www.pwc.com/security
Cybercrime: Rising risks, reduced readiness
Most US organizations are unprepared to combat today’s skilled and sophisticated cyber adversaries.
June 10, 2014
Key findings from the 2014 US State of Cybercrime Survey
Caesar J. Sedek
Peter Durojaiye
Agenda
• Results of the 2014 US State of Cybercrime Survey
• Introduction to the NIST* Cybersecurity Framework
• Cybersecurity: The New Reality
• Adapting to the New Reality
• Q/A Session
* National Institute of Standards and Technology PwC
Speaker Bios

Peter Durojaiye
Manager
(213) 830-8304
Peter is an experienced manager in PwC’s IT Security, Privacy & Risk Advisory practice. He has eight years of experience assessing, managing and implementing information security solutions. Peter specializes in IT strategy, information protection and security, increased compliance, delegated administration and policy-based user identity, and access management. He has led several security technologies implementations across multiple industries. Peter has deep ties to the greater Los Angeles market dating back to his academic studies at UCLA, where he obtained both his undergraduate and graduate degrees in Computer Science and Systems Engineering, respectively.

Caesar Julius Sedek, CISSP, CISM, CRISC, CIPP/IT
Manager
(213) 407-1810
Caesar is a manager in PwC’s IT Security, Privacy and Risk Advisory practice based in Los Angeles. He has nearly 20 years of information security experience, including managing and building operational security organizations using risk-based strategies. He specializes in delivering complex, multinational projects focusing on security strategy, information security program management, industry framework, and regulatory compliance including: ISO, NIST, ISF, CobIT, HIPAA, PCI-DSS and Safe Harbor. Caesar has a decade of experience in the Media and Entertainment industries specializing in intellectual property, content protection, anti-piracy and privacy. He has extensive international work experience and deep knowledge of international privacy regulations.
2014 Cybersecurity Survey
A cross-industry survey of US business, security, IT, and law enforcement executives.
The 2014 US State of Cybercrime Survey was co-sponsored by PwC, CSO magazine, the Software Engineering Institute CERT® Program at Carnegie Mellon University, and the United States Secret Service.
• More than 550 responses from decision-makers such as CIOs, CSOs, CISOs, CTOs, CEOs, CFOs, law enforcement officers, and prosecutors from public and private sectors
• More than 60 questions on topics related to security incidents, supply chain security, risk assessment, threat actors, technology safeguards, and law enforcement procedures
• Forty-seven percent (47%) of respondents from organizations with 1,000 or more employees
• Twenty-seven percent (27%) of respondents from organizations with annual security budgets of $1 million or more
The current US State of Cybercrime is menacing, and the future doesn’t look promising.
The cybersecurity programs of US organizations have not kept pace with the spiraling persistence, tactical skills, and technological expertise of today’s global cyber adversaries.
• The FBI notified 3,000 US companies that they were victims of cyber intrusions in 2013.
• High-profile breaches of US retailers continue.
• The Heartbleed bug confirms the ingenuity and technical prowess of threat actors.
• Critical infrastructures are increasingly at risk because their legacy architecture is easy to compromise.
• The “Internet of Things” will introduce new security risks for businesses, consumers, & governments.
The risks and repercussions of cybercrime are rising.
Survey respondents detected an average of 135 security incidents last year. Among those that could calculate financial costs—and most could not—the average annual monetary loss was $415,000, an increase of 176% over the year before.
Cybercrime in the past year
• Experienced a cybercrime incident in past 12 months: 77%
• Do not know the financial impact of cybercrime incident: 70%
• My organization is more concerned about cybersecurity than in the past year: 59%
• The number of security incidents has increased over last year: 34%
Viruses, worms, and spyware are the most common incidents, but other frequent events are more serious.
Incidents that can impact operations, reputation, financial performance, and privacy regulations convey significant risks—and they are not infrequent. Hackers (24%) and current employees (13%) are cited as the most frequent sources of these incidents.
Serious types of incidents detected
• Network slowed/unavailable: 30%
• E-mail, other applications unavailable: 23%
• Denial of service attacks: 22%
• Unauthorized access to/use of data, systems, networks: 17%
• Customer records compromised or stolen: 12%
• Private or sensitive information unintentionally exposed: 12%
Cyber insecurity: 8 cybersecurity issues that should concern you
1. Spending with a misaligned strategy isn’t smart
Strategy should be linked to business objectives, with allocation of resources tied to risks.
2. Business partners fly under the security radar
Recent contractor data leaks and payment card heists have proved that adversaries can and will infiltrate systems via third parties, but most organizations do not address third-party security.
3. A missing link in the supply chain
Flow of data to supply chain partners continues to surge, yet they are not required to comply with privacy and security policies.
4. Slow moves in mobile security
Mobile technologies and risks are proliferating but security efforts are not keeping up.
5. Failing to assess for threats is risky business
Organizations typically include cyber risks in enterprise risk-management programs but do not regularly assess threats.
6. It takes a team to beat a crook
