ADVISEN SPECIAL REPORT
Cyber Risks of Asia-Pacific Companies and the Role of the Risk Manager
April 2013
The Internet knows no borders. Never before has the world been so interconnected, which has been a boon to global commerce. The digitization of information, and the access to that information enabled by the Internet, also has been a boon to criminals. Cybercrime is on the increase throughout the world, and no organization in any country can consider itself immune from attack. Given the globalization of both commerce and cybercrime, it is perhaps surprising that significant regional differences exist in organizations’ response to the threats of data breaches, privacy violations, industrial cyber-espionage, hacktivism and cyber-terrorism. Asia-Pacific companies frequently excel in the governance aspects of data security and privacy regulation compliance, but security experts often note that many fall short in implementing comprehensive plans to protect their data. As the cyber threat landscape grows more dangerous, and as more Asian countries pass privacy laws and arm regulators with the tools to enforce them, it becomes all the more urgent for companies to harden their defenses.
Introduction

Last year the hacktivist collective Anonymous launched “Operation Japan,” a series of cyber-attacks to protest a recent revision to Japan’s copyright law. Targets included websites of the Finance Ministry, the Supreme Court, and a regional office at the Land, Infrastructure, Transport and Tourism Ministry, as well as the websites of the ruling Democratic Party of Japan and the major opposition Liberal Democratic Party. This was the first time Japanese government agencies had come under attack by hacktivists.[1]
“Operation Japan” was only one of a number of high profile attacks on Asian targets in 2012. A massive assault by Anonymous, protesting the “Great Firewall” of China, reportedly defaced hundreds of government and official websites throughout the country. In February, the website of Malaysia’s stock market was hit with a denial of service cyber-attack. Asia, in fact, was described by security expert Martin McKeay of Akamai Technologies, in an interview, as a “hotspot” of distributed denial of service (DDoS) attacks. In a DDoS attack, hackers attempt to disrupt or bring down a website by overwhelming it with a barrage of messages. According to McKeay, DDoS attacks are the most common way in Asia for politically or socially motivated hackers to damage organizations to draw attention to their causes.[2]
The threat landscape
Hacktivists – hackers motivated by political or social causes – of course are only one aspect of the rapidly evolving cyber threat landscape faced by Asian companies. Many organizations come under attack by cybercriminals looking to access bank accounts or payment card data, or to steal other information of value. One of the largest and most expensive breaches of all time involved an Asian company: the 2011 attack on Sony’s PlayStation Network resulted in personal information of about 77 million users being compromised. State-sponsored hackers are accused of mounting sophisticated attacks against companies and government agencies to access secret information. The so-called Luckycat cyber espionage campaign, for example, targeted companies in Japan as well as in India. In Japan, the attackers used the Tohoku earthquake disaster to lure potential victims into opening a malicious .PDF attachment to an email.[3] Government hackers and their proxies also have been accused of launching attacks against both public and private sector enemies. In a very recent incident, North Korea is suspected of being behind a cyber attack that caused computer networks at major South Korean banks and top TV broadcasters to crash simultaneously.
Data security is a global issue, and Asian companies are vulnerable to the full range of security risks. Discussions about cybercrimes, cyber hacktivism and cyber terrorism have become “a mainstream agenda item for the corporate risk world in Asia,” according to Murray Wood, Regional Managing Director, Asia for Aon Risk Solutions. Experts note, however, that many companies attempt to address these problems on a piecemeal basis – to address specific issues rather than taking a holistic, enterprise-wide approach to data security and privacy protection.[4]
Some experts caution that a more urgent and robust response to data security threats among Asian companies has been hampered by generally less stringent regulatory requirements. According to these observers, Asian data breaches tend to be lower profile than data breaches in Europe and, especially, North America. There remains a strong tendency “to sweep actual incidents under the carpet,” according to P.F. Vilquin, director of security for Asia-Pacific and Japan at CA Technologies, in a ZDNet interview. When “awareness remains low, maturity doesn’t improve,” said Vilquin.[5] Progress is expected to accelerate, however, as legislation and penalties governing privacy and security become more prevalent throughout the region.[6]
It was not very long ago that organizations were principally concerned about defending their information systems from attack by comparatively unsophisticated hackers and virus writers. Hackers often were amateurs more attracted to the thrill of breaking into a system than to causing harm. Viruses could be destructive, but they also were relatively easy to identify and neutralize. Today organizations need to defend against a wide range of attacks from highly sophisticated professional crime rings, politically and socially motivated activists, terrorist organizations, and even foreign governments.
