
April 2013

ADVISEN SPECIAL REPORT

Cyber Risks of Asia-Pacific Companies and the Role of the Risk Manager

The Internet knows no borders. Never before has the world been so interconnected, which has been a boon to global commerce. The digitization of information, and the access to that information enabled by the Internet, also has been a boon to criminals. Cybercrime is on the increase throughout the world, and no organization in any country can consider itself immune from attack. Given the globalization of both commerce and cybercrime, it is perhaps surprising that significant regional differences exist in organizations’ response to the threats of data breaches, privacy violations, industrial cyber-espionage, hacktivism and cyber-terrorism. Asia-Pacific companies frequently excel in the governance aspects of data security and privacy regulation compliance, but security experts often note that many fall short in implementing comprehensive plans to protect their data. As the cyber threat landscape grows more dangerous, and as more Asian countries pass privacy laws and arm regulators with the tools to enforce them, it becomes all the more urgent for companies to harden their defenses.

Introduction

Last year the hacktivist collective Anonymous launched “Operation Japan,” a series of cyber-attacks to protest a recent revision to Japan’s copyright law. Targets included websites of the Finance Ministry, the Supreme Court, and a regional office at the Land, Infrastructure, Transport and Tourism Ministry, as well as the websites of the ruling Democratic Party of Japan and the major opposition Liberal Democratic Party. This was the first time Japanese government agencies had come under attack by hacktivists.[1]

“Operation Japan” was only one of a number of high-profile attacks on Asian targets in 2012. A massive assault by Anonymous, protesting the “Great Firewall” of China, reportedly defaced hundreds of government and official websites throughout the country. In February, the website of Malaysia’s stock market was hit with a denial of service cyber-attack. Asia, in fact, was described by security expert Martin McKeay of Akamai Technologies in an interview as a “hotspot” of distributed denial of service (DDoS) attacks. In a DDoS attack, hackers attempt to disrupt or bring down a website by overwhelming it with a barrage of messages. According to McKeay, DDoS attacks are the most common way in Asia for politically or socially motivated hackers to damage organizations to draw attention to their causes.[2]


Hacktivists – hackers motivated by political or social causes – of course are only one aspect of the rapidly evolving cyber threat landscape faced by Asian companies. Many organizations come under attack by cybercriminals looking to access bank accounts or payment card data, or to steal other information of value. One of the largest and most expensive breaches of all time involved an Asian company: the 2011 attack on Sony’s PlayStation Network resulted in personal information of about 77 million users being compromised. State-sponsored hackers are accused of mounting sophisticated attacks against companies and government agencies to access secret information. The so-called Luckycat cyber espionage campaign, for example, targeted companies in Japan as well as in India. In Japan, the attackers used the Tohoku earthquake disaster to lure potential victims into opening a malicious .PDF attachment to an email.[3] Government hackers and their proxies also have been accused of launching attacks against both public and private sector enemies. In a very recent incident, North Korea is suspected of being behind a cyber attack that caused computer networks at major South Korean banks and top TV broadcasters to crash simultaneously.

Data security is a global issue, and Asian companies are vulnerable to the full range of security risks. Discussions about cybercrimes, cyber hacktivism and cyber terrorism have become “a mainstream agenda item for the corporate risk world in Asia,” according to Murray Wood, Regional Managing Director, Asia for Aon Risk Solutions. Experts note, however, that many companies attempt to address these problems on a piecemeal basis – addressing specific issues rather than taking a holistic, enterprise-wide approach to data security and privacy protection.[4]

Some experts caution that a more urgent and robust response to data security threats among Asian companies has been hampered by generally less stringent regulatory requirements. According to these observers, Asian data breaches tend to be lower profile than data breaches in Europe and, especially, North America. There remains a strong tendency “to sweep actual incidents under the carpet,” according to P.F. Vilquin, director of security for Asia-Pacific and Japan at CA Technologies, in a ZDNet interview. When “awareness remains low, maturity doesn’t improve,” said Vilquin.[5] Progress is expected to accelerate, however, as legislation and penalties governing privacy and security become more prevalent throughout the region.[6]

The threat landscape

It was not very long ago that organizations were principally concerned about defending their information systems from attack by comparatively unsophisticated hackers and virus writers. Hackers often were amateurs more attracted to the thrill of breaking into a system than to causing harm. Viruses could be destructive, but they also were relatively easy to identify and neutralize. Today organizations need to defend against a wide range of attacks from highly sophisticated professional crime rings, politically and socially motivated activists, terrorist organizations, and even foreign governments.

