HL Chronicle of Data Protection Privacy & Information Security News & Trends

Cybersecurity Regulation in Asia: The Tightening Lines of Defense

In September, we proudly launched our online client cybersecurity resource portal: Ready, Set, Respond. The portal was designed by our cross-practice team of global practitioners to provide in-house counsel with the tools they need not only to prepare for the inevitable cybersecurity incident, but also to quickly and easily stay up to date on the evolving state of cybersecurity regulation around the world. Today, we’re taking a closer look at the Asia region with our partner Mark Parsons. Visit Ready, Set, Respond for more information or to take advantage of the tools and data available there.

The Regional Context

The past twelve months have seen a number of regulators in the Asia region take a significant step forward in meeting the growing cybersecurity challenge. The reasons why the region’s regulatory response has generally lagged that seen in the West are complex and varied. It does seem clear, however, that public awareness of cyber risks and cybersecurity incidents has been lower in the region than in jurisdictions where data breach notification laws have been in force for some time. This lower awareness has influenced the pace and approach of lawmakers and regulators.

The historic lack of mandatory data breach notification laws has led to an unwarranted perception that cybersecurity risks are correspondingly lower in the Asia region than they are elsewhere. Breach notification laws generally lead to cyber incidents becoming matters of public knowledge, which can cause immediate reputational impacts on businesses themselves. While the Asia region is not generally seen to be as litigious in relation to cyber incidents as the United States — and it is clear that this too is a key variable — the increasingly widespread passage of breach notification requirements in the Asia region in recent years has signaled a change in the regulatory environment that is driving awareness and raising the reputational stakes.

Data breach notification laws are, of course, only as effective as their enforcement and the day-to-day culture of compliance that leads to notifications actually being made. We cannot expect the comparatively recent passage of notification laws to be an immediate solution to cybersecurity risks in the region, particularly given that a number of these laws are voluntary in nature. Cybersecurity regulation, like many other areas of the law, is event-driven. It seems clear, for example, that the current push we are seeing towards more detailed cybersecurity regulation in the financial hub jurisdictions in Asia is influenced by some well-publicized cybercrime incidents earlier this year in Bangladesh and Vietnam involving the SWIFT inter-bank settlements system. In response, the financial services regulators in these key centers have stepped up their oversight of cybersecurity threat assessment and readiness planning and their investment in cyber expertise. These decisive steps are important and we expect the next twelve months to be critical in establishing benchmarks and information sharing protocols that will influence standards across industries going forward.

Another critical factor in the region’s cybersecurity regulatory landscape that cannot be ignored is the approach being taken by lawmakers in the People’s Republic of China (the PRC). The dimensions of cybersecurity regulation here are broad and complex, involving geopolitics and trade issues that go beyond fundamental concerns about securing data, systems, and infrastructure from attack. Given the scale and importance of the PRC national economy to the region and the world, the approach to cybersecurity regulation coming forward in the PRC is of fundamental importance to the cybersecurity regulatory dynamics currently in play.

Cybersecurity Regulation: The Shifting Status Quo

The Asia region cybersecurity regulatory environment has much of its current focus in data protection law. Cybersecurity regulation, however, is clearly not just about data protection. Cybersecurity regulation draws on wider concerns for matters such as national security and law enforcement, the integrity of critical infrastructure, networks and systems, the protection of intellectual property rights and confidential information, in addition to other policy issues. In most of the more developed jurisdictions across the region, these wider concerns are addressed — to varying degrees — on a piecemeal basis in areas such as criminal law, anti-terrorism law, telecommunications law, intellectual property law, and in the technology risk management requirements applicable to regulated industries. Cybersecurity regulation, as a discrete area of regulation, does much more than simply knit this diverse selection of laws together. It seeks to set standards in areas such as threat identification, risk assessment and mitigation measures, and incident response and facilitate information sharing. It seeks to create a basis for proactive and adaptive management of cyber risks. We are only now beginning to see clear regulatory movement towards laws of this nature in the region. This being the case, it is the region’s data protection laws, which have seen a significant push in recent years, that are setting the current regulatory benchmark in the cyber arena.

The APEC Privacy Framework

The Asia region had a number of early movers towards comprehensive, principles-based data protection regulation, most notably Japan, Hong Kong, and Macau, which passed laws in 1988, 1995, and 2005, respectively. With the agreement in 2005 by the Asia-Pacific Economic Co-operation (APEC) of its Privacy Framework, a formal impetus for other member economies to pass comprehensive data protection legislation came into being. In the wake of the APEC Privacy Framework, Malaysia, the Philippines, Singapore, South Korea, and Taiwan all joined the ranks of countries with comprehensive data protection laws. The PRC has moved towards data protection in a far more piecemeal fashion. But with the passage of principles-based data protection laws regulating the internet and telecommunications sectors and with similar reforms to the national consumer protection laws, there is now, on paper at least, substantial formal protection for personal data across wide areas of economic activity in the PRC. Indonesia has introduced some degree of data regulation, most notably a data localization law set to come into force in 2017. India, which is not an APEC member economy, has also passed a data protection law broadly consistent with the APEC Privacy Framework, meaning that most of Asia’s most substantial economies have now moved at least some way towards the comprehensive model.