While organizations must take steps to defend against all threats from all sources, they typically dedicate the most resources to defending against the theft of valuable information, especially personal information about customers. The largest investments tend to be on perimeter security tools such as firewalls and anti-malware software.[7] This focus is understandable. Malicious data breaches are the most costly cyber-related event and can have long term consequences for a company’s brand and reputation.
Being hacked, however, is only one way for data to be compromised. A Ponemon Institute analysis of data breaches by Japanese companies found that the most common cause of compromised data was negligence, such as losing a laptop computer, which accounted for 40 percent of breaches. Hackers were responsible for 33 percent, and system glitches for 27 percent.[8] A comprehensive privacy and data security program should address all the various ways data can be compromised.
Rapidly developing technology and changing social practices are transforming the cyber threat landscape at an accelerated pace. Among the most significant new challenges for Asia-Pacific companies are managing the data security exposures of cloud computing and mobile devices.

A recent study on the adoption of cloud computing in the Asia-Pacific region found that while businesses increasingly are leveraging cloud platforms, many remain apprehensive and have not yet taken full advantage of cloud computing.[9] Nonetheless, a recent survey commissioned by NTT Communications and conducted by IDG Research Services found that 28 percent of APAC IT decision makers have implemented clouds in one or more locations, while 31 percent plan to implement clouds in the next 12 months, and 26 percent look to pilot-test cloud projects.[10] A persistent concern of Chief Information Security Officers (CISOs) in many organizations is heightened vulnerability to security breaches in a cloud computing environment.[11] Cloud computing also can complicate compliance with privacy laws, since data can be physically stored almost any place in the world and some privacy laws have strict cross-border requirements.
Mobile devices such as smartphones and tablets present a host of data security challenges, not the least being that they are prone to being lost or stolen. Use of these devices is very high in the Asia-Pacific region. APAC markets have the highest penetration of mobile phones in the world,[12] and consultancy IDC notes that “Australia, Hong Kong, Korea, and Singapore spearhead the move toward new technologies and usage patterns that are often eventually adopted by markets all over the world.”[13] People often use their personal devices for work purposes, requiring companies to implement Bring Your Own Device (BYOD) policies. Research by BT shows that Asian IT professionals lead their European and North American counterparts in implementing BYOD policies: 96 percent of Chinese and 91 percent of Singaporean IT managers reported that they were currently rolling out BYOD or will be in the next two years. The global average is 81 percent, according to BT.[14]
[Figure: Sources of Compromised Data: Japan. Source: Ponemon Institute]
The cost of a data breach

Every category of cyber-related event has costs associated with it. A DDoS attack, for example, can block access to a company’s website, prohibiting transactions from taking place and potentially causing damage to the target company’s reputation. The most costly events, however, typically are assaults on a company’s systems by criminals to access valuable data. Such a breach can cost a large organization hundreds of millions of dollars.
The total cost of a breach is the sum of the following components:
• Expenses related to identifying and repairing the breach
• Business interruption costs
• Fines and penalties
• Notification costs
• Credit monitoring or related costs
• Costs of public relations firms and other consultants
• Litigation costs
• Other legal expenses
• Lost business due to damaged brand or reputation
The cost of a breach will vary by its nature and the type of data involved. Cost also will vary by the country in which the breach occurs and where affected customers are located. Fines and penalties, for example, vary widely by country. In the United States, disclosure of healthcare information in violation of the Health Insurance Portability and Accountability Act (HIPAA) has resulted in settlements in the millions of dollars. Companies doing business in Europe face even more draconian fines – as high as 2 percent of yearly global sales for mishandling or losing personal data under proposed European Union privacy rules. Regulators in a number of Asian countries, including Hong Kong, South Korea and Taiwan, also are empowered to levy fines.
The process of identifying and repairing a breach, what Ponemon calls “detection and escalation,” would logically seem to be the cost least subject to variation by country. Ponemon statistics imply just the opposite – these costs vary tremendously, ranging from an average per breach of USD $0.3 million in India to USD $1.2 million in Germany. Japan, the only Asia-Pacific country represented in Ponemon’s global data breach study, fell squarely in the middle, with an average cost of USD $0.7 million per breach.[15]
Another factor that varies widely by country is breach notification costs. The United States, with notification laws in 46 of 50 states, plus certain federal notification requirements, far exceeds every other country for notification costs, with an average cost of more than USD $500,000 per breach. This compares to less than USD $100,000 for Japan.[16] Privacy laws in several Asian countries, including the Philippines, South Korea and Japan, contain breach notification provisions.
Litigation costs also vary materially by country. The United States is notorious for being highly litigious, and
companies that have experienced data breaches have frequently been sued by those whose information was
compromised. U.S. courts, however, have generally been reluctant to award damages unless plaintiffs are able to
prove they suffered a loss as a result of a breach.
While litigation may be more likely in the United States than elsewhere, Asian companies should not assume they will not be sued. Individuals have the right to bring action against data handlers under the laws of some Asian countries, including Taiwan and South Korea, both of which permit collective/class action suits. In an important recent development, the Seoul Western District Court in Korea ruled in favor of 2,882 petitioners who filed a collective action against SK Communications, a telecommunications operator, for a breach involving personal data in its possession. Importantly, the breach was not caused by intentional misconduct, but rather by carelessness and mismanagement. This appears to be the first such ruling in Asia.[17]
One of the most significant – though difficult to quantify – sources of loss following a data breach is lost revenue
due to a damaged reputation. Reputation and brand image are among an organization’s most valuable assets,
and are highly vulnerable to negative events, including a data breach. Studies have shown that customers often
are reluctant to do business with a company that has experienced a large data breach, especially if it was their
own information that was lost.
“Having a robust incident response plan in place to mitigate any reputational damage that may occur as a result of a breach is critical,” according to Lori Bailey, Global Head of Professional Liability, Zurich General Insurance. Underscoring that point, a 2012 Ponemon Institute study, sponsored by Experian’s Data Breach Resolution, found that depending upon the nature of the breach, the value of brand and reputation could decline between 17 percent and 31 percent.[18] Another Ponemon Institute study on the costs of a data breach to Japanese companies found that lost business was the single largest component of the total per record cost of a breach in Japan.[19] Despite the potential damage to brand and reputation that can be caused by a breach, the 2012 Carnegie Mellon CyLab Governance survey found that board level attention to this issue is generally inadequate at companies throughout the world.[20]
Data security and privacy regulation in the Asia-Pacific Region

Asia, and especially the Asia-Pacific region, is undergoing rapid economic growth. As Asia becomes more prosperous, the need for privacy and data security regulation grows. Some countries have comparatively well-developed regulatory frameworks already in place, while others are at early stages of passing privacy legislation and building the regulatory infrastructure to implement and enforce it. Differing approaches and stages of development by country, as well as limited experience by regulators, can create compliance challenges.
“Privacy” and “data security” are separate but overlapping topics. “Privacy” concerns the rights of individuals to retain control over their personal information, while “data security” addresses the means of keeping secure not only private information on individuals but also all other information contained in an organization’s databases. From a regulatory perspective, governments are most concerned about protecting the privacy of their citizens. Some countries have specific data protection laws, focused primarily on personal information, while many other countries have passed privacy laws that sometimes contain certain data security requirements. Most Asian governments now have implemented some form of privacy regulation, many with significant implications for data security.
Below is a brief summary of privacy regulation in Asia.[21]
Australia. Privacy regulation is at a mature level in Australia. The federal Privacy Act regulates “information privacy.” Australia recognizes the concept of sensitive personal information, and comparatively strict consent, use and security requirements are in force. The law does not require breach notification. While the federal regulatory system is mature, it is relatively toothless; there are no fines for non-compliance. Major changes to the Privacy Act will come into effect in March 2014, including fines of up to AUD $1.1 million. Various state laws also regulate privacy.
China. China’s privacy regulation is weak. Specific privacy and data protection laws have not been passed; what little law applies to this realm is embedded in various other laws governing business conduct.
Hong Kong. An amendment to Hong Kong’s Personal Data (Privacy) Ordinance, many provisions of which became effective on October 21, 2012, establishes a number of changes and new requirements. Most significantly, the amendment imposes increased notification and consent requirements for data users, and enables fines and potentially significant criminal penalties for data users that violate these requirements. DLA Piper designates Hong Kong as a “mature data privacy jurisdiction.”
Japan. Japan’s Personal Information Protection Law (PIPL) applies to any company with offices in Japan that holds
personal data on 5,000 or more individuals, including employees. Enforcement is the responsibility of ministries of
each industry sector. Explicit consent is required for all disclosure of information to third parties. Businesses are
held responsible for unauthorized use or disclosure of data and must notify the affected individuals of any breach
of privacy. Fines and prison sentences of up to one year can be imposed under the law.
Malaysia. The Personal Data Protection (PDP) Act 2010 became operational January 1, 2013. The Act makes
it illegal for commercial organizations to sell personal information or allow the use of such data by third parties.
Infringement can result in fines or imprisonment of up to a year.
New Zealand. New Zealand has a mature regulatory system, but it is limited in its scope by the fact that the country does not have a statutory sensitive personal data concept. The Privacy Act 1993, however, does govern the handling of private information by agencies. The principal regulator, the Privacy Commissioner, has no authority to levy fines for non-compliance, but cases may be referred to the Human Rights Review Tribunal, which has the authority to award a range of remedies including damages. Breach notification is not required.
The Philippines. The Data Privacy Act of 2012 establishes privacy as a fundamental human right, and imposes strict obligations on the use of personal data. The Philippines is one of a handful of countries in Asia to have a breach notification requirement, which applies to information that can be used for identity fraud. Fines and prison sentences of up to six years can be imposed for violations.
Singapore. The Personal Data Protection Act (“PDPA”) was passed by the Singapore Parliament in October 2012 and became law in January 2013. As passed, the law is a general framework, with Singapore’s Personal Data Protection Commission now issuing guidelines for implementation. The bill does not contain a definition of sensitive personal information, nor does it impose any special requirements for the handling of such information. Additionally, there is no generally applicable breach notification requirement. In principle, special data protection requirements will be determined on a sector-by-sector basis by appropriate regulatory agencies.
South Korea. South Korea’s Personal Information Protection Act (PIPA), which came into force on September 30, 2011, has been described as the “strictest in the world.” Express consent is required for collecting or transferring data, breach notification is required, the concept of sensitive personal information is recognized, and the law has provisions for both fines and prison sentences for violations. Individuals may sue data handlers for damages resulting from their breach of PIPA provisions.
Taiwan. The Personal Data Protection Act provides protection to personal data across all public and private entities and across all sectors. Medical information, genetic information, sex life, health examinations and criminal records are subject to a higher level of protection. Fines of up to NT$1 million can be levied against individuals or enterprises who profit from the collection, processing or use of personal data, or they may face a term of imprisonment of up to five years. Class action legal proceedings against parties who violate the law are permissible under the new Act.
Of course, in a globalized economy, many APAC companies do business not only in Asia, but throughout the world. As a result they may be subject to privacy and data security laws in other countries in which they do business. This includes 46 separate state data breach notification laws in the United States. Asian companies with securities registered in the United States also are subject to Securities and Exchange Commission guidance on disclosing data breaches and other material data security information. Europe has historically been protective of personal information, and the European Union now is considering far-reaching privacy regulations that would give citizens of its member countries increased control over how their personal data is used.
Law firm DLA Piper recommends a holistic regional approach to developing a compliance program that recognizes cultural “quirks” of each Asian jurisdiction, but avoids approaching compliance on a country-by-country basis. The firm also recommends that organizations strive for the “gold standard” in compliance, and not fall into the trap of complying on a de minimis basis in each country in which they operate.[22]
Experts agree that most organizations around the world can do much more to manage their privacy and data security exposures. Asian companies in particular could benefit from more attention and greater resources being dedicated to implementing comprehensive data security programs. The regulatory environment throughout Asia has been comparatively weak, which may have contributed to a lack of urgency in addressing data security issues. Throughout the region, however, regulations are becoming more stringent, with a number of countries imposing potential criminal liability for violations of privacy laws. “Risk awareness to a large extent is driven by in-country legislative developments to protect the consumer, personal data and rights of the consumer to privacy,” according to Aon Risk Solutions’ Wood. “New pro-consumer laws are driving risk awareness to a new and unprecedented level.” Furthermore, many large Asian companies operate on a global basis, and may be subject to far more onerous regulations in other countries in which they do business. A Ponemon Institute study found that regulatory compliance was the top reason for IT security funding for UK companies.[23] It is expected that compliance increasingly will be a significant driver of data security initiatives in the APAC region as well.