While organizations must take steps to defend against all threats from all sources, they typically dedicate the most resources to defending against the theft of valuable information, especially personal information about customers. The largest investments tend to be in perimeter security tools such as firewalls and anti-malware software.[7] This focus is understandable. Malicious data breaches are the most costly cyber-related event and can have long-term consequences for a company’s brand and reputation.


Being hacked, however, is only one way for data to be compromised. A Ponemon Institute analysis of data breaches by Japanese companies found that the most common cause of compromised data was negligence, such as losing a laptop computer, which accounted for 40 percent of breaches. Hackers were responsible for 33 percent, and system glitches for 27 percent.[8] A comprehensive privacy and data security program should address all the various ways data can be compromised.

Rapidly developing technology and changing social practices are transforming the cyber threat landscape at an accelerated pace. Among the most significant new challenges for Asia-Pacific companies are managing the data security exposures of cloud computing and mobile devices.

A recent study on the adoption of cloud computing in the Asia-Pacific region found that while businesses increasingly are leveraging cloud platforms, many remain apprehensive and have not yet taken full advantage of cloud computing.[9] Nonetheless, a recent survey commissioned by NTT Communications and conducted by IDG Research Services found that 28 percent of APAC IT decision makers have implemented clouds in one or more locations, while 31 percent plan to implement clouds in the next 12 months, and 26 percent look to pilot-test cloud projects.[10] A persistent concern of Chief Information Security Officers (CISOs) in many organizations is heightened vulnerability to security breaches in a cloud computing environment.[11] Cloud computing also can complicate compliance with privacy laws, since data can be physically stored almost any place in the world and some privacy laws have strict cross-border requirements.

Mobile devices such as smartphones and tablets present a host of data security challenges, not the least being that they are prone to being lost or stolen. Use of these devices is very high in the Asia-Pacific region. APAC markets have the highest penetration of mobile phones in the world,[12] and consultancy IDC notes that “Australia, Hong Kong, Korea, and Singapore spearhead the move toward new technologies and usage patterns that are often eventually adopted by markets all over the world.”[13] People often use their personal devices for work purposes, requiring companies to implement Bring Your Own Device (BYOD) policies. Research by BT shows that Asian IT professionals lead their European and North American counterparts in implementing BYOD policies: 96 percent of Chinese and 91 percent of Singaporean IT managers reported that they were currently rolling out BYOD or will be in the next two years. The global average is 81 percent, according to BT.[14]

Figure: Sources of Compromised Data: Japan (Source: Ponemon Institute)

The cost of a data breach

Every category of cyber-related event has costs associated with it. A DDoS attack, for example, can block access to a company’s website, preventing transactions from taking place and potentially causing damage to the target company’s reputation. The most costly events, however, typically are assaults on a company’s systems by criminals to access valuable data. Such a breach can cost a large organization hundreds of millions of dollars.

The total cost of a breach is the sum of the following components:

• Expenses related to identifying and repairing the breach
• Business interruption costs
• Fines and penalties
• Notification costs
• Credit monitoring or related costs
• Costs of public relations firms and other consultants
• Litigation costs
• Other legal expenses
• Lost business due to damaged brand or reputation

The cost of a breach will vary by its nature and the type of data involved. Cost also will vary by the country in which the breach occurs and where affected customers are located. Fines and penalties, for example, vary widely by country. In the United States, disclosure of healthcare information in violation of the Health Insurance Portability and Accountability Act (HIPAA) has resulted in settlements in the millions of dollars. Companies doing business in Europe face even more draconian fines – as high as 2 percent of yearly global sales for mishandling or losing personal data under proposed European Union privacy rules. Regulators in a number of Asian countries, including Hong Kong, South Korea and Taiwan, also are empowered to levy fines.

