
CYBER EVOLUTION
WHITE PAPER
En Route to Strengthening Resilience in Asia-Pacific

CONