Takeaways from a Simulated Cyber Attack

1. MARCH 1, 2018 Summary Report Cyber attack simulation exercise

2. 1 Copyright©2017byTheBostonConsultingGroup,Inc.Allrightsreserved. The CyberCanada attack simulation exercise was attended by 100+ Canadian leaders representing a wide-range of organizations from both the private and public sector. Some of the views shared by participants, and captured here, may appear to be conflicting. This is a reflection of different opinions voiced and/or differences between the various individuals and groups represented. A short recap of the learning objectives, feedback shared by attendees during the module readouts, and questions to consider asking your organizations have been included in this short report. To ensure privacy, opinions have not been attributed to any individuals. A brief summary of the discussions during the CyberCanada attack simulation exercise

3. 2 Copyright©2017byTheBostonConsultingGroup,Inc.Allrightsreserved. Recap: the Table Top eXercise (TTX) had specific learning objectives Experience what your management team goes through when under cyberattack • Basic cybersecurity concepts • Cybersecurity as a strategic business risk • The impacts of people, culture, process, procedures and technology on cyber resilience • How to advance cyber resilience beyond the technical part The Experience Understand by doing

4. 3 Copyright©2017byTheBostonConsultingGroup,Inc.Allrightsreserved. Module 1: The Compromise Strengths and weaknesses of CEO's communications • Strengths: out in front, confident, clear, available, took ownership • Weaknesses: other management was not informed, too much information was shared, not enough assurance, not genuine enough, lack of preparation, false statements made Responsibilities of the Management Board • Ensure business continuity • Determine regulatory reporting requirements • Decide on internal communications • Get handle on scope, control the message • Engage the Board What will you do next? • Impact assessment from BUs + Functions • Determine what insurance the company has • Consult legal counsel • Solicit Public Relations support • Determine recovery and comms plans • Determine plan of action • Decide what should be the cadence for updates Summary of responses shared during Module 1 3 2 1

5. 4 Copyright©2017byTheBostonConsultingGroup,Inc.Allrightsreserved. Module 2: The Briefing Views regarding ransom payment and who should make the decision • Much disagreement on whether or not to pay the ransom • Ransom payment considerations: assess the financial impact with cost/benefit analysis, will we get back the data, can operations resume without paying, who is the attacker, ask for extension on deadline, discuss with law enforcement • Who should make decision: some said Board should decide, others said C-Suite should decide with advice from Board Thoughts on engaging the community • Engage the entire ecosystem • Third parties: cybersecurity consultants, legal, PR, insurance, law enforcement, call centers, ransom negotiator • Stakeholders: employees, customers, partners, suppliers, shareholders, government, regulators What are next steps? • Assess the business impact and set long-term strategy • Get back to operations, assign responsible parties • Look at the culture that allowed this to happen • Fire the CEO 3 2 1 Summary of responses shared during Module 2

6. 5 Copyright©2017byTheBostonConsultingGroup,Inc.Allrightsreserved. Module 3: The Response Experts you would contact during a cyber attack and when • Engage law enforcement early; they have intel • Crisis response consultants and forensics teams can help • Different responses for different jurisdictions and industries • Prepare before the attack: meet with law enforcement and establish the relationship beforehand • Collaborate with industry partners Following this exercise, what will you do differently? • Ask the organization questions about cybersecurity • Raise cybersecurity to the Board level • “Culture is to punish the victim” has to stop • Establish relationships with law enforcement and national CERT • Don't wait for an attack to happen, plan incident response now • Set cybersecurity long-term vision/strategy; and be agile • Cybersecurity is not a cost center; it's a business enabler How has digitalization impacted cybersecurity and business strategy? • Increased the number of unknowns and interdependencies • Has caused information overload creating a need to educate the public • IoT has increased the risk by increasing the attack surface Summary of responses shared during Module 3 3 2 1

7. 6 Copyright©2017byTheBostonConsultingGroup,Inc.Allrightsreserved. Key questions you should be asking your organization Crown jewels How does your organization know which systems, data, and assets have the most value and do you conduct tests on breaching those systems? Technology How are the users of your cybersecurity tools properly trained on how to get the best results from them? Culture How is cybersecurity ingrained into the culture of your organization the same way as safety, quality, ethics and compliance? Third parties How do you secure suppliers, acquisitions, business partners, and customers with the same rigor as you secure your enterprise? Design for Cyber How are your products, networks, and systems designed with cybersecurity in mind—from the first design concept meeting through every stage? Business enabler How have you integrated cybersecurity into your business strategy so that your business can safely and securely innovate and grow faster? Consequences How do you optimize your budget between reducing vulnerabilities and reducing the consequences of a breach? Preparation What kind of plans do you have in place for incident response, business continuity & disaster recovery? Do you regularly practice executing these plans?

8. 7 Copyright©2017byTheBostonConsultingGroup,Inc.Allrightsreserved. Boards are in a unique strategic position to improve cyber resilience. And they are ultimately responsible for cyber risk in their companies BCG jointly with the Forum established 10 Board Principles for cyber resilience • Responsibility for Cyber Resilience • Command of the Subject • Accountable officer • Integration of Cyber Resilience • Risk assessment and reporting • Risk appetite • Resilience plans • Community • Review • Effectiveness See also the Forum's comprehensive report on "Advancing Cyber Resilience: Principles and Tools for Boards" (2017) Source: BCG and World Economic Forum See the publication at: http://www3.weforum.org/docs/IP/2017/Adv_Cyber_Resilience_Principles-Tools.pdf 1 2 3 4 6 5 8 7 9 10

9. 8 The services and materials provided by The Boston Consulting Group (BCG) are subject to BCG's Standard Terms (a copy of which is available upon request) or such other agreement as may have been previously executed by BCG. BCG does not provide legal, accounting, or tax advice. The Client is responsible for obtaining independent advice concerning these matters. This advice may affect the guidance given by BCG. Further, BCG has made no undertaking to update these materials after the date hereof, notwithstanding that such information may become outdated or inaccurate. The materials contained in this presentation are designed for the sole use by the board of directors or senior management of the Client and solely for the limited purposes described in the presentation. The materials shall not be copied or given to any person or entity other than the Client (“Third Party”) without the prior written consent of BCG. These materials serve only as the focus for discussion; they are incomplete without the accompanying oral commentary and may not be relied on as a stand-alone document. Further, Third Parties may not, and it is unreasonable for any Third Party to, rely on these materials for any purpose whatsoever. To the fullest extent permitted by law (and except to the extent otherwise agreed in a signed writing by BCG), BCG shall have no liability whatsoever to any Third Party, and any Third Party hereby waives any rights and claims it may have at any time against BCG with regard to the services, this presentation, or other materials, including the accuracy or completeness thereof. Receipt and review of this document shall be deemed agreement with and consideration for the foregoing. BCG does not provide fairness opinions or valuations of market transactions, and these materials should not be relied on or construed as such. Further, the financial evaluations, projected market and financial information, and conclusions contained in these materials are based upon standard valuation methodologies, are not definitive forecasts, and are not guaranteed by BCG. BCG has used public and/or confidential data and assumptions provided to BCG by the Client. BCG has not independently verified the data and assumptions used in these analyses. Changes in the underlying data or operating assumptions will clearly impact the analyses and conclusions. Copyright©2017byTheBostonConsultingGroup,Inc.Allrightsreserved.

10. bcg.com