The process of identifying and repairing a breach, what Ponemon calls “detection and escalation,” would logically seem to be the cost least subject to variation by country. Ponemon statistics imply just the opposite – these costs vary tremendously, ranging from an average per breach of USD $0.3 million in India to USD $1.2 million in Germany. Japan, the only Asia-Pacific country represented in Ponemon’s global data breach study, fell squarely in the middle, with an average cost of USD $0.7 million per breach.[15]

Another factor that varies widely by country is breach notification costs. The United States, with notification laws in 46 of 50 states, plus certain federal notification requirements, far exceeds every other country for notification costs, with an average cost of more than USD $500,000 per breach. This compares to less than USD $100,000 for Japan.[16] Privacy laws in several Asian countries, including the Philippines, South Korea and Japan, contain breach notification provisions.


Litigation costs also vary materially by country. The United States is notorious for being highly litigious, and companies that have experienced data breaches have frequently been sued by those whose information was compromised. U.S. courts, however, have generally been reluctant to award damages unless plaintiffs are able to prove they suffered a loss as a result of a breach.

While litigation may be more likely in the United States than elsewhere, Asian companies should not assume they will not be sued. Individuals have the right to bring action against data handlers under the laws of some Asian countries, including Taiwan and South Korea, both of which permit collective/class action suits. In an important recent development, the Seoul Western District Court in Korea ruled in favor of 2,882 petitioners who filed a collective action against SK Communications, a telecommunications operator, for a breach involving personal data in its possession. Importantly, the breach was not caused by intentional misconduct, but rather by carelessness and mismanagement. This appears to be the first such ruling in Asia.[17]

One of the most significant – though difficult to quantify – sources of loss following a data breach is lost revenue due to a damaged reputation. Reputation and brand image are among an organization’s most valuable assets, and are highly vulnerable to negative events, including a data breach. Studies have shown that customers often are reluctant to do business with a company that has experienced a large data breach, especially if it was their own information that was lost.

“Having a robust incident response plan in place to mitigate any reputational damage that may occur as a result of a breach is critical,” according to Lori Bailey, Global Head of Professional Liability, Zurich General Insurance. Underscoring that point, a 2012 Ponemon Institute study, sponsored by Experian’s Data Breach Resolution, found that depending upon the nature of the breach, the value of brand and reputation could decline between 17 percent and 31 percent.[18] Another Ponemon Institute study on the costs of a data breach to Japanese companies found that lost business was the single largest component of the total per-record cost of a breach in Japan.[19] Despite the potential damage to brand and reputation that can be caused by a breach, the 2012 Carnegie Mellon CyLab Governance survey found that board-level attention to this issue is generally inadequate at companies throughout the world.[20]

Data security and privacy regulation in the Asia-Pacific Region

Asia, and especially the Asia-Pacific region, is undergoing rapid economic growth. As Asia becomes more prosperous, the need for privacy and data security regulation grows. Some countries have comparatively well-developed regulatory frameworks already in place, while others are at early stages of passing privacy legislation and building the regulatory infrastructure to implement and enforce it. Differing approaches and stages of development by country, as well as limited experience by regulators, can create compliance challenges.


“Privacy” and “data security” are separate but overlapping topics. “Privacy” concerns the rights of individuals to retain control over their personal information, while “data security” addresses the means of keeping secure not only private information on individuals, but also all other information contained in an organization’s databases. From a regulatory perspective, governments are most concerned about protecting the privacy of their citizens. Some countries have specific data protection laws, focused most specifically on personal information, while many other countries have passed privacy laws that sometimes contain certain data security requirements. Most Asian governments now have implemented some form of privacy regulation, many with significant implications for data security.

Below is a brief summary of privacy regulation in Asia.[21]

Australia. Privacy regulation is at a mature level in Australia. The federal Privacy Act regulates “information privacy.” Australia recognizes the concept of sensitive personal information, and comparatively strict consent, use and security requirements are in force. The law does not require breach notification. While the federal regulatory system is mature, it is relatively toothless; there are no fines for non-compliance. Major changes to the Privacy Act will come into effect in March 2014, including fines of up to AUD $1.1 million. Various state laws also regulate privacy.

China. China’s privacy regulation is weak. Specific privacy and data protection laws have not been passed; what little law applies to this realm is embedded in various other laws governing business conduct.

Hong Kong. An amendment to Hong Kong’s Personal Data (Privacy) Ordinance, many provisions of which became effective on October 21, 2012, establishes a number of changes and new requirements. Most significantly, the amendment imposes increased notification and consent requirements for data users, and enables fines and potentially significant criminal penalties for data users that violate these requirements. DLA Piper designates Hong Kong as a “mature data privacy jurisdiction.”

