"Deloitte" isn't a single company so there's no such thing as "global standards" for them. Each region and sometimes country is separate. It's not even a real company as it is a partnership so the partners are paying for the work to secure their systems and they would rather have the cash themselves.
But to be fair, this won't be because they've consciously decided to be insecure; they're just too busy raking in oodles of cash to think about it.
Biting the hand that feeds IT