The APEC Privacy Framework states a set of principles for collecting, processing, and transferring personal data that is similar in approach to the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, the principles that underlie European national data protection laws and the new General Data Protection Regulation. The core requirement is that personal data be collected fairly with the data subject’s voluntary, informed consent and that once collected, the data should be processed securely in accordance with the purposes for which it has been collected.

The APEC Privacy Framework does not prescribe a duty to notify regulators or impacted data subjects of a breach of data security. But a number of APEC member economies have gone beyond the formal requirements of the Privacy Framework and enacted mandatory data breach notification requirements. India, the Philippines, South Korea, and Taiwan have all gone in this direction. Sector-specific breach notification obligations can be found in Japan and China, and voluntary (but strongly encouraged) data breach notification regimes apply in Hong Kong and Singapore. The trend is clearly towards binding notification requirements, noting that internationally the European General Data Protection Regulation has taken a step towards mandatory, 72-hour notice of data breaches, and most U.S. states have breach notification laws. Closer to home in the Asia region, legislative changes will likely bring notification requirements to Australia, Thailand, and Indonesia in the coming years.

The Cybersecurity Environment

The drive for mandatory breach notification requirements comes as Asia finds itself to be by no means immune to cybersecurity threats. Large data breaches are now being more routinely reported in newspapers. In some jurisdictions, such as Japan, it has been an accepted practice for large corporations and public institutions to announce breaches and make formal public apologies for them, as seen most recently in June 2016 with the revelation by Japanese travel agent JTB of a cyberattack resulting in the theft of 8 million customers’ data. South Korea has similarly seen a scourge of cyberattacks, with a 2014 attack that reportedly compromised 70 percent of the country’s national identity card numbers. It is notable that these two countries — South Korea in particular — have stepped up their data protection laws in response to widespread public concern.

Hong Kong became the focus of world-wide attention in December 2015 with the announcement that toymaker VTech had suffered a breach exposing the personal details of 5 million adult customers and 6 million children.

What may well prove to generate the most concrete results in terms of advancing cybersecurity regulation are the recent cyberattacks directed at banks in the region using the SWIFT inter-bank messaging system, reportedly causing losses of US$81 million to a Bangladesh bank. A similar malware-driven heist, potentially a practice run for the successful robbery in Bangladesh, was thwarted in Vietnam the previous year. These attacks spurred SWIFT to call for broader-based regulatory action to set standards for cyber threat assessments and incident response and reporting. SWIFT underlined the severity of its concerns by signaling that institutions proving to be the “weakest link” in its system may be denied access to it in future.

The SWIFT incidents proved to be a wake-up call to the region’s financial services regulators, which, with limited exceptions, had not yet tabled detailed cybersecurity standards and procedures for their authorized institutions. Given the importance of the stability and integrity of financial systems to regional economies, it is fair to say that regulators in this sector have over the years generally imposed more in the way of technology risk management (TRM) requirements than the regulators in other sectors. However, as explained by Hong Kong’s banking regulator, the Hong Kong Monetary Authority (HKMA), in its September 2015 circular, cybersecurity involves threat patterns and risks that are in many cases very different from the categories of risk that existing TRM requirements were developed to address. The HKMA’s September 2015 circular noted that there already is a substantial body of TRM regulation applicable to Hong Kong institutions, but that this was not enough. Without prescribing any additional or upgraded standards, the HKMA stated its expectation that cybersecurity be escalated to become a board-level issue and that institutions would need to work to develop their own credible benchmarks to assess their performance.