Regulatory issues often motivate heightened attention to data security issues. The potential costs of regulatory non-compliance, however, often are dwarfed by other significant costs associated with a data breach. Fines may run in the hundreds of thousands, or perhaps even millions, of dollars, but a large data breach can cost a company hundreds of millions of dollars. A 2007 data breach at U.S. retailer TJX, in which more than 45 million credit and debit card numbers were stolen, is estimated to have cost the company more than USD $250 million.[24] Damage to brand or a company’s reputation is one of the most significant exposures. “The Zurich/Advisen surveys of risk managers have found that reputational risk consistently is viewed as the highest risk an organization can face,” according to Zurich’s Bailey.
On a positive note for Asian companies, the 2012 Carnegie Mellon CyLab Governance survey found that 76 percent of Asian companies have a board risk committee responsible for privacy and security, which exceeds both North America and Europe. Asian companies also surpassed European companies, and compared favorably to U.S. companies, as concerns board level attention to IT operations, computer and information security, and vendor management (though the report notes that for all regions, the level of board attention to these matters is insufficient to assure a robust information security program).[25] In fact, from a board level governance perspective, Asian companies overall scored very well compared to companies elsewhere in the world. It is perhaps surprising then that many data security experts believe that Asian companies often lag their Western counterparts in data security defenses and readiness to respond to a breach.[26]
One important area where Asian companies trail European and American companies is in the appointment of a Chief Information Security Officer. The Ponemon Institute has found that companies with a dedicated CISO, on average, have lower data breach costs. Asian organizations seemingly are behind their North American and European peers. Of the eight countries represented in Ponemon’s 2011 Cost of Data Breach Study: Global, Japan, the only APAC country included, had the lowest percentage of companies with a CISO.[27] The 2012 Carnegie Mellon CyLab Governance survey found that, at 52 percent, Asian companies are less likely to have a CISO or chief security officer compared to U.S. organizations at 58 percent and Europe at 72 percent.
The Ponemon Institute identifies a lack of enterprise collaboration as a “major barrier to tackling risk and privacy challenges.”[28] Cooperation by almost every department in an organization is now viewed as important to a successful data security program. Surveys of risk managers in Europe and North America conducted by Advisen Ltd. on behalf of Zurich found that most companies now have implemented, or are in the process of implementing, enterprise-wide solutions that encompass not only technological solutions such as firewalls and encryption, but also business policies on information access and usage, as well as employee education. “What once was viewed as exclusively an ‘IT issue’ now has far-reaching effects across an organization, so management of the entire risk is crucial to success,” according to Bailey.
An action recommended in the 2012 Carnegie Mellon CyLab Governance survey to improve an organization’s security posture and reduce risk is to establish a cross-organizational team to coordinate and communicate on privacy and security issues. According to respondents to the Zurich/Advisen surveys, many U.S. and European organizations now have created data security teams or committees with representatives from throughout the organization, including the risk management department. “The risk manager is often viewed as the conduit to providing a holistic risk management approach to security and privacy risk across all areas of an organization,” explained Bailey.
Half of European respondents to the Zurich/Advisen survey claimed their organization takes a multi-departmental approach to their information security risk management efforts, and more than 60 percent of U.S. respondents said their organization has a multi-departmental information security risk management team or committee. The insurance/risk management department was included as a part of the multi-departmental team in nearly 80 percent of U.S. organizations that have such a team. While no similar survey has been conducted of Asian companies, anecdotal evidence suggests that such an enterprise-wide approach to data security is less common, and that risk managers are less likely to be significantly involved in data security issues.
Increasingly, companies recognize that there is no foolproof solution to data security. Although some experts contend that 90 percent of breaches could be avoided by following security basics,[29] motivated hackers have demonstrated that even the world’s most heavily guarded systems are vulnerable. Companies need to make a concerted effort to protect their information assets, but they also should consider insurance protection for those situations where valuable data is compromised, or if their business otherwise falls victim to cyber predators. Many policies now provide not only indemnification for the costs associated with a covered event, but also access to experts who can provide essential support following a data breach.