Japan. Japan’s Personal Information Protection Law (PIPL) applies to any company with offices in Japan that holds personal data on 5,000 or more individuals, including employees. Enforcement is the responsibility of the ministries of each industry sector. Explicit consent is required for all disclosure of information to third parties. Businesses are held responsible for unauthorized use or disclosure of data and must notify the affected individuals of any breach of privacy. Fines and prison sentences of up to one year can be imposed under the law.

Malaysia. The Personal Data Protection (PDP) Act 2010 became operational January 1, 2013. The Act makes it illegal for commercial organizations to sell personal information or allow the use of such data by third parties. Infringement can result in fines or imprisonment of up to a year.

New Zealand. New Zealand has a mature regulatory system, but it is limited in its scope by the fact that the country does not have a statutory sensitive personal data concept. The Privacy Act 1993, however, does govern the handling of private information by agencies. The principal regulator, the Privacy Commissioner, has no authority to levy fines for non-compliance, but cases may be referred to the Human Rights Review Tribunal, which has the authority to award a range of remedies including damages. Breach notification is not required.


The Philippines. The Data Privacy Act of 2012 establishes privacy as a fundamental human right, and imposes strict obligations on the use of personal data. The Philippines is one of a handful of countries in Asia to have a breach notification requirement, which applies to information that can be used for identity fraud. Fines and prison sentences of up to six years can be imposed for violations.

Singapore. The Personal Data Protection Act (“PDPA”) was passed by the Singapore Parliament in October 2012 and became law in January 2013. As passed, the law is a general framework, with Singapore’s Personal Data Protection Commission now issuing guidelines for implementation. The bill does not contain a definition of sensitive personal information, nor does it impose any special requirements for the handling of such information. Additionally, there is no generally applicable breach notification requirement. In principle, special data protection requirements will be determined on a sector-by-sector basis by appropriate regulatory agencies.

South Korea. South Korea’s Personal Information Protection Act (PIPA), which came into force on September 30, 2011, has been described as the “strictest in the world.” Express consent is required for collecting or transferring data, breach notification is required, the concept of sensitive personal information is recognized, and the law has provisions for both fines and prison sentences for violations. Individuals may sue data handlers for damages resulting from their breach of PIPA provisions.

Taiwan. The Personal Data Protection Act provides protection to personal data across all public and private entities and across all sectors. Medical information, genetic information, sex life, health examinations and criminal records are subject to a higher level of protection. Fines of up to NT$1 million can be levied against individuals or enterprises who profit from the collection, processing or use of personal data, or they may face a term of imprisonment of up to five years. Class action legal proceedings against parties who violate the law are permissible under the new Act.

Of course, in a globalized economy, many APAC companies do business not only in Asia, but throughout the world. As a result they may be subject to privacy and data security laws in other countries in which they do business. This includes 46 separate state data breach notification laws in the United States. Asian companies with securities registered in the United States also are subject to Securities and Exchange Commission guidance on disclosing data breaches and other material data security information. Europe has historically been protective of personal information, and the European Union now is considering far-reaching privacy regulations that would give citizens of its member countries increased control over how their personal data is used.

Law firm DLA Piper recommends a holistic regional approach to developing a compliance program that recognizes cultural “quirks” of each Asian jurisdiction, but avoids approaching compliance on a country-by-country basis. The firm also recommends that organizations strive for the “gold standard” in compliance, and not fall into the trap of complying on a de minimis basis in each country in which they operate.[22]


Experts agree that most organizations around the world can do much more to manage their privacy and data security exposures. Asian companies in particular could benefit from more attention and greater resources being dedicated to implementing comprehensive data security programs. The regulatory environment throughout Asia has been comparatively weak, which may have contributed to a lack of urgency in addressing data security issues. Throughout the region, however, regulations are becoming more stringent, with a number of countries imposing potential criminal liability for violations of privacy laws. “Risk awareness to a large extent is driven by in-country legislative developments to protect the consumer, personal data and rights of the consumer to privacy,” according to Aon Risk Solutions’ Wood. “New pro-consumer laws are driving risk awareness to a new and unprecedented level.” Furthermore, many large Asian companies operate on a global basis, and may be subject to far more onerous regulations in other countries in which they do business. A Ponemon Institute study found that regulatory compliance was the top reason for IT security funding for UK companies.[23] It is expected that compliance increasingly will be a significant driver of data security initiatives in the APAC region as well.