Hong Kong’s Cyber Fortification Initiative

On 24 May 2016, the HKMA took more direct action, issuing a circular to Hong Kong banks announcing its Cybersecurity Fortification Initiative (also known as the CFI), an initiative with three key pillars:

  • The Cyber Resilience Assessment Framework: The Cyber Resilience Assessment Framework is envisaged to be a self-assessment tool for institutions to assess their vulnerability to cyber risks. The objective is both to support and refine institutions’ assessment of their readiness to detect and respond to cyber threats and to give the HKMA greater visibility of the financial services industry’s overall level of preparedness. The core of the initiative is a self-assessment and benchmarking process, supplemented by “intelligence-led cyberattack simulation testing” that adds to traditional penetration testing simulation test scenarios based on real-time cyber threat intelligence.
  • The Professional Development Program: The Professional Development Program aims to increase the number and level of expertise of cybersecurity professionals in Hong Kong. There is an explicit link to the resourcing needs that the CFI will no doubt generate, with the HKMA explaining its desire that the self-assessments be carried out by suitably qualified professionals. The HKMA proposes to collaborate with the Hong Kong Applied Science and Technology Research Institute and the Hong Kong Institute of Bankers to develop the program, targeting the end of 2016 to open the program.
  • The Cyber Intelligence Sharing Platform: In line with cybersecurity initiatives in the U.S., the EU, and elsewhere, the HKMA’s cybersecurity program seeks to improve industry sharing of intelligence about cyber threats as a means of better identifying and containing emerging threats. The platform, which the HKMA intends to develop in collaboration with the Hong Kong Association of Banks, will support the collection, analysis, and sharing of detailed cyber threat reports. The HKMA expects all banks to join and participate.

The HKMA’s Cybersecurity Fortification Initiative is, at the time of writing, out for industry consultation. While the results remain to be seen, there is an expectation that the initiative should lead to the development of clearer standards for cybersecurity threat identification, risk management, and incident response. The developments here in Hong Kong’s financial services sector will likely have implications for industry generally in Hong Kong, and have influence in the region beyond.

The PRC: “Secure and Controllable”

The PRC’s approach to cybersecurity regulation has captured much in the way of international headlines in the past year, a response to a flurry of new legislative initiatives that paint a picture of cybersecurity policy under a heavy influence of geopolitics and the country’s particular national security and political environment. The passage of the National Security Law in the summer of 2015 coincided with the publication of the first draft of a national Cyber Security Law. With the subsequent passage of a Counter-Terrorism Law in January 2016, a second draft of the Cyber Security Law in July 2016, and the publication of new draft TRM guidelines by financial services sector regulators, we see a clear trend towards the PRC concept of “secure and controllable” technology. This concept takes a heavy regulatory hand, in particular towards state access to and approval of technology, through premarket certification (involving the potential disclosure of source code), data localization measures and, in the case of the financial services regulators’ guidelines, specific quotas for the use of “secure and controllable” technologies, a term of art widely perceived to favor homegrown Chinese technology.

The second draft of China’s Cyber Security Law does not offer any relaxation from the already controversial first draft. The definitions of “network operators” and “critical information infrastructure operators” that would be regulated under this law are expansive, potentially reaching almost any business with a substantial online user base.

It is no wonder then that significant controversy over the scope and intent of these new laws and measures persists. Multinational technology companies see the reforms as protectionist, or in the extreme a new form of forced technology transfer. International businesses across a range of sectors see a threat in these regulatory pressures to adopt unproven indigenous technologies certified by the authorities as being “secure and controllable” on the basis that this may well be counter-productive to their information security policies.

The direction of cybersecurity regulation in the PRC is unique and poses particular challenges to multinational businesses, opening up wider lines of enquiry around technology and data hosting strategies, the security of communications and unique local law issues such as the risk of coming into possession of state secrets, which carries heavy penalties under PRC law. These next few years will be critical in defining how the PRC engages with the rest of the world through technology.

Conclusions: Navigating the Emerging Complexity

The pace of change and the scale of risk are evolving rapidly in relation to cybersecurity in the Asia region. Part of the cause here is a natural maturing, or catching up, of the regulatory approach, which is now becoming more closely focused on cyber risk management as significant incidents emerge here and gain wide publicity in the region, as they do elsewhere. Part of the cause is shifting geopolitical and national security considerations and associated moves to localize data and technology that have economic and trade motives at their core.

It is clear that, looking past these challenging issues, the region would benefit from the development of common standards and approaches to cybersecurity, broader cooperation in relation to information sharing, coordinated incident response, and deeper pockets of regional expertise. With law makers still focusing on their own national approaches to these issues, the region is a long way from achieving these aims. We have not yet seen even early signs of meaningful cooperation.

It is worth noting here that there was a similar impulse behind the APEC Privacy Framework concluded in 2005, a common set of data protection principles applicable across the region that would lead to freer, more secure movement of data, the objective being to encourage public confidence in e-commerce and cross-border data transfers, and thereby stimulate regional economic growth. While the APEC Privacy Framework has done well to introduce comprehensive data protection law to the region, national approaches to implementation have differed significantly. So we are only just at the early stages of regulators seeking to develop a common approach that will achieve the broader aims of the accord.

It is unfortunately the case that cybersecurity concerns, dictated by harsher events, may bring more urgency to the need for regional cooperation and mutually supportive policies and standards.