During the recent ‘Norton Rose Fulbright Media Roundtable: Data Protection and Cybersecurity’ media briefing, three experts from the law firm, with expertise in cybersecurity technology and regulation issues, answered various questions from the media.
The speakers from Norton Rose Fulbright LLP included Anna Gamvros (Head of Data Protection, Privacy and Cybersecurity, Asia Pacific), Stella Cramer (Head of Technology and Innovation, Asia Pacific and Head of FinTech, SE Asia) and Steven Hadwin (Director, Head of Operations - Data Protection, Privacy and Cybersecurity).
During the session, the experts discussed the impact of COVID-19 and the need for increased cyber resilience, data breach liability and enforcement trends in Asia and globally. They also touched on rapidly evolving risks such as ransomware.
To start the discussion, they listed some of the biggest cyber and data security risks and threats in the region and globally, and how they have evolved over the years. Anna Gamvros observed that many organisations have rolled out new and temporary infrastructure to cope with increased demands during the pandemic.
According to Anna, these rollouts have often happened quickly or may have been implemented as a short-term fix. “Parts of the IT infrastructure may have been neglected to some extent, which may lead to exposing some vulnerabilities or leaving vulnerabilities available for threat actors. There has been a lot of exposing of vulnerabilities, particularly [with the] increase in remote working,” she added.
While the use of technologies such as cloud and IoT enables organisations to improve, grow and innovate, Stella Cramer mentioned that CEOs on the ground are quite concerned about the vulnerabilities and cyber risks around those technologies.
As the stakes get higher, the threats have also become greater. Stella claimed that there are now more sophisticated ransomware attacks, adding, “Threat actors are no longer just encrypting data – they are posting them. They are looking for the corporate [sector] that may have more sensitive data. They are looking at targeting in jurisdictions where there may be higher fines and penalties to really maximise the leverage on corporates to pay ransoms.”
With all these vulnerabilities and threats, the speakers were asked about the best ways for organisations to assess their exposure to these risks and mitigate them. Steve Hadwin said that while many companies are well prepared to respond to cyber incidents, their plans often assume on-premises environments.
“There is an assumption that face-to-face meetings can be convened, for example, which is no longer the case because people are all working remotely. There's now much greater reliance on the ongoing availability of various networks, which unfortunately is not always going to be possible in the event of a significant incident,” he explained. He also suggested that organisations start afresh from the perspective of large-scale remote working and make any changes that might be necessary.
In the case of APAC, organisations in the region are compelled to implement tighter security measures and governance for their data and systems, as regulators are now more particular in terms of handling cyber incidents and compliance.
When asked what trends she sees across Asia in terms of how regulators are handling breaches in the region, Anna said that there are significant powers in data protection laws in this part of the world.
“When you are reporting incidents, expect some kind of questioning or investigation following. The regulators themselves are becoming much more sophisticated in how they handle the investigations. They are not just asking questions. They are really looking into what security you have in place,” she stated.
This includes the technical setup organisations had for their cybersecurity, their history of past vulnerabilities and the processes they had to make sure the most robust security infrastructure was in place.
Anna ended by saying that there is also a focus on data retention. Organisations have to make sure to have better cyber hygiene with respect to how much data they are keeping. In addition, companies need to be transparent with their policies about how long they keep their data, and all of these steps can help organisations to keep up with regulations that are just getting tighter in the current digital landscape.