High profile data breaches and cyber attacks of companies like Target, Sony and eBay have brought cyber risk to the top of many boardrooms agendas. But it’s not just big-name brands that are at risk
The big mover in this year’s StrategicRISK Asia Risk Report, despite being a bigger problem in survey is the number five risk ‘targeted cyber attack’, which rocketed up from ninth place in 2014.
Chief security officer and advisor for Microsoft Asia Pierre Noel knows all about this challenge and says the jump in ranking for cyber risk is “recognition of the intensity of the problem, as well as the lack of visibility from the majority of organisations”.
Australia-based Scentre Group chief risk officer Eamonn Cunningham is also not surprised by the jump in the rating for cyber risk. “All enterprises should regard this as a matter of ‘when’ rather than ‘if’,” Cunningham says.
Similarly, the second vice-president of the Risk and Insurance Management Association of Singapore and convenor of Singapore’s National Risk Management Working Group Daniel Tan Kuan Wei says it is “not surprising to see the big jump with the relentless attacks on companies worldwide”.
Associate vice president in the risk management and auditing office of Qisda, Danny Lin, says the worst of these events “such as Target, Sony Pictures, and iCloud” show that cyber attacks are on the rise against all industries.
Jeffrey Yeo, assistant director, Office of Enterprise Risk Management Nanyang Technological University, points out that the FBI now ranks cybercrime as one of its top law enforcement priorities.
“With more and more cases being reported in the media, corporate entities are now taking this more seriously than before, especially the catastrophic financial and reputational impacts of these entities,” he says.
FireEye Asia director of system engineering Steve Ledzian cautions that cyber risk is widely misunderstood in the region compared to the rest of the world. “Organisations in Asia are very interesting targets,” Ledzian said. “There is a lot going on in this region which makes organisations very valuable for attacks.”
The good news is that greater harmonisation of data protection laws across the region are starting to become a reality. ASEAN has stated its commitment to implementing standardised rules across its group of 10 countries. The South Korean government has issued new amendments to existing data protection laws, while Singapore and Malaysia have also implemented new ‘European-style’ privacy laws. Hong Kong and the Philippines also have privacy legislation.
In China, consumer protection laws have been amended to include data privacy principles. This is good news because Chinese businesses are at “ground zero” when it comes to cyber security, according to Lockton Singapore boss Peter Jackson. He says local players are “not aware” of the risks they are leaving themselves exposed to. “Their insurance policy purchasing is also pretty weak – even in quite big businesses – and a lot of that is because many of those businesses have grown organically very quickly and their sophistication in risk management isn’t as strong as it ought to be and it’s having to catch up,” he says.
Jackson says that catch-up will be largely driven by regulation. But with the Chinese government’s alleged hacks of global government databases, many commentators believe data breach notification laws are far from the agenda.
Jackson says: “If [cyber attacks] start to hurt Chinese business and Chinese interests then [the government] will put focus there.”