5 August 2024

6 min read

Full disclosure | S-RM discusses the cyber regulatory landscape – part 4, Asia

Cyber regulatory landscape in Asia

Welcome to the final episode in our four-part podcast series, Full disclosure, where we explore key cyber regulatory challenges across different regions – UK, Europe, US, and Asia.

In this episode, host Matthew Mettenheimer (Associate Director, Cyber Advisory) speaks with Mark Farley (Head of Proactive Services, APAC) and Kyle Schwaeble (Head of Incident Response, APAC) about the cyber regulations impacting businesses in the APAC region.

Listen to the S-RM Insider podcast


The number of sophisticated cyber attacks occurring in the APAC region is increasing, presenting a significant threat to businesses operating there. However, at the same time, we are witnessing a steady trend away from mere data protection towards comprehensive cyber resilience across the region.

Mark Farley states, "The main trend is regulation driving cyber resilience, particularly around critical national infrastructure": the systems, facilities, and networks that are key to the effective functioning of APAC countries, whether in technology, energy, banking, transport, maritime, or healthcare. He elaborates on how Hong Kong, Malaysia, and Singapore are all introducing or expanding cyber security laws in 2024. Matthew Mettenheimer comments, "As the region gets more of a spotlight, getting ahead of these regulations and understanding which security requirements impact your business will prove crucial".


"At this stage, cyber security budgets in the region haven't necessarily caught up with the evolving threat landscape and certainly not with the regulatory environment," states Kyle Schwaeble. Yet several of these laws grant regulators the authority to actively investigate breaches, requiring companies to provide information and/or facilitate investigations. He hopes that the new and expanding regulations will encourage broader cyber awareness, spurring business leaders to allocate more resources to cyber security in order to mitigate the risk of cyber incidents occurring.


Mark, Matt, and Kyle point out that although many of these laws are aiming at the same thing – building up resilience – there are nuanced differences, particularly around data residency and breach notification requirements. For instance, countries in APAC have varying requirements for data residency, with some mandating that data must remain within the country and others allowing overseas data transfer under specific conditions. Unlike Europe’s GDPR, APAC does not have a single, consolidated piece of data protection regulation, making it challenging for multinational companies to achieve compliance across several jurisdictions. Similarly, when it comes to notification of cyber-related incidents, incident response plans must be tailored to the regulatory specifics of each country. Kyle offers a stark illustration: "In India, for example, notification of a data breach is required within six hours of its identification". "Six hours for notification is the fastest timeline I've seen around the globe so far," Matthew remarks in response.

SMEs in focus

Many of the regulations indirectly impact small and medium enterprises (SMEs) by compelling larger organisations to impose stricter cyber security standards on their suppliers. Mark and Kyle both stress the importance of extending cyber security resilience to SMEs, which are often targeted because of their typically weaker security postures, yet are relied upon by larger organisations within their supply chains. "A lot of instances recently have stemmed from SMEs which haven't been under regulation," Mark comments. And, although there is a cascading effect from these regulations, "Cyber awareness among SMEs isn't where it should be," Kyle remarks, underscoring the need to extend cyber security education and awareness to smaller businesses. With third-party risk in mind and reflecting on the recent global CrowdStrike outage, Matthew notes that this is a timely reminder of the importance of business continuity and disaster recovery planning. He observes, "It's almost comical that these regulations were coming up and focusing on resiliency and business continuity events right before one of the largest IT outages in the history of the globe".

Conclusion

There is a pressing need for businesses in Asia to understand not only which regulatory obligations apply to them but also the nuances of those laws, especially where data residency and breach notification requirements differ. Businesses must adapt accordingly to protect their clients and brand reputation. The new and expanding regulations underscore a regional movement towards robust cyber resilience, aimed at protecting critical national infrastructure. Recent global events have also highlighted the need to assess the risks arising from critical suppliers, especially SMEs. The dynamic regulatory landscape of APAC demands vigilance, investment, and a forward-thinking approach.


Catch-up on all other episodes

Full disclosure | S-RM discusses the cyber regulatory landscape – part 1, the UK

Full disclosure | S-RM discusses the cyber regulatory landscape – part 2, Europe

Full disclosure | S-RM discusses the cyber regulatory landscape – part 3, the US

If you would like to discuss any of the topics raised in this podcast series with the S-RM team, please do not hesitate to contact us.