Regulatory issues often motivate heightened attention to data security issues. The potential costs of regulatory non-compliance, however, often are dwarfed by other significant costs associated with a data breach. Fines may run in the hundreds of thousands, or perhaps even millions, of dollars, but a large data breach can cost a company hundreds of millions of dollars. A 2007 data breach at U.S. retailer TJX, in which more than 45 million credit and debit card numbers were stolen, is estimated to have cost the company more than USD $250 million.[24] Damage to brand or a company’s reputation is one of the most significant exposures. “The Zurich/Advisen surveys of risk managers have found that reputational risk consistently is viewed as the highest risk an organization can face,” according to Zurich’s Bailey.

On a positive note for Asian companies, the 2012 Carnegie Mellon CyLab Governance survey found that 76 percent of Asian companies have a board risk committee responsible for privacy and security, which exceeds both North America and Europe. Asian companies also surpassed European companies, and compared favorably to U.S. companies, as concerns board-level attention to IT operations, computer and information security, and vendor management (though the report notes that for all regions, the level of board attention to these matters is insufficient to assure a robust information security program).[25] In fact, from a board-level governance perspective, Asian companies overall scored very well compared to companies elsewhere in the world. It is perhaps surprising then that many data security experts believe that Asian companies often lag their Western counterparts in data security defenses and readiness to respond to a breach.[26]

One important area where Asian companies trail European and American companies is in the appointment of a Chief Information Security Officer. The Ponemon Institute has found that companies with a dedicated CISO, on average, have lower data breach costs. Asian organizations seemingly are behind their North American and European peers. Of the eight countries represented in Ponemon’s 2011 Cost of Data Breach Study: Global, Japan, the only APAC country included, had the lowest percentage of companies with a CISO.[27] The 2012 Carnegie Mellon CyLab Governance survey found that, at 52 percent, Asian companies are less likely to have a CISO or chief security officer compared to U.S. organizations at 58 percent and Europe at 72 percent.


The Ponemon Institute identifies a lack of enterprise collaboration as a “major barrier to tackling risk and privacy challenges.”[28] Cooperation by almost every department in an organization is now viewed as important to a successful data security program. Surveys of risk managers in Europe and North America conducted by Advisen Ltd. on behalf of Zurich found that most companies now have implemented, or are in the process of implementing, enterprise-wide solutions that encompass not only technological solutions such as firewalls and encryption, but also business policies on information access and usage, as well as employee education. “What once was viewed as exclusively an ‘IT issue’ now has far-reaching effects across an organization, so management of the entire risk is crucial to success,” according to Bailey.

An action recommended in the 2012 Carnegie Mellon CyLab Governance survey to improve an organization’s security posture and reduce risk is to establish a cross-organizational team to coordinate and communicate on privacy and security issues. According to respondents to the Zurich/Advisen surveys, many U.S. and European organizations now have created data security teams or committees with representatives from throughout the organization, including the risk management department. “The risk manager is often viewed as the conduit to providing a holistic risk management approach to security and privacy risk across all areas of an organization,” explained Bailey.

Half of European respondents to the Zurich/Advisen survey claimed their organization takes a multi-departmental approach to their information security risk management efforts, and more than 60 percent of U.S. respondents said their organization has a multi-departmental information security risk management team or committee. The insurance/risk management department was included as a part of the multi-departmental team in nearly 80 percent of U.S. organizations that have such a team. While no similar survey has been conducted of Asian companies, anecdotal evidence suggests that such an enterprise-wide approach to data security is less common, and that risk managers are less likely to be significantly involved in data security issues.

Increasingly, companies recognize that there is no foolproof solution to data security. Although some experts contend that 90 percent of breaches could be avoided by following security basics,[29] motivated hackers have demonstrated that even the world’s most heavily guarded systems are vulnerable. Companies need to make a concerted effort to protect their information assets, but they also should consider insurance protection for those situations where valuable data is compromised, or if their business otherwise falls victim to cyber predators. Many policies now provide not only indemnification for the costs associated with a covered event, but also access to experts who can provide essential support following a data breach.

