At a recent press event in Hong Kong, insurer AIG said that it saw an 87% spike in enquiries about cyber policies in the wake of the WannaCry ransomware incident earlier this year.
Even so, the message from the insurance industry is that companies need to start taking cybersecurity more seriously. “This is no longer an IT issue,” said John Kelly, AIG’s head of liability and financial lines for Greater China, Australasia and Korea. “Cyber is a board-level issue. It’s too important to ignore.”
High-profile incidents might scare some businesses into action, but regulation is likely to prove a more effective tactic. Companies are typically reluctant to admit that their networks have been hacked or their customers’ data stolen, so laws requiring companies to disclose such breaches can help escalate the issue to the level of senior executives and board members.
Breach notification rules were first adopted in the US in 2003 and in the EU in 2009, and are now arriving in Asia, including new requirements in China and Japan. However, the wildly different requirements and thresholds across the region are already creating problems for companies that become victims of security breaches.
“It’s a very uncertain process compared to the US,” said Anna Gamvros, a partner at Norton Rose Fulbright and co-head of the technology and innovation practice, who recently advised a client on a global breach. “Staying on top of the regulations can be difficult for companies. It’s important to have a plan in place.”
In some cases, notification periods are far too short. In the Philippines, for example, notification is required within three days — when companies are still likely to be getting to the bottom of what has happened, let alone being ready to inform customers. Some places are even worse. In Singapore, which is positioning itself as a fintech hub, the Monetary Authority of Singapore has instructed financial institutions to report all security breaches within one hour of their discovery.
Rules that are impossible to comply with are as useless as rules that aren’t enforced, so it is to be hoped that Asian regulators and lawmakers will move towards something approaching common standards that reduce the compliance challenge for companies and create a more reliable basis for enforcement.
What many Asian businesses may not realise, however, is that they are potentially already under the aegis of US and European data privacy and breach notification laws if they handle customer information belonging to citizens in those jurisdictions.
While some aspects of Singapore’s approach still need to be ironed out, the situation is better than in Hong Kong, where there isn’t even a cybersecurity bill on the horizon.
With such a disparate array of rules and regulations around the region, it is all the more important that in-house lawyers have a good plan in place before a cyber incident occurs.