[Figure: % Companies with Multi-departmental Teams. Source: Advisen/Zurich]
Insurance for costs associated with data breaches and related events now is provided by about 50 insurers worldwide, according to Advisen data, with many of the leading global insurers now offering coverage to Asian organizations. The most recent Zurich/Advisen surveys, however, indicate that only 44 percent of U.S. companies and 12 percent of European companies purchase coverage. Nonetheless, these numbers are up from 35 percent and 8 percent respectively the prior year, and represent an environment of increasing awareness about insurance products and capabilities. Anecdotal information suggests that even fewer Asian companies buy insurance, although Asian firms were nearly identical with American and European firms as concerns board level involvement with cyber insurance issues.[30]
Conclusion

Cyber criminals respect no national borders or regional boundaries. Companies everywhere are exposed to similar threats. Nonetheless, the ways in which organizations respond to these threats vary by region. Asian organizations score well in comparison to European and U.S. companies as regards board level attention to data security issues. Asian organizations also outperform European and U.S. companies in implementing BYOD policies, which help to address one of the most vexing new data security issues. However, many data security experts concur that Asian organizations lag their European and American peers in some other aspects of deploying effective data and privacy protections.
Weak or nonexistent privacy laws and regulation are an often-cited reason for a lack of urgency on the part of many Asia-Pacific organizations. That situation has changed dramatically over the past several years, however, with most countries in the region now having privacy laws on the books and a regulatory infrastructure in place to enforce them. More companies are giving greater emphasis to privacy and data security issues, but experts warn that many still are doing too little too late.
Data security authorities widely agree that data security and privacy protection are no longer exclusively IT matters.
These issues involve an entire organization, and require an enterprise-wide solution. A growing number of
organizations have created data security committees or teams with representation from throughout the organization,
including the insurance/risk management department. Privacy protection and data security are new domains
for many risk managers, but ones where their skill sets can prove valuable.
Risk managers are also in a position to assess the value of cyber-related insurance products, since data security
measures will never provide 100 percent protection. Insurance not only provides indemnification for many costs
incurred in a data breach or other cyber incident; many insurers also offer ready access to professional services
that can help mitigate the negative consequences of a breach. “The risks are real, security is continually being
challenged and risk transfer solutions are developing,” concludes Aon Risk Solutions’ Wood. “It is an exciting area
to watch.”
NOTES:
1 “Anonymous hacks Japanese govt sites,” ZDNet http://www.zdnet.com/anonymous-hacks-japanese-govt-sites-2062305268/
2 “Asia ‘hotspot’ for DDoS attacks, but no need to overreact,” ZDNet
3 Luckycat Redux: Inside an APT Campaign with Multiple Targets in India and Japan, Trend Micro Research Paper http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf
4 “Asian firms can do more to protect data,” ZDNet http://www.zdnet.com/asian-firms-can-do-more-to-protect-data-2062200286/
5 “Asian firms can do more to protect data,” ZDNet http://www.zdnet.com/asian-firms-can-do-more-to-protect-data-2062200286/
6 “‘10 years’ before Asia’s biz security catches up to US,” ZDNet http://www.zdnet.com/10-years-before-asias-biz-security-catches-up-to-us-2062304736/
7 “Companies invest in the wrong IT security tools, report says,” Finance Tech News http://www.financetechnews.com/wrong-it-security-tools/
8 2011 Cost of Data Breach Study: Japan, Ponemon Institute, March 2012 http://www.ponemon.org/local/upload/file/2011_%20CODB_JP_Final_5.pdf
9 Special Report: The State of Cloud Computing Security in Asia, Trend Micro http://www.trendmicro.com/cloud-content/us/pdfs/about/white-papers/wp_state-of-cloud-computing-security-in-asia.pdf