Figure: % Companies w. Multi-departmental Teams (Source: Advisen/Zurich)

Insurance for costs associated with data breaches and related events now is provided by about 50 insurers

worldwide, according to Advisen data, with many of the leading global insurers now offering coverage to Asian

organizations. The most recent Zurich/Advisen surveys, however, indicate that only 44 percent of U.S. companies

and 12 percent of European companies purchase coverage. Nonetheless, these numbers are up from 35 percent

and 8 percent respectively the prior year, and represent an environment of increasing awareness about insur-

ance products and capabilities. Anecdotal information suggests that even fewer Asian companies buy insurance,

although Asian firms were nearly identical with American and European firms as concerns board level involvement

with cyber insurance issues.30

Conclusion

Cyber criminals respect no national borders or regional boundaries. Companies everywhere are exposed to similar threats. Nonetheless, the ways in which organizations respond to these threats vary by region. Asian organizations score well in comparison to European and U.S. companies as regards board-level attention to data security issues. Asian organizations also outperform European and U.S. companies in implementing BYOD policies, which help to address one of the most vexing new data security issues. However, many data security experts concur that Asian organizations lag their European and American peers in some other aspects of deploying effective data and privacy protections.

Weak or nonexistent privacy laws and regulations are an often-cited reason for a lack of urgency on the part of many Asia-Pacific organizations. That situation has changed dramatically over the past several years, however, with most countries in the region now having privacy laws on the books and a regulatory infrastructure in place to enforce them. More companies are giving greater emphasis to privacy and data security issues, but experts warn that many still are doing too little, too late.

Data security authorities widely agree that data security and privacy protection no longer are exclusively IT matters. These issues involve an entire organization, and require an enterprise-wide solution. A growing number of organizations have created data security committees or teams with representation from throughout the organization, including the insurance/risk management department. Privacy protection and data security are new domains for many risk managers, but ones where their skill sets can prove valuable.

Risk managers also are in a position to assess the value of cyber-related insurance products, since data security measures will never provide 100 percent protection. Insurance not only provides indemnification for many costs incurred in a data breach or other cyber incident; many insurers also offer ready access to professional services that can help mitigate the negative consequences of a breach. “The risks are real, security is continually being challenged and risk transfer solutions are developing,” concludes Aon Risk Solutions’ Wood. “It is an exciting area to watch.”



NOTES:

1 “Anonymous hacks Japanese govt sites,” ZDNet http://www.zdnet.com/anonymous-hacks-japanese-govt-sites-2062305268/

2 “Asia ‘hotspot’ for DDoS attacks, but no need to overreact,” ZDNet

3 Luckycat Redux: Inside an APT Campaign with Multiple Targets in India and Japan, Trend Micro Research Paper http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf

4 “Asian firms can do more to protect data,” ZDNet http://www.zdnet.com/asian-firms-can-do-more-to-protect-data-2062200286/

5 “Asian firms can do more to protect data,” ZDNet http://www.zdnet.com/asian-firms-can-do-more-to-protect-data-2062200286/

6 “’10 years’ before Asia’s biz security catches up to US,” ZDNet http://www.zdnet.com/10-years-before-asias-biz-security-catches-up-to-us-2062304736/

7 “Companies invest in the wrong IT security tools, report says,” Finance Tech News http://www.financetechnews.com/wrong-it-security-tools/

8 2011 Cost of Data Breach Study: Japan, Ponemon Institute, March 2012 http://www.ponemon.org/local/upload/file/2011_%20CODB_JP_Final_5.pdf

9 Special Report: The State of Cloud Computing Security in Asia, Trend Micro http://www.trendmicro.com/cloud-content/us/pdfs/about/white-papers/wp_state-of-cloud-computing-security-in-asia.pdf

10 Cited in “Are hybrid clouds the secret weapon of Asia Pacific enterprises?” Computerworld http://www.computerworld.com/s/article/9233280/Are_hybrid_clouds_the_secret_weapon_of_Asia_Pacific_enterprises_

11 The Notorious Nine: Cloud Computing Top Threats in 2013, Cloud Security Alliance https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf

12 “Asia-Pacific has the highest penetration of mobile phones in the world,” TNW http://thenextweb.com/asia/2011/09/02/asia-pacific-has-the-highest-penetration-of-mobile-phones-in-the-world/

