to provide proactive and real-time alerts of cybersecurity-related events
Categories: Anomalies and events, continuous monitoring, detection processes

Function: Respond
Definition: Incident-response activities
Categories: Response planning, communications, analysis, mitigation, improvements

Function: Recover
Definition: Business continuity plans to maintain resilience and recover capabilities after a cyber breach
Categories: Recovery planning, improvements, communications

Framework Components – Tiers

Implementation Tiers help create a context that enables organizations to understand how their current cybersecurity risk-management capabilities stack up against the characteristics described by the Framework.

Tier 1: Partial
• Risk-management is ad hoc, with limited awareness of risks and no collaboration with others

Tier 2: Risk Informed
• Risk-management processes and program are in place but are not integrated enterprise-wide; collaboration is understood but organization lacks formal capabilities

Tier 3: Repeatable
• Formal policies for risk-management processes and programs are in place enterprise-wide, with partial external collaboration

Tier 4: Adaptive
• Risk-management processes and programs are based on lessons learned and embedded in culture, with proactive collaboration

Framework Components – Profile

The Profile component enables organizations to align and improve cybersecurity practices based on their individual business needs, tolerance for risk, and available resources.

[Figure: Current Profile and Target Profile, compared to identify gaps]

• Organizations will assess their “Current Profile” by measuring their existing programs against the recommended practices in the Framework Core.
• Organizations then identify a “Target Profile” that focuses on the Framework Core categories and subcategories that align to the organization’s desired cybersecurity outcomes.
• A comparison of the Current State Profile and Target State Profile will identify the gaps that should be closed to enhance cybersecurity and provide the basis for a prioritized roadmap.

How current cybersecurity compares with the CSF.

To compare how the security programs of survey respondents achieve the recommended CSF guidelines, we identified key responses to this year’s US State of Cybercrime Survey questions that correspond with best practices as prescribed by the CSF’s Core functions.

• Identify: Know how to manage risks to systems, assets, data, & capabilities
• Protect: Controls & safeguards to protect assets and deter threats
• Detect: Continuous monitoring & real-time alerts of events
• Respond: Policies & activities necessary for prompt responses to incidents
• Recover: Business continuity plans to maintain resilience & recover capabilities after a breach

Most respondents’ cybersecurity programs lack key components of the Framework’s Core guidelines (cont.)

We found that the vast majority of respondents’ cybersecurity programs fall very short of the CSF guidelines.

Practices, policies, & technologies in place

Identify

Program to identify sensitive assets

Prioritize security investments based on risk/impact to business strategy

38%

Hired a Chief Security Officer (CSO) or Chief Information Security Officer (CISO)

28% 8%

Supply chain risk management program

Protect 49%

Identity management tools

44%

Data Loss Prevention technology Incident response team


31%


Most respondents’ cybersecurity programs lack key components of the Framework’s Core guidelines (cont.)

Implementation of critical detection practices and technologies is particularly weak.

Practices, policies, & technologies in place

Detect
• Vulnerability management: 40%
• Cyber threat intelligence analysis: 33%
• Use of SIEM technologies: 26%

Respond
• Have formal policies & procedures for reporting & responding to cyber events: 54%
• Participate in Information Sharing & Analysis Centers (ISACs): 25%
• Computer forensics: 25%

Recover
• Have a methodology to determine effectiveness of security: 53%
• Have satisfactory outside communications firms (PR, crisis management): 20%

Benefits beyond improved cybersecurity

Beyond the improved cybersecurity posture, NIST CSF can deliver ancillary benefits including:

• Effective collaboration and communication of security posture with executives and industry organizations
• Potential future improvements in legal exposure and even assistance with regulatory compliance
• Enabling security leaders to effectively communicate security practices, goals, and compliance requirements with third-party partners, service providers, and regulators

Cybersecurity: The New Reality


Putting cybersecurity into perspective

• Cybersecurity represents many things to many different people
• Key characteristics and attributes of cybersecurity:
  ─ Broader than just information technology and not limited to just the enterprise
  ─ Increasing attack surface due to technology connectivity and convergence
  ─ An ‘outside-in view’ of the threats and potential impact facing an organization
  ─ Shared responsibility that requires cross functional disciplines in order to plan, protect, defend and respond

The cyber challenge now extends beyond the enterprise

Global Business Ecosystem

Traditional boundaries have shifted; companies operate in a dynamic environment that is increasingly interconnected, integrated, and interdependent.

• The ecosystem is built around a model of open collaboration and trust—the very attributes being exploited by an increasing number of global adversaries.
• Constant information flow is the lifeblood of the business ecosystem. Data is distributed and dispersed throughout the ecosystem, expanding the domain requiring protection.
• Adversaries are actively targeting critical assets throughout the ecosystem—significantly increasing the exposure and impact to businesses.
• Years of underinvestment in security have impacted organizations’ ability to adapt and respond to evolving, dynamic cyber risks.