10 Cited in “Are hybrid clouds the secret weapon of Asia Pacific enterprises?” Computerworld http://www.computerworld.com/s/article/9233280/Are_hybrid_clouds_the_secret_weapon_of_Asia_Pacific_enterprises_
11 The Notorious Nine: Cloud Computing Top Threats in 2013, Cloud Security Alliance https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
12 “Asia-Pacific has the highest penetration of mobile phones in the world,” TNW http://thenextweb.com/asia/2011/09/02/asia-pacific-has-the-highest-penetration-of-mobile-phones-in-the-world/
13 “Asia/Pacific Quarterly Mobile Phone Tracker,” IDC http://www.idc.com/tracker/showproductinfo.jsp?prod_id=103#.UUbR6Ibiax2
14 “Asia leads global BYOD race,” The Register http://www.theregister.co.uk/2012/05/17/asia_byod_bt/
15 2011 Cost of Data Breach Study: Global, Ponemon Institute http://www.symantec.com/content/en/us/about/media/pdfs/b-ponemon-2011-cost-of-data-breach-global.en-us.pdf
16 2011 Cost of Data Breach Study: Global, Ponemon Institute http://www.symantec.com/content/en/us/about/media/pdfs/b-ponemon-2011-cost-of-data-breach-global.en-us.pdf
17 “South Korea Court Opens the Door for Unintentional Data Breach Collective Actions,” Data Privacy Monitor, BakerHostetler http://www.dataprivacymonitor.com/international-privacy-law/
18 “How data breaches harm reputations,” Experian http://www.experian.com/blogs/data-breach/2012/01/17/how-data-breaches-harm-reputations/
19 2011 Cost of Data Breach Study: Japan, Ponemon Institute, March 2012 http://www.ponemon.org/local/upload/file/2011_%20CODB_JP_Final_5.pdf
20 Governance of Enterprise Security: CyLab 2012 Report, Carnegie Mellon University and CyLab http://www.rsa.com/innovation/docs/CMU-GOVERNANCE-RPT-2012-FINAL.pdf
21 Sources: “Data Protection Under the Rising Sun: Rising Regimes in Asia,” DLA Piper Presentation to the IAPP Privacy Academy, 11 October 2012 https://www.privacyassociation.org/media/presentations/A12_Data_Protection_PPT.pdf; Korea’s New Act: Asia’s Toughest Data Privacy Law, Social Science Research Network http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2120983; Privacy Trends: Regulatory and Legal Considerations, presentation to North American CACS by Ken Leissler and Wayne Matus http://www.isaca.org/Education/Upcoming-Events/Documents/2012-NA-CACS-Presentations/223-nac2012.pdf; Privacy and Information Security Law Blog, Hunton & Williams http://www.huntonprivacyblog.com, entries on Hong Kong, South Korea, Philippines; Taiwan’s new Personal Data Protection Law, Baker & McKenzie http://www.bakermckenzie.com/RRTaiwanPersonalDataProtectionLawOct10/; “Personal Data Protection Act to come into force Jan 1,” thestar online http://thestar.com.my/news/story.asp?file=/2012/12/12/nation/20121212153344&sec=nation
22 “Data Protection Under the Rising Sun: Rising Regimes in Asia,” DLA Piper Presentation to the IAPP Privacy Academy, 11 October 2012 https://www.privacyassociation.org/media/presentations/A12_Data_Protection_PPT.pdf
23 Cited in “Motivations, trends and measurement of IT security spending,” Help Net Security http://www.net-security.org/secworld.php?id=14112
24 “Data theft: Top 5 most expensive data breaches,” The Christian Science Monitor http://www.csmonitor.com/Business/2011/0504/Data-theft-Top-5-most-expensive-data-breaches/3.-TJX-256-million-or-more
25 Governance of Enterprise Security: CyLab 2012 Report, Carnegie Mellon University and CyLab http://www.rsa.com/innovation/docs/CMU-GOVERNANCE-RPT-2012-FINAL.pdf
26 “‘10 years’ before Asia’s biz security catches up to US,” ZDNet http://www.zdnet.com/10-years-before-asias-biz-security-catches-up-to-us-2062304736/
27 2011 Cost of Data Breach Study: Global, Ponemon Institute http://www.symantec.com/content/en/us/about/media/pdfs/b-ponemon-2011-cost-of-data-breach-global.en-us.pdf
28 The Role of Governance, Risk Management & Compliance in Organizations: Study of GRC Practitioners, Ponemon Institute, sponsored by RSA http://www.emc.com/collateral/about/news/ponemon-report-egrc.pdf
29 “Corporate data too lucrative not to mine,” ZDNet http://www.zdnet.com/corporate-data-too-lucrative-not-to-mine-2062053191/
30 Governance of Enterprise Security: CyLab 2012 Report, Carnegie Mellon University and CyLab http://www.rsa.com/innovation/docs/CMU-GOVERNANCE-RPT-2012-FINAL.pdf