External collaboration is critical to understanding today’s threats and improving cybersecurity but most don’t work with others.
7. Got suspicious employee behavior?
Cybersecurity incidents carried out by employees have serious impact, yet are not addressed with the same rigor as external threats like hackers.
8. Untrained employees drain revenue
Employee vulnerabilities are well known, but businesses do not train workers in good cybersecurity hygiene.
[Figure labels: Boardroom, CEO, CFO, IT/IS, HR, Employees]
Despite increasing threats, most respondents do not strategically invest in cybersecurity.
Only 38% of overall respondents said they prioritize security investments based on greatest risk and impact to the organization’s business strategy. Heavily regulated industries like Banking and Finance are much more likely to do so.
Have methodology to prioritize security based on risk
• Banking & Finance: 61%
• Healthcare: 33%
• Insurance: 33%
• Information & Telecommunications: 31%
• Government: 27%
• Education: 20%
Respondents do not evaluate the cybersecurity capabilities of third-party and supply chain partners.
As recent high-profile data breaches have proved, third-party partners can provide access to troves of confidential data. Failure to ensure that third parties comply with cybersecurity practices is potentially dangerous.
Third-party processes in place
• Process for evaluating third parties before launch operations: 44%
• Process for assessing third parties with which share data or networks before launch operations: 41%
• Include security provisions in contract negotiations with external vendors and suppliers: 31%
• Conduct incident-response planning with third-party supply chain: 27%
Mobility has generated a deluge of business data, but deployment of mobile security has not kept pace with use.
Smartphones, tablets, and the “bring your own device” trend have elevated security risks, yet only 31% of respondents have a mobile security strategy in place. Other security efforts continue to trail the use of these devices.
Mobile device security safeguards in place
• Remote wipe capability: 50%
• Device encryption: 38%
• Strong authentication on devices: 37%
• Mobile device management software: 36%
• Protection of corporate e-mail and calendaring on employee- and user-owned devices: 36%
• Ban of non-corporate-supplied devices in the workplace/network access: 20%
• Geo-fencing capability: 5%
• None: 16%
Organizations do not thoroughly assess their ecosystem for cyber risks.
While 81% of respondents say they include cyber threats in enterprise risk-management, most do not implement the tools and processes necessary for comprehensive assessment.
Tools & processes used to assess risks
• Conduct periodic risk assessments: 47%
• Perform security event analysis: 40%
• Conduct vulnerability management: 40%
• Periodic systems penetration testing: 32%
• Participate in Information Sharing & Analysis Center: 25%
• Conduct cyber threat research: 23%
Employees represent a significant, but unchecked, threat.
While “bad guys” like hackers and nation-states dominate headlines, 28% of respondents say employees are a source of security incidents. Yet only 49% have a plan for responding to insider threats.
Top threats employees pose to network security
• Victims of social engineering: 58%
• Lost laptop, smartphone, USB drive, or other sensitive materials: 58%
• Unintentional destruction or manipulation of data: 45%
• Vulnerabilities of mobile devices: 44%
• Attaching unauthorized devices to the network: 43%
• Unintentional theft of intellectual property: 40%
• Vulnerabilities of remote access: 35%
Employee awareness can help deter incidents and reduce costs, but most organizations lack training programs.
Respondents understand that employees present significant risks but they do not invest in training. Doing so can lessen the financial costs of cybersecurity events by as much as 76%.
Employee awareness & training initiatives in place
• Security training program for new employees: 46%
• Periodic security education & awareness programs: 44%
• Employees are required to review & accept written inappropriate use policy: 40%
• Onsite first responders trained to properly handle digital evidence: 20%
How employee training can pay off
• $683,000: Annual losses of companies that do not have new employee training
• $162,000: Annual losses of companies that do have new employee training
NIST Cybersecurity Framework
NIST Cybersecurity Framework
The NIST Cybersecurity Framework (“CSF”) was developed through public-private collaboration and provides a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses.
• The CSF does not introduce new standards or concepts; rather, it leverages and integrates industry-leading cybersecurity practices that have been developed by organizations like NIST and the International Standardization Organization (“ISO”)
• The CSF comprises a risk-based compilation of guidelines that can help organizations identify, implement, and improve cybersecurity practices
• The CSF is a reiterative process designed to evolve in synch with changes in cybersecurity threats, processes, and technologies
• The CSF provides an assessment mechanism that enables organizations to determine their current cybersecurity capabilities, set individual goals for a target state, and establish a plan for improving and maintaining cybersecurity programs
Framework Components
The Cybersecurity framework has three primary components: Profile, Implementation Tiers, and Core.
• Profile: Current vs. Target Profile
• Implementation Tiers: Risk Management Processes and Tolerance
• Core: Functions, Categories, Subcategories
Framework Components – Core
The Framework Core defines standardized cybersecurity activities, desired outcomes, and applicable references that constitute a continuous cycle of effective cybersecurity.