[Figure: Global Business Ecosystem. Pressures and changes which create opportunity and risk]

Profiles of threat actors

Adversary: Nation State
Motives:
• Economic, political, and/or military advantage
Targets:
• Trade secrets
• Sensitive business information
• Emerging technologies
• Critical infrastructure
Impact:
• Loss of competitive advantage
• Disruption to critical infrastructure

Adversary: Organized Crime
Motives:
• Immediate financial gain
• Collect information for future financial gains
Targets:
• Financial / Payment Systems
• Personally Identifiable Information
• Payment Card Information
• Protected Health Information
Impact:
• Costly regulatory inquiries and penalties
• Consumer and shareholder lawsuits
• Loss of consumer confidence

Adversary: Hacktivists
Motives:
• Influence political and/or social change
• Pressure business to change their practices
Targets:
• Corporate secrets
• Sensitive business information
• Information related to key executives, employees, customers & business partners
Impact:
• Disruption of business activities
• Brand and reputation
• Loss of consumer confidence

Adversary: Insiders
Motives:
• Personal advantage, monetary gain
• Professional revenge
• Patriotism
Targets:
• Sales, deals, market strategies
• Corporate secrets, IP, R&D
• Business operations
• Personnel information
Impact:
• Trade secret disclosure
• Operational disruption
• Brand and reputation
• National security impact

Evolving perspectives

Considerations for businesses adapting to the new reality

Scope of the challenge
• Historical IT security perspective: Limited to your “four walls” and the extended enterprise
• Today’s leading cybersecurity insight: Spans your interconnected global business ecosystem

Ownership and accountability
• Historical IT security perspective: IT led and operated
• Today’s leading cybersecurity insight: Business-aligned and owned; CEO and board accountable

Adversaries’ characteristics
• Historical IT security perspective: One-off and opportunistic; motivated by notoriety, technical challenge, and individual gain
• Today’s leading cybersecurity insight: Organized, funded and targeted; motivated by economic, monetary and political gain

Information asset protection
• Historical IT security perspective: One-size-fits-all approach
• Today’s leading cybersecurity insight: Prioritize and protect your “crown jewels”

Defense posture
• Historical IT security perspective: Protect the perimeter; respond if attacked
• Today’s leading cybersecurity insight: Plan, monitor, and rapidly respond when attacked

Security intelligence and information sharing
• Historical IT security perspective: Keep to yourself
• Today’s leading cybersecurity insight: Public/private partnerships; collaboration with industry working groups

Adapting to the New Reality


Keeping pace with the new reality

Operating in the global business ecosystem requires you to think differently about your security program and investments.

Engage and commit with the business
• Leadership, ownership, awareness and accountability for addressing the cyber-risks that threaten the business
• Business alignment and enablement of objectives

Rationalize and prioritize investments
• Critical assets are constantly evaluated given they are fundamental to the brand, business growth and competitive advantage
• Threats and impact to the business are considered as investment activities are contemplated

Transform and execute the security program
• New and enhanced capabilities are needed to meet the ever changing cybersecurity challenges
• A comprehensive program includes cross functional coordination and collaboration
• The security implications related to the convergence of Information Technology, Operational Technology and Company Products and Services are addressed

[Figure labels: Board, Audit Committee, and Executive Leadership; Security Strategy and Roadmap; Security Program, Resources and Capabilities; Investment Activities; Projects and Initiatives; Functions and Services; Resource Prioritization; Risk and Impact Evaluation; Business Alignment and Enablement]

Why organizations have not kept pace

Years of underinvestment in certain areas have left organizations unable to adequately adapt and respond to dynamic cyber risks.

Board, Audit Committee, and Executive Leadership Engagement

Product & Service Security Threat Modeling & Scenario Planning

Critical Asset User Identification and Administration Protection

Ecosystem & Supply Chain Security

Public/Private Information Sharing

Monitoring and Detection

Technology Debt Management

Privileged Access Management Incident and Crisis Management

Global Security Operations

Technology Adoption and Enablement

Process and Technology Fundamentals

Notification and Disclosure

Threat Intelligence

Patch & Configuration Management

Secure Mobile and Cloud Computing

Operational Technology Security

Physical Security

Insider Threat

Breach Investigation and Response

Security Technology Rationalization Compliance Remediation

Resource Prioritization

Risk and Impact Evaluation

Business Alignment and Enablement

Security Culture and Mindset

Security Strategy and Roadmap

Security Program, Functions, Resources and Capabilities


Have you kept pace?

