In the latest edition of StrategicRISK we examine data security, explore the risks in high-tech production and meet Gordon Song - StrategicRISK’s Asia-Pacific Risk Manager of the Year.
In this edition of StrategicRISK Asia-Pacific, we explore the changing cyber risk landscape and consider the human factor inherent in major cyber breach losses. Tellingly, cyber topped the list of concerns in our Australia risk management survey (with the results summarised on pages 4-7).
However, research suggests there has been a degree of complacency among Asian corporates when it comes to addressing cyber threats. Take the length of time before a hack is discovered. Globally the average is 146 days but in Asia, it is an astounding 520 days, according to SWIFT. It is clear that organisations across Asia-Pacific need to up their game.
APAC has experienced a 40% increase in cyber attacks year-on-year – 47% in Southeast Asia. Identity attacks are double the global average, according to ThreatMetrix. And all around the region, stricter data breach notification requirements are coming into place. With these new rules come the significant costs of informing stakeholders about loss of sensitive data, potential regulatory fines and penalties, and crucially, the reputational fallout associated with the bad press that comes with a major breach. For retail organisations, there is also the loss of customer confidence. And as the US has demonstrated, major breaches can lead to shareholder litigation, implicating company directors and officers.
The average total cost of a data breach for ASEAN nations (including Singapore, Indonesia, the Philippines and Malaysia) was $2.29m in 2017, according to the latest research from Ponemon. And those costs are only moving in one direction: up. Ponemon warns that more than one in four organisations will suffer a data breach in the next two years, with Australia and ASEAN ranking third and fourth in breach probability (after South Africa and India). In such a climate, as many jurisdictions prepare for new data protection laws and notification rules, breach resilience has never been more important.
Data protection laws vary significantly across Asia, although there has been significant development in recent years to embrace a European consent-based model. And over time, the region is expected to move towards a more uniform standard of data protection laws, under the Asia-Pacific Economic Cooperation (APEC) Privacy Framework 2005.
In Australia, that time is now. Under the Privacy Amendment (Notifiable Data Breaches) Bill 2016, organisations that lose personal data will have to notify their customers and other stakeholders “as soon as they become aware” a breach has occurred. Regulatory penalties for companies failing to notify affected customers could be as high as $1.8m. The new rules are due to come into effect on 22 February 2018, with an associated rise in data breach costs expected.
It is clear that organisations need to be better prepared and work to become more breach-resilient. Cyber security is just the first line of defence. It needs to be backed up with staff awareness and education, control over employees’ access to data and safeguarding of systems to prevent malicious tampering.
Most of all, organisations need clear breach response plans that are tried and tested, so that senior managers can act quickly in that critical 72-hour window following the discovery of a breach. The burden on risk managers is huge. Cyber is a risk like no other and the goalposts keep moving as the threat evolves.
Tackling it effectively requires close collaboration with all parties across an organisation, including senior managers, IT and HR, as well as an external SWAT team of legal, forensic IT and crisis management experts. Insurance may or may not be part of the solution, but certainly an ongoing dialogue with brokers and cyber underwriters is advisable.