Function: Identify
Definition: An understanding of how to manage cybersecurity risks to systems, assets, data, and capabilities
Categories: Asset management, business environment, governance, risk assessment, risk management strategy

Function: Protect
Definition: The controls and safeguards necessary to protect or deter cybersecurity threats
Categories: Access control, awareness and training, data security, data protection processes, maintenance, protective technologies

Function: Detect
Definition: Continuous monitoring to provide proactive and real-time alerts of cybersecurity-related events
Categories: Anomalies and events, continuous monitoring, detection processes

Function: Respond
Definition: Incident-response activities
Categories: Response planning, communications, analysis, mitigation, improvements

Function: Recover
Definition: Business continuity plans to maintain resilience and recover capabilities after a cyber breach
Categories: Recovery planning, improvements, communications
Framework Components – Tiers
Implementation Tiers help create a context that enables organizations to understand how their current cybersecurity risk-management capabilities stack up against the characteristics described by the Framework.
Tier 1: Partial
• Risk-management is ad hoc, with limited awareness of risks and no collaboration with others
Tier 2: Risk Informed
• Risk-management processes and program are in place but are not integrated enterprise-wide; collaboration is understood but organization lacks formal capabilities
Tier 3: Repeatable
• Formal policies for risk-management processes and programs are in place enterprise-wide, with partial external collaboration
Tier 4: Adaptive
• Risk-management processes and programs are based on lessons learned and embedded in culture, with proactive collaboration
Framework Components – Profile
The Profile component enables organizations to align and improve cybersecurity practices based on their individual business needs, tolerance for risk, and available resources.
[Figure labels: Current Profile, Target Profile, Identify Gaps]
• Organizations will assess their “Current Profile” by measuring their existing programs against the recommended practices in the Framework Core.
• Organizations then identify a “Target Profile” that focuses on the Framework Core categories and subcategories that align to the organization’s desired cybersecurity outcomes.
• A comparison of the Current State Profile and Target State Profile will identify the gaps that should be closed to enhance cybersecurity and provide the basis for a prioritized roadmap.
How current cybersecurity compares with the CSF.
To compare how the security programs of survey respondents achieve the recommended CSF guidelines, we identified key responses to this year’s US State of Cybercrime Survey questions that correspond with best practices as prescribed by the CSF’s Core functions.
• Identify: Know how to manage risks to systems, assets, data, & capabilities
• Protect: Controls & safeguards to protect assets and deter threats
• Detect: Continuous monitoring & real-time alerts of events
• Respond: Policies & activities necessary for prompt responses to incidents
• Recover: Business continuity plans to maintain resilience & recover capabilities after a breach
Most respondents’ cybersecurity programs lack key components of the Framework’s Core guidelines (cont.)
We found that the vast majority of respondents’ cybersecurity programs fall very short of the CSF guidelines.
Practices, policies, & technologies in place
Identify
Program to identify sensitive assets
Prioritize security investments based on risk/impact to business strategy
38%
Hired a Chief Security Officer (CSO) or Chief Information Security Officer (CISO)
28% 8%
