At a recent press event in Hong Kong, insurer AIG said that it received an 87% spike in enquiries about cyber policies in the wake of the WannaCry ransomware incident earlier this year.

Even so, the message from the insurance industry is that companies need to start taking cybersecurity more seriously. “This is no longer an IT issue,” said John Kelly, AIG’s head of liability and financial lines for Greater China, Australasia and Korea. “Cyber is a board-level issue. It’s too important to ignore.”

High-profile incidents might scare some businesses into action, but regulation is likely to prove a more effective tactic. Companies are typically reluctant to admit that their networks have been hacked or their customers’ data stolen, so laws requiring companies to disclose such breaches can help escalate the issue to the level of senior executives and board members.

Breach notification rules were first adopted in the US in 2003 and in the EU in 2009, and are now arriving in Asia, including new requirements in China and Japan. However, the wildly different requirements and thresholds across the region are already creating problems for companies that become victims of security breaches.

“It’s a very uncertain process compared to the US,” said Anna Gamvros, a partner at Norton Rose Fulbright and co-head of the technology and innovation practice, who recently advised a client on a global breach. “Staying on top of the regulations can be difficult for companies. It’s important to have a plan in place.”

In some cases, notification periods are far too short. In the Philippines, for example, notification is required within three days — when companies are still likely to be getting to the bottom of what has happened, let alone being ready to inform customers. Some places are even worse. In Singapore, which is positioning itself as a fintech hub, the Monetary Authority of Singapore has instructed financial institutions to report all security breaches within one hour of their discovery.

Rules that are impossible to comply with are as useless as rules that aren’t enforced, so it is to be hoped that Asian regulators and lawmakers will move towards something approaching common standards that reduce the compliance challenge for companies and create a more reliable basis for enforcement.

What many Asian businesses may not realise, however, is that they are potentially already under the aegis of US and European data privacy and breach notification laws if they handle customer information belonging to citizens in those jurisdictions.

While some aspects of Singapore’s approach still need to be ironed out, the situation is better than in Hong Kong, where there isn’t even a cybersecurity bill on the horizon.

With such a disparate array of rules and regulations around the region, it is all the more important that in-house lawyers have a good plan in place before a cyber incident occurs.

Tags: Cyber Security
Related Articles by Firm
Myanmar Opened its Broadcasting and TV Market
The Broadcasting Law 2015 opens commercial licenses for TV or radio for bidding under an independent supervisory authority. This offers wide opportunities to investors from broadcasting infrastructures to broadcasting services.
Clasis Law (India) Newsletter August 2015
Analysis of the revocation of a company's drug patent and other key court rulings and updates on corporate and commercial matters
The new CIETAC Arbitration Rules 2015
The New Rules adopt both best practices and the latest developments in international commercial arbitration and accommodate the increasing needs of the parties arbitrating at CIETAC.
Tanzania: Prospecting for and mining of radioactive minerals
New uranium mining projects have recently been announced in Tanzania. This briefing looks at the legislative framework surrounding radioactive minerals in Tanzania.
Related Articles
Old wine in a new bottle — or, thinking about thinking
Partners in law firms should be encouraged to reflect more deeply and know what they are good at — and charge accordingly.
Gender pay gap for law firm partners revealed
Male partners at the world’s top law firms earn almost a third more than their female colleagues, according to a new survey ...
Record number of submissions for In-House Community Counsels of the Year, 2018
Over 90 major In-House teams in Asia and the Middle East have submitted to be long-listed ...
Related Articles by Jurisdiction
Latest Articles
India: Valuation by Registered Valuer
“Price is what you pay, Value is what you get” ...
Data Protection and Cyber Security Law in Thailand
It is perceived that Thailand does not have adequate protection covering this very fast developing environment ...