Questions to consider when evaluating your ability to respond to the new challenges.

Identify, prioritize, and protect the assets most essential to the business
• Have you identified your most critical assets and know where they are stored and transmitted?
• How do you evaluate their value and impact to the business if compromised?
• Do you prioritize the protection of your crown jewels differently than other information assets?

Understand the threats to your industry and your business
• Who are your adversaries and what are their motivations?
• What information are they targeting and what tactics are they using?
• How are you anticipating and adapting your strategy and controls?

Evaluate and improve effectiveness of existing processes and technologies
• Have you patched and upgraded your core platforms and technology?
• How are you securing new technology adoption and managing vulnerability with your legacy technology?
• Have you evolved your security architecture and associated processes?

Enhance situational awareness to detect and respond to security events
• How are you gaining visibility into internal and external security events and activities?
• Are you applying correlation and analytics to identify patterns or exceptions?
• How do you timely and efficiently determine when to take action?

Develop a cross-functional incident response plan for effective crisis management
• Have your business leaders undertaken cyberattack scenario planning?
• Do you have a defined cross functional structure, process and capability to respond?
• Are you enhancing and aligning your plan to ongoing business changes?

Establish values and behaviors to create and promote security effectiveness
• How is leadership engaged and committed to addressing cyber risks facing the business?
• What sustained activities are in place to improve awareness and sensitivity to cyber risks?
• How have your business practices evolved to address the threats to your business?

Take a strategic approach to cybersecurity: Five key steps

Remember that support from executive leaders and the Board will be critical to implementing these steps and the ongoing success of the cybersecurity program.

1. Ensure that your cybersecurity strategy is aligned with business objectives and is strategically funded
2. Identify your most valuable information assets, and prioritize protection of this high-value data
3. Understand your adversaries, including their motives, resources, and methods of attack
4. Assess cybersecurity of third parties and supply chain partners, and ensure they adhere to your security policies and practices
5. Collaborate with others to increase awareness of cybersecurity threats and response tactics

How We Can Help

We can help you understand your dynamic cyber challenges, adapt and respond to risks, and protect the assets most critical to the business.

Industry and sector aligned solutions
We combine our industry specific experience and perspectives to address relevant trends, challenges and opportunities our clients face in their industry and the markets they serve.

Business led approach – diverse capabilities
We leverage and integrate our business, technical, regulatory, analytical, and investigative knowledge and know-how to deliver actionable and sustainable solutions.

• Align with the business: Prioritize investments, allocate resources, and align security capabilities with the strategic imperatives and initiatives of the organization.
• Manage risk and regulations: Efficiently and effectively identify, evaluate and manage risk to the business while addressing the evolving regulatory requirements.
• Secure by design: Create sustainable security solutions to provide foundational capabilities and operational discipline.
• Adapt to the future: Assess the opportunities and security related risks of new technology adoption and dynamically changing business models.
• Anticipate and respond to security crises: Plan, detect, investigate, and react timely and thoroughly to security incidents, breaches and compromises.
• Address threats and weaknesses: Anticipate changes in the risk landscape through situational awareness of the internal and external factors impacting the business ecosystem.
• Enable secure access: Provide integrated and secure processes, services, and infrastructure to enable appropriate controls over access to critical systems and assets.
• Safeguard critical assets: Identify, prioritize, and protect sensitive or high value business assets.

Questions?

September 2010

For more information on Cybersecurity…

www.pwc.com/cybersecurity

− Results of 2014 Global State of Information Security
− 2014 US State of Cybercrime Survey Whitepaper
− 10Minutes on the stark realities of cybersecurity
− Why you should adopt the NIST Cybersecurity Framework
− Cyber economic espionage in corporate America: What comes next?
− PwC’s cyber video series

Questions?

Gary Loveland, PwC, Principal, (949) 437-5380
Peter Durojaiye, PwC, Manager IT SP&R, (310) 529-4693
Caesar J. Sedek, PwC, Manager IT SP&R, (213) 407-1810

© 2014 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC US refers to the US member firm, and PwC may refer to either the PwC network of firms or the US member firm. Each member firm is a separate legal entity. Please see www.pwc.com/strucutre for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. PricewaterhouseCoopers has exercised reasonable care in the collecting, processing, and reporting of this information but has not independently verified, validated, or audited the data to verify the accuracy or completeness of the information. PricewaterhouseCoopers gives no express or implied warranties, including but not limited to any warranties of merchantability or fitness for a particular purpose or use and shall not be liable to any entity or person using this document, or have any liability with respect to this document. This report is intended for internal use only by the recipient and should not be provided in writing or otherwise to any other third party without PricewaterhouseCoopers express written consent.

April 2014