Cybersecurity considerations for TMT companies

• Automated software generation: The rapid pace of AI-generated code has led to an increase in software vulnerabilities. This is a significant challenge as the volume of code generated by AI tools is substantial, and ensuring its security is critical. It needs to be secured from the outset.
• Privacy concerns: The use of AI in handling personal data, prompt logs, and data usage raises significant privacy issues. Organizations need to ensure that AI systems comply with various global regulations, such as GDPR and CCPA, to manage and protect personal data responsibly. Some companies are implementing centralized systems to track and manage AI systems handling private data to ensure compliance with regulations.
• Dynamic libraries and SBOMs: The use of dynamic libraries and software bill of materials (SBOMs) in AI increases the threat exposure of software. This dynamic nature makes it challenging to maintain security and track vulnerabilities effectively.

• These include social engineering, phishing, and stolen credentials, which are exploited by bad actors both within enterprises and through hacking products sold by TMT companies. Modern authentication platforms and procedures are required to enhance security.
• Identity will move from access control to trust brokerage. With distributed work and partner ecosystems prevalent at TMT companies, identity threat detection & response will become critical.
• Non-human identities: Address the management of non-human and machine identities in the cybersecurity considerations.
• Anti-ransomware controls: There are a plethora of proactive and reactive measures TMT companies should be employing to protect against ransomware attacks. Many of these are standard components of a robust cybersecurity program.
  • Proactive measures include endpoint detection, response, and protection platforms; secure email and web gateways; multi-factor authentication; and strengthening the human element via strong password practices and awareness training.
  • Reactive measures include ransomware detection tools, network segmentation, and having data recovery and incident response plans.

• Encryption challenges: Quantum computing poses challenges to current encryption mechanisms. TMT companies will have to prepare and implement new encryption keys and certificates that can withstand the computational power of quantum computers. Implementing post-quantum cryptography (PQC) will require careful consideration of algorithm selection, integration with existing systems, and potential performance trade-offs. 2026 may mark the transition from theoretical to tactical PQC.
• Preparation for quantum: By 2030, legacy algorithms like RSA-2048 and ECC-256 will be officially deprecated, and companies are expected to transition to PQC. By 2035, these algorithms will be completely disallowed, according to the NIST standards published in Aug 2024^1. TMT companies will have to switch to quantum-safe certificates using NIST-approved PQC standards for general encryption and digital signatures and should start to inventory their systems and plan migration strategies using Public Key Infrastructure standards.

Third-party risk has become a significant concern due to the global nature of the supply chain and procurement for many TMT companies. Third party/vendor vulnerability and software supply chain attacks are consistent top risks, emphasizing TPRM and scalable trust models. This attack vector highlights the importance of securing the extended network of third-party relationships to protect against potential vulnerabilities and threats.

• Global ecosystem and M&A activities: TMT companies involved in global M&A increase their exposure to third-party risks due to differing cybersecurity regulations and standards across jurisdictions.
• Prime providers to other industries: TMT companies, as providers of foundational products and services to other industries, are attractive targets for attackers due to the scope of access a vulnerability could afford. By maintaining transparency and trust, TMT organizations can further the responsible adoption of their products and services.
• Compromised third parties: Attackers are increasingly targeting third parties through methods like ransomware and malware, which can then impact the primary TMT company’s ability to deliver service.

Client challenge

• The client was seeking to unify the security program that supports all their core products and infrastructure (including AI) under one security portfolio
• Additional goals included engraining security into all offerings and increasing the online safety of their products with enhanced security and privacy controls

KPMG approach

• KPMG assessed global cyber security requirements, privacy and data protection controls, and leading online product safety features
• We leveraged specialized skills across various domains to stand up a vulnerability management program, operationalize identity access management tools and processes, build a GRC framework, and automate the client’s 3^rd party security risk

Client challenges

• The client was preparing for a merger and post-close integration and migration activities, including with the cybersecurity systems
• Major technology debt, redundant processes, gaps in operations and tools for holistic cyber integration
• Strong need for workforce to maintain day-to-day business operations

KPMG actions

• KPMG was engaged to support the development of a multi-faceted cyber integration strategy and roadmap, re-engineer business processes to drive alignment with target standards, establish a technology inventory to support new asset operations, identify, migrate, and integrate data across the two organizations, and provide human capital support to mitigate the impact to day-to-day operations
• Specifically, KPMG provided cybersecurity integration assistance across identity and access management, governance, risk and compliance (GRC), security operations, secure DevOps, and data security