Supply chain risk management program
Protect 49%
Identity management tools
44%
Data Loss Prevention technology Incident response team
31%
Most respondents’ cybersecurity programs lack key components of the Framework’s Core guidelines (cont.)
Implementation of critical detection practices and technologies is particularly weak.
Practices, policies, & technologies in place
Detect
40%
Vulnerability management
33%
Cyber threat intelligence analysis
26%
Use of SIEM technologies
Respond Have formal policies & procedures for reporting & responding to cyber events
54%
Participate in Information Sharing & Analysis Centers (ISACs)
25%
Computer forensics
25% Recover 53%
Have a methodology to determine effectiveness of security
Have satisfactory outside communications firms (PR, crisis management)
20%
Benefits beyond improved cybersecurity
Beyond the improved cybersecurity posture, NIST CSF can deliver ancillary benefits including:
• Effective collaboration and communication of security posture with executives and industry organizations
• Potential future improvements in legal exposure and even assistance with regulatory compliance
• Enabling security leaders to effectively communicate security practices, goals, and compliance requirements with third-party partners, service providers, and regulators
Cybersecurity: The New Reality
Putting cybersecurity into perspective
• Cybersecurity represents many things to many different people
• Key characteristics and attributes of cybersecurity:
  ─ Broader than just information technology and not limited to just the enterprise
  ─ Increasing attack surface due to technology connectivity and convergence
  ─ An ‘outside-in view’ of the threats and potential impact facing an organization
  ─ Shared responsibility that requires cross functional disciplines in order to plan, protect, defend and respond
The cyber challenge now extends beyond the enterprise
Global Business Ecosystem
Traditional boundaries have shifted; companies operate in a dynamic environment that is increasingly interconnected, integrated, and interdependent.
• The ecosystem is built around a model of open collaboration and trust—the very attributes being exploited by an increasing number of global adversaries.
• Constant information flow is the lifeblood of the business ecosystem. Data is distributed and dispersed throughout the ecosystem, expanding the domain requiring protection.
• Adversaries are actively targeting critical assets throughout the ecosystem—significantly increasing the exposure and impact to businesses.
Years of underinvestment in security have impacted organizations’ ability to adapt and respond to evolving, dynamic cyber risks.
[Figure label: Pressures and changes which create opportunity and risk]
Profiles of threat actors

Adversary: Nation State
Motives:
• Economic, political, and/or military advantage
Targets:
• Trade secrets
• Sensitive business information
• Emerging technologies
• Critical infrastructure
Impact:
• Loss of competitive advantage
• Disruption to critical infrastructure

Adversary: Organized Crime
Motives:
• Immediate financial gain
• Collect information for future financial gains
Targets:
• Financial / Payment Systems
• Personally Identifiable Information
• Payment Card Information
• Protected Health Information
Impact:
• Costly regulatory inquiries and penalties
• Consumer and shareholder lawsuits
• Loss of consumer confidence

Adversary: Hacktivists
Motives:
• Influence political and/or social change
• Pressure business to change their practices
Targets:
• Corporate secrets
• Sensitive business information
• Information related to key executives, employees, customers & business partners
Impact:
• Disruption of business activities
• Brand and reputation
• Loss of consumer confidence

