Big-4 Consulting · Cyber & Privacy

PwC Cybersecurity Interview Pack

PwC's Cyber, Risk & Resilience practice runs a case-heavy interview loop with strong emphasis on regulatory craft (DORA, NIS2, GDPR) and client storytelling.

// hiring focus
- Cyber Strategy & Transformation - OT / Industrial Cyber - Privacy & Data Protection - Forensics & Incident Response - Financial Crime + Cyber convergence
PwC differentiates from the other Big 4 on privacy + regulatory depth (the legacy of the Strategy& and PwC Legal heritage). The cyber practice partners closely with FS Regulatory and Risk Assurance, so cross-functional fluency is rewarded. The interview process is one of the most case-driven of the Big 4. Expect at least two structured cases and a partner panel that probes both commercial instinct and ethics.
// hiring loop
- Recruiter screen - Online assessments (game-based + situational judgement) - Case interview round (live, 45m) - Partner / Director final — case continuation + behavioural + Q&A - Offer
// interviewer style + signals
Formal, regulator-aware, very UK-FS-inflected at experienced-hire grades. Partners value candidates who can 'sit comfortably with a PRA supervisor'. Expect probing on independence and ethical scenarios (audit-adjacent work).
// recent themes & hot topics
PRA / FCA operational-resilience deadlines, DORA Jan 2025 enforcement, AI assurance practice build-out, NIS2 + UK Cyber Resilience Bill, quantum-safe migration roadmaps for FS, post-Capita / MOVEit third-party programmes.

Sample interview questions

  1. 01

    A FTSE 100 insurer asks you to lead their DORA programme. Walk me through the first 90 days.

    Show strong-answer outline

    Day 1-30: discovery (legal entity mapping, register of ICT 3rd parties, current incident playbook). Day 30-60: gap analysis vs RTS, prioritisation, governance design. Day 60-90: mobilise workstreams, baseline TLPT scope, board update.

  2. 02

    How would you design a privacy programme for a generative-AI product?

    Show strong-answer outline

    Lawful basis review per processing activity, DPIA, training-data lineage + opt-out, output filtering, retention + deletion, vendor DPA review, EU AI Act conformity mapping, transparency notices.

  3. 03

    You discover a client has under-reported a breach to the regulator. What do you do?

    Show strong-answer outline

    Pause + document, escalate to engagement partner and Risk Management, refuse to sign off advice that perpetuates the under-reporting, advise client of obligations, withdraw if not remediated. Independence is non-negotiable.

  4. 04

    Pitch our OT cyber offering to a UK utility CISO.

    Show strong-answer outline

    Lead with NIS2 / OFGEM driver, then offering (Purdue assessment, IDS deployment, IR playbook, board reporting), then differentiation (regulated industries practice, cleared consultants), then commercial.

  5. 05

    Tell me about your most complex stakeholder situation.

    Show strong-answer outline

    STAR with a regulator, board or coalition stakeholder. Show influence, ethics, and a measurable outcome.

Frequently asked questions

Is the case different to MBB?

Yes — usually narrower (cyber-specific) but with deep regulatory texture. Less about market sizing, more about programme design.

Do I need a Big-4 background?

No. PwC actively hires from industry CISO orgs, government and military.

What's the partner round like?

Two partners, 60-75m. Expect 30m case + 30m behavioural + Q&A. Partners take it seriously — prep specific questions for them.

Run the PwC loop as a graded mock

Premium members get the full round structure, signals, and AI-graded practice.

Start free