13 “Asia/Pacific Quarterly Mobile Phone Tracker,” IDC http://www.idc.com/tracker/showproductinfo.jsp?prod_id=103#.UUbR6Ibiax2

14 “Asia leads global BYOD race,” The Register http://www.theregister.co.uk/2012/05/17/asia_byod_bt/

15 2011 Cost of Data Breach Study: Global, Ponemon Institute http://www.symantec.com/content/en/us/about/media/pdfs/b-ponemon-2011-cost-of-data-breach-global.en-us.pdf

16 2011 Cost of Data Breach Study: Global, Ponemon Institute http://www.symantec.com/content/en/us/about/media/pdfs/b-ponemon-2011-cost-of-data-breach-global.en-us.pdf

17 “South Korea Court Opens the Door for Unintentional Data Breach Collective Actions,” Data Privacy Monitor, BakerHostetler http://www.dataprivacymonitor.com/international-privacy-law/

18 “How data breaches harm reputations,” Experian http://www.experian.com/blogs/data-breach/2012/01/17/how-data-breaches-harm-reputations/

19 2011 Cost of Data Breach Study: Japan, Ponemon Institute, March 2012 http://www.ponemon.org/local/upload/file/2011_%20CODB_JP_Final_5.pdf

20 Governance of Enterprise Security: CyLab 2012 Report, Carnegie Mellon University and CyLab http://www.rsa.com/innovation/docs/CMU-GOVERNANCE-RPT-2012-FINAL.pdf

21 Sources: “Data Protection Under the Rising Sun: Rising Regimes in Asia,” DLA Piper Presentation to the IAPP Privacy Academy, 11 October 2012 https://www.privacyassociation.org/media/presentations/A12_Data_Protection_PPT.pdf; Korea’s New Act: Asia’s Toughest Data Privacy Law, Social Science Research Network http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2120983; Privacy Trends: Regulatory and Legal Considerations, presentation to North American CACS by Ken Leissler and Wayne Matus http://www.isaca.org/Education/Upcoming-Events/Documents/2012-NA-CACS-Presentations/223-nac2012.pdf; Privacy and Information Security Law Blog, Hunton & Williams http://www.huntonprivacyblog.com, entries on Hong Kong, South Korea, Philippines; Taiwan’s new Personal Data Protection Law, Baker & McKenzie http://www.bakermckenzie.com/RRTaiwanPersonalDataProtectionLawOct10/; “Personal Data Protection Act to come into force Jan 1,” thestar online http://thestar.com.my/news/story.asp?file=/2012/12/12/nation/20121212153344&sec=nation

22 “Data Protection Under the Rising Sun: Rising Regimes in Asia,” DLA Piper Presentation to the IAPP Privacy Academy, 11 October 2012 https://www.privacyassociation.org/media/presentations/A12_Data_Protection_PPT.pdf

23 Cited in “Motivations, trends and measurement of IT security spending,” Help Net Security http://www.net-security.org/secworld.php?id=14112

24 “Data theft: Top 5 most expensive data breaches,” The Christian Science Monitor http://www.csmonitor.com/Business/2011/0504/Data-theft-Top-5-most-expensive-data-breaches/3.-TJX-256-million-or-more

25 Governance of Enterprise Security: CyLab 2012 Report, Carnegie Mellon University and CyLab http://www.rsa.com/innovation/docs/CMU-GOVERNANCE-RPT-2012-FINAL.pdf

26 “’10 years’ before Asia’s biz security catches up to US,” ZDNet http://www.zdnet.com/10-years-before-asias-biz-security-catches-up-to-us-2062304736/

27 2011 Cost of Data Breach Study: Global, Ponemon Institute http://www.symantec.com/content/en/us/about/media/pdfs/b-ponemon-2011-cost-of-data-breach-global.en-us.pdf

28 The Role of Governance, Risk Management & Compliance in Organizations: Study of GRC practitioners, Ponemon Institute, sponsored by RSA http://www.emc.com/collateral/about/news/ponemon-report-egrc.pdf

29 “Corporate data too lucrative not to mine,” ZDNet http://www.zdnet.com/corporate-data-too-lucrative-not-to-mine-2062053191/

30 Governance of Enterprise Security: CyLab 2012 Report, Carnegie Mellon University and CyLab http://www.rsa.com/innovation/docs/CMU-GOVERNANCE-RPT-2012-FINAL.pdf