At a recent press event in Hong Kong, insurer AIG said that it received an 87% spike in enquiries about cyber policies in the wake of the WannaCry ransomware incident earlier this year.

Even so, the message from the insurance industry is that companies need to start taking cybersecurity more seriously. “This is no longer an IT issue,” said John Kelly, AIG’s head of liability and financial lines for Greater China, Australasia and Korea. “Cyber is a board-level issue. It’s too important to ignore.”

High-profile incidents might scare some businesses into action, but regulation is likely to prove a more effective tactic. Companies are typically reluctant to admit that their networks have been hacked or their customers’ data stolen, so laws requiring companies to disclose such breaches can help escalate the issue to the level of senior executives and board members.

Breach notification rules were first adopted in the US in 2003 and in the EU in 2009, and are now arriving in Asia, including new requirements in China and Japan. However, the wildly different requirements and thresholds across the region are already creating problems for companies that become victims of security breaches.

“It’s a very uncertain process compared to the US,” said Anna Gamvros, a partner at Norton Rose Fulbright and co-head of the technology and innovation practice, who recently advised a client on a global breach. “Staying on top of the regulations can be difficult for companies. It’s important to have a plan in place.”

In some cases, notification periods are far too short. In the Philippines, for example, notification is required within three days — when companies are still likely to be getting to the bottom of what has happened, let alone being ready to inform customers. Some places are even worse. In Singapore, which is positioning itself as a fintech hub, the Monetary Authority of Singapore has instructed financial institutions to report all security breaches within one hour of their discovery.

Rules that are impossible to comply with are as useless as rules that aren’t enforced, so it is to be hoped that Asian regulators and lawmakers will move towards something approaching common standards that reduce the compliance challenge for companies and create a more reliable basis for enforcement.

What many Asian businesses may not realise, however, is that they are potentially already under the aegis of US and European data privacy and breach notification laws if they handle customer information belonging to citizens in those jurisdictions.

While some aspects of Singapore’s approach still need to be ironed out, the situation is better than in Hong Kong, where there isn’t even a cybersecurity bill on the horizon.

With such a disparate array of rules and regulations around the region, it is all the more important that in-house lawyers have a good plan in place before a cyber incident occurs.

[sharethis]
Tags: Cyber Security
Related Articles by Firm
Statutory Registration of Standard Terms and Conditions in Tanzania
All companies doing business in Tanzania should know the salient points of the Standard Form (Consumer Contracts) Regulations 2014 which takes effect on 29 December 2015.
Tanzania Bill Establishing the Petroleum Act 2015
Tanzania's proposed Petroleum Act 2015 introduces key changes to the Petroleum Exploration and Production Act 1980 and the Petroleum Act 2008.
Clasis Law (India) Newsletter August 2015
Analysis of the revocation of a company's drug patent and other key court rulings and updates on corporate and commercial matters
The new CIETAC Arbitration Rules 2015
The New Rules adopt both best practices and the latest developments in international commercial arbitration and accommodate the increasing needs of the parties arbitrating at CIETAC.
Tanzania: Prospecting for and mining of radioactive minerals
New uranium mining projects have recently been announced in Tanzania. This briefing looks at the legislative framework surrounding radioactive minerals in Tanzania.
Related Articles
Adding value to M&A deals
A lively panel of general counsel discussed the issue at the IBA’s M&A conference in Hong Kong.
Benchmarking the in-house team’s evolution
Lawyers are increasingly expected to be much more actively involved in risk management, technology, strategy and project management.
Berwin Leighton Paisner and Bryan Cave in talks to merge
The two firms have confirmed they are in discussions about combining to create a new, fully integrated, global law firm ...
Related Articles by Jurisdiction
Latest Articles
UAE VAT Executive Regulation Update: Free Zone Guidance
The UAE Ministry of Finance has announced the Executive Regulation for the Federal Decree-Law ...
Canada: Intellectual Property Bulletin
The New Patented Medicines (Notice of Compliance) Regulations and Certificate of Supplementary Protection Regulations ...
Asset searches in the digital age
Social media and other technology are changing the way asset searches are conducted in a dispute ...