From supply chain and natural hazards to ransomware and risk management processes, APAC risk managers face multi-faceted compliance requirements

Australia: Updated SOCI Act

The Security of Critical Infrastructure Act (SOCI Act), first introduced in 2018, has been updated with new Risk Management Program (RMP) requirements.

Following a period of consultation at the end of last year, the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (CIRMP Rules) have now been registered under the SOCI Act.

The Rules commenced on 17 February 2023, kicking off a six-month grace period during which responsible entities for relevant critical infrastructure assets (CIA) will need to put in place a critical infrastructure risk management program (CIRMP).

The CIRMP must be signed off by the entity’s board, and is required to be regularly reviewed and reported on annually.

“One of the biggest impacts of the amendments to the SOCI Act is the broadening of its application to 11 sectors across the economy,” Susan Kantor, special counsel, MinterEllison – with colleagues Donna Worthington, partner, risk and regulatory, and Shannon Sedgwick, partner, cyber security – told StrategicRISK.

For organisations in sectors that were previously not subject to strict cyber and risk management obligations, there may need to be a significant uplift to existing cyber security and risk programmes, to enable compliance with the requirements, said Kantor and colleagues.

“The new cyber reporting obligations, which largely apply across the board, are now the strictest reporting timeframes in Australia,” they added.

Singapore: Ransomware threat

Cybercrime made up 48 percent of all crimes committed in Singapore in 2020, while ransomware attacks increased in frequency during 2021, according to the Cyber Security Agency of Singapore (CSA).

In November 2020, Singapore’s Counter Ransomware Task Force (CRTF), which was set up to bring together Singapore Government agencies across relevant domains to strengthen Singapore’s counter-ransomware efforts, released a report.

The report stated that “the ransomware threat has made evident the need to ensure that regulatory gaps are addressed so that illicit ransom flows can be traced and the abuse of virtual assets stopped”.

“Singapore’s CRTF basically recognises and acknowledges the cross-border and cross-domain challenges posed by the growing ransomware threat,” said Peggy Chow, data and cyber security law specialist at Herbert Smith Freehills and Kenji Lee, data and cyber security law specialist at Herbert Smith Freehills Prolegis. “It then sets out a government-wide blueprint for agencies to counter ransomware effectively.

“In particular, the CRTF report highlights Singapore’s national position that the payment of ransoms to ransomware attackers is strongly discouraged. In line with this approach, we expect the various agencies to provide more detailed guidance on ransom payments, including the potential mandatory reporting of ransomware payments in Singapore.”

While cyber insurance will remain a key pillar in Singapore’s counter-ransomware efforts, the CRTF recognises that insurance coverage of ransomware payments creates distorted incentives: policyholders are more likely to pay ransoms when they are insured, which in turn fuels the ransomware industry.

Hong Kong: Operational risk management

In June 2022, the Hong Kong Monetary Authority (HKMA) announced several regulatory updates, including a revised supervisory policy on operational risk management.

The revised supervisory policy manual module (OR-1) on operational risk management implements the updated principles for sound management of operational risk. The revised policy should be implemented by all authorised institutions (AIs) no later than January 25, 2024.

Kishore Bhindi, counsel for the Financial Regulation Group and Albert Yuen, Counsel & Head of Technology, Media & Telecoms, both at Linklaters in Hong Kong, said the new OR-1 distils the HKMA expectations on operational risk management into the creation of a single operational resilience management framework or ‘ORMF’ which needs to be fully integrated into AIs’ overall risk management processes.

Operational risks have become an increasingly complex issue, especially as reliance on automated technology grows, products become more complex, and the outsourcing of functions accelerates.

“Failure to implement proper processes and procedures to control operational risks has resulted in significant operational losses for some AIs and caused major reputational harm.

“Risk managers should also be aware of the focus on ensuring that there is an established risk culture and proper processes at all levels of the AIs.

“While the board will be responsible for its implementation and for developing the risk appetite and tolerance statement, there is an emphasis on making sure these elements are easy to understand for all stakeholders so that they can be communicated throughout the firm at all levels, in order to ensure operational risk management is properly embedded,” added Bhindi and Yuen.