Adversary: Insiders
Motives:
• Personal advantage, monetary gain
• Professional revenge
• Patriotism
Targets:
• Sales, deals, market strategies
• Corporate secrets, IP, R&D
• Business operations
• Personnel information
Impact:
• Trade secret disclosure
• Operational disruption
• Brand and reputation
• National security impact
Evolving perspectives
Considerations for businesses adapting to the new reality

Scope of the challenge
• Historical IT Security Perspectives: Limited to your “four walls” and the extended enterprise
• Today’s Leading Cybersecurity Insights: Spans your interconnected global business ecosystem

Ownership and accountability
• Historical IT Security Perspectives: IT led and operated
• Today’s Leading Cybersecurity Insights: Business-aligned and owned; CEO and board accountable

Adversaries’ characteristics
• Historical IT Security Perspectives: One-off and opportunistic; motivated by notoriety, technical challenge, and individual gain
• Today’s Leading Cybersecurity Insights: Organized, funded and targeted; motivated by economic, monetary and political gain

Information asset protection
• Historical IT Security Perspectives: One-size-fits-all approach
• Today’s Leading Cybersecurity Insights: Prioritize and protect your “crown jewels”

Defense posture
• Historical IT Security Perspectives: Protect the perimeter; respond if attacked
• Today’s Leading Cybersecurity Insights: Plan, monitor, and rapidly respond when attacked

Security intelligence and information sharing
• Historical IT Security Perspectives: Keep to yourself
• Today’s Leading Cybersecurity Insights: Public/private partnerships; collaboration with industry working groups
Adapting to the New Reality
Keeping pace with the new reality
Operating in the global business ecosystem requires you to think differently about your security program and investments.

Engage and commit with the business
• Leadership, ownership, awareness and accountability for addressing the cyber-risks that threaten the business
• Business alignment and enablement of objectives

Rationalize and prioritize investments
• Critical assets are constantly evaluated given they are fundamental to the brand, business growth and competitive advantage
• Threats and impact to the business are considered as investment activities are contemplated

Transform and execute the security program
• New and enhanced capabilities are needed to meet the ever changing cybersecurity challenges
• A comprehensive program includes cross functional coordination and collaboration
• The security implications related to the convergence of Information Technology, Operational Technology and Company Products and Services are addressed

[Figure labels: Board, Audit Committee, and Executive Leadership; Investment Activities; Projects and Initiatives; Functions and Services; Security Strategy and Roadmap; Security Program, Resources and Capabilities; Resource Prioritization; Risk and Impact Evaluation; Business Alignment and Enablement]
Why organizations have not kept pace
Years of underinvestment in certain areas have left organizations unable to adequately adapt and respond to dynamic cyber risks.
[Figure labels: Board, Audit Committee, and Executive Leadership Engagement; Product & Service Security; Threat Modeling & Scenario Planning; Critical Asset User Identification and Administration Protection; Ecosystem & Supply Chain Security; Public/Private Information Sharing; Monitoring and Detection; Technology Debt Management; Privileged Access Management; Incident and Crisis Management; Global Security Operations; Technology Adoption and Enablement; Process and Technology Fundamentals; Notification and Disclosure; Threat Intelligence; Patch & Configuration Management; Secure Mobile and Cloud Computing; Operational Technology Security; Physical Security; Insider Threat; Breach Investigation and Response; Security Technology Rationalization; Compliance Remediation; Resource Prioritization; Risk and Impact Evaluation; Business Alignment and Enablement; Security Culture and Mindset; Security Strategy and Roadmap; Security Program, Functions, Resources and Capabilities]
Have you kept pace?
Questions to consider when evaluating your ability to respond to the new challenges.

Identify, prioritize, and protect the assets most essential to the business
• Have you identified your most critical assets and know where they are stored and transmitted?
• How do you evaluate their value and impact to the business if compromised?
• Do you prioritize the protection of your crown jewels differently than other information assets?

Understand the threats to your industry and your business
• Who are your adversaries and what are their motivations?
• What information are they targeting and what tactics are they using?
• How are you anticipating and adapting your strategy and controls?

