At a recent press event in Hong Kong, insurer AIG said that it received an 87% spike in enquiries about cyber policies in the wake of the WannaCry ransomware incident earlier this year.

Even so, the message from the insurance industry is that companies need to start taking cybersecurity more seriously. “This is no longer an IT issue,” said John Kelly, AIG’s head of liability and financial lines for Greater China, Australasia and Korea. “Cyber is a board-level issue. It’s too important to ignore.”

High-profile incidents might scare some businesses into action, but regulation is likely to prove a more effective tactic. Companies are typically reluctant to admit that their networks have been hacked or their customers’ data stolen, so laws requiring companies to disclose such breaches can help escalate the issue to the level of senior executives and board members.

Breach notification rules were first adopted in the US in 2003 and in the EU in 2009, and are now arriving in Asia, including new requirements in China and Japan. However, the wildly different requirements and thresholds across the region are already creating problems for companies that become victims of security breaches.

“It’s a very uncertain process compared to the US,” said Anna Gamvros, a partner at Norton Rose Fulbright and co-head of the technology and innovation practice, who recently advised a client on a global breach. “Staying on top of the regulations can be difficult for companies. It’s important to have a plan in place.”

In some cases, notification periods are far too short. In the Philippines, for example, notification is required within three days — when companies are still likely to be getting to the bottom of what has happened, let alone being ready to inform customers. Some places are even worse. In Singapore, which is positioning itself as a fintech hub, the Monetary Authority of Singapore has instructed financial institutions to report all security breaches within one hour of their discovery.

Rules that are impossible to comply with are as useless as rules that aren’t enforced, so it is to be hoped that Asian regulators and lawmakers will move towards something approaching common standards that reduce the compliance challenge for companies and create a more reliable basis for enforcement.

What many Asian businesses may not realise, however, is that they are potentially already under the aegis of US and European data privacy and breach notification laws if they handle customer information belonging to citizens in those jurisdictions.

While some aspects of Singapore’s approach still need to be ironed out, the situation is better than in Hong Kong, where there isn’t even a cybersecurity bill on the horizon.

With such a disparate array of rules and regulations around the region, it is all the more important that in-house lawyers have a good plan in place before a cyber incident occurs.

[sharethis]
Tags: Cyber Security
Related Articles by Firm
Statutory Registration of Standard Terms and Conditions in Tanzania
All companies doing business in Tanzania should know the salient points of the Standard Form (Consumer Contracts) Regulations 2014 which takes effect on 29 December 2015.
Tanzania Bill Establishing the Petroleum Act 2015
Tanzania's proposed Petroleum Act 2015 introduces key changes to the Petroleum Exploration and Production Act 1980 and the Petroleum Act 2008.
Clasis Law (India) Newsletter August 2015
Analysis of the revocation of a company's drug patent and other key court rulings and updates on corporate and commercial matters
Ship arrest in China - Increased clarity from the Supreme People's Court
The Supreme People's Court of the PRC published the Regulations for Certain Issues Concerning the Application of Law Relating to Arrest and Auction of Ships which took effect on March 1, 2015.
The new CIETAC Arbitration Rules 2015
The New Rules adopt both best practices and the latest developments in international commercial arbitration and accommodate the increasing needs of the parties arbitrating at CIETAC.
Related Articles
Former Myanmar deputy finance minister joins Zico
Maung Maung Thein joins as executive chairman of local subsidiary Zico Law Myanmar.
M&A activity set to pick up
After a sluggish first half, activity could increase significantly during the remainder of 2017.
The T-shaped lawyer
Peter Connor explains how you can become more creative, innovative, collaborate more with your business colleagues and add more value for your organisation.
Related Articles by Jurisdiction
Latest Articles
Thailand: New Amendment to the Labor Law
The Labor Protection Act B.E. 2541 (“LPA”) was first enacted in February 1998; the LPA has been amended several times ...
New Ministerial Decision brings clarity to Private Joint Stock Companies
The private joint stock company is one of the forms of company contemplated by UAE Federal Law No. 2 of 2015 concerning commercial companies ...
Former Myanmar deputy finance minister joins Zico
Maung Maung Thein joins as executive chairman of local subsidiary Zico Law Myanmar.