At a recent press event in Hong Kong, insurer AIG said that it received an 87% spike in enquiries about cyber policies in the wake of the WannaCry ransomware incident earlier this year.

Even so, the message from the insurance industry is that companies need to start taking cybersecurity more seriously. “This is no longer an IT issue,” said John Kelly, AIG’s head of liability and financial lines for Greater China, Australasia and Korea. “Cyber is a board-level issue. It’s too important to ignore.”

High-profile incidents might scare some businesses into action, but regulation is likely to prove a more effective tactic. Companies are typically reluctant to admit that their networks have been hacked or their customers’ data stolen, so laws requiring companies to disclose such breaches can help escalate the issue to the level of senior executives and board members.

Breach notification rules were first adopted in the US in 2003 and in the EU in 2009, and are now arriving in Asia, including new requirements in China and Japan. However, the wildly different requirements and thresholds across the region are already creating problems for companies that become victims of security breaches.

“It’s a very uncertain process compared to the US,” said Anna Gamvros, a partner at Norton Rose Fulbright and co-head of the technology and innovation practice, who recently advised a client on a global breach. “Staying on top of the regulations can be difficult for companies. It’s important to have a plan in place.”

In some cases, notification periods are far too short. In the Philippines, for example, notification is required within three days — when companies are still likely to be getting to the bottom of what has happened, let alone being ready to inform customers. Some places are even worse. In Singapore, which is positioning itself as a fintech hub, the Monetary Authority of Singapore has instructed financial institutions to report all security breaches within one hour of their discovery.

Rules that are impossible to comply with are as useless as rules that aren’t enforced, so it is to be hoped that Asian regulators and lawmakers will move towards something approaching common standards that reduce the compliance challenge for companies and create a more reliable basis for enforcement.

What many Asian businesses may not realise, however, is that they are potentially already under the aegis of US and European data privacy and breach notification laws if they handle customer information belonging to citizens in those jurisdictions.

While some aspects of Singapore’s approach still need to be ironed out, the situation is better than in Hong Kong, where there isn’t even a cybersecurity bill on the horizon.

With such a disparate array of rules and regulations around the region, it is all the more important that in-house lawyers have a good plan in place before a cyber incident occurs.

Tags: Cyber Security
Related Articles by Firm
Myanmar Opened its Broadcasting and TV Market
The Broadcasting Law 2015 opens commercial licenses for TV or radio for bidding under an independent supervisory authority. This offers wide opportunities to investors from broadcasting infrastructures to broadcasting services.
Clasis Law (India) Newsletter August 2015
Analysis of the revocation of a company's drug patent and other key court rulings and updates on corporate and commercial matters
The new CIETAC Arbitration Rules 2015
The New Rules adopt both best practices and the latest developments in international commercial arbitration and accommodate the increasing needs of the parties arbitrating at CIETAC.
Tanzania: Prospecting for and mining of radioactive minerals
New uranium mining projects have recently been announced in Tanzania. This briefing looks at the legislative framework surrounding radioactive minerals in Tanzania.
Related Articles
KWM targets Greater Bay Area with international centre
King & Wood Mallesons is getting on board with China’s plan to integrate Hong Kong, Macau and nine cities in Guangdong.
Reed Smith launches “innovation hours” to encourage new ideas
The scheme follows a successful pilot that saw attorneys across the firm devoting hundreds of hours to six projects in 2017.
In-House Community names its Counsels of the Year 2018
In-House Community named NetApp’s Valerie Velasco as its In-House Counsel of the Year at its annual awards dinner last night.
Related Articles by Jurisdiction
Latest Articles
Taylor Root & Asian-mena Counsel Market Update and Salary Guide 2018
Asian-mena Counsel is delighted to partner with Taylor Root once again for their 12th annual report for the in-house legal and compliance sector ...
Global Developments on Best Execution
Currently a hot topic for global regulators, firms are recommended to review their global best execution compliance practices ...
Initial Coin Offerings: Another brainteaser in the virtual currency bandwagon
The position of virtual currencies and ICOs in India remains murky.