Evaluate and improve effectiveness of existing processes and technologies
• Have you patched and upgraded your core platforms and technology?
• How are you securing new technology adoption and managing vulnerability with your legacy technology?
• Have you evolved your security architecture and associated processes?

Enhance situational awareness to detect and respond to security events
• How are you gaining visibility into internal and external security events and activities?
• Are you applying correlation and analytics to identify patterns or exceptions?
• How do you timely and efficiently determine when to take action?

Develop a cross-functional incident response plan for effective crisis management
• Have your business leaders undertaken cyberattack scenario planning?
• Do you have a defined cross functional structure, process and capability to respond?
• Are you enhancing and aligning your plan to ongoing business changes?

Establish values and behaviors to create and promote security effectiveness
• How is leadership engaged and committed to addressing cyber risks facing the business?
• What sustained activities are in place to improve awareness and sensitivity to cyber risks?
• How have your business practices evolved to address the threats to your business?
Take a strategic approach to cybersecurity: Five key steps
Remember that support from executive leaders and the Board will be critical to implementing these steps and the ongoing success of the cybersecurity program.
1. Ensure that your cybersecurity strategy is aligned with business objectives and is strategically funded
2. Identify your most valuable information assets, and prioritize protection of this high-value data
3. Understand your adversaries, including their motives, resources, and methods of attack
4. Assess cybersecurity of third parties and supply chain partners, and ensure they adhere to your security policies and practices
5. Collaborate with others to increase awareness of cybersecurity threats and response tactics
How We Can Help
We can help you understand your dynamic cyber challenges, adapt and respond to risks, and protect the assets most critical to the business.

Industry and sector aligned solutions
We combine our industry specific experience and perspectives to address relevant trends, challenges and opportunities our clients face in their industry and the markets they serve.

Business led approach – diverse capabilities
We leverage and integrate our business, technical, regulatory, analytical, and investigative knowledge and know-how to deliver actionable and sustainable solutions.

Align with the business
Prioritize investments, allocate resources, and align security capabilities with the strategic imperatives and initiatives of the organization.

Manage risk and regulations
Efficiently and effectively identify, evaluate and manage risk to the business while addressing the evolving regulatory requirements.

Adapt to the future
Assess the opportunities and security related risks of new technology adoption and dynamically changing business models.

Address threats and weaknesses
Anticipate changes in the risk landscape through situational awareness of the internal and external factors impacting the business ecosystem.

Anticipate and respond to security crises
Plan, detect, investigate, and react timely and thoroughly to security incidents, breaches and compromises.

Secure by design
Create sustainable security solutions to provide foundational capabilities and operational discipline.

Enable secure access
Provide integrated and secure processes, services, and infrastructure to enable appropriate controls over access to critical systems and assets.

Safeguard critical assets
Identify, prioritize, and protect sensitive or high value business assets.
Questions?
September 2010
For more information on Cybersecurity…
www.pwc.com/cybersecurity
− Results of 2014 Global State of Information Security
− 2014 US State of Cybercrime Survey Whitepaper
− 10Minutes on the stark realities of cybersecurity
− Why you should adopt the NIST Cybersecurity Framework
− Cyber economic espionage in corporate America: What comes next?
− PwC’s cyber video series
Questions?
Gary Loveland, PwC, Principal, (949) 437-5380
Peter Durojaiye, PwC, Manager IT SP&R, (310) 529-4693
Caesar J. Sedek, PwC, Manager IT SP&R, (213) 407-1810

© 2014 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC US refers to the US member firm, and PwC may refer to either the PwC network of firms or the US member firm. Each member firm is a separate legal entity. Please see www.pwc.com/strucutre for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. PricewaterhouseCoopers has exercised reasonable care in the collecting, processing, and reporting of this information but has not independently verified, validated, or audited the data to verify the accuracy or completeness of the information. PricewaterhouseCoopers gives no express or implied warranties, including but not limited to any warranties of merchantability or fitness for a particular purpose or use and shall not be liable to any entity or person using this document, or have any liability with respect to this document. This report is intended for internal use only by the recipient and should not be provided in writing or otherwise to any other third party without PricewaterhouseCoopers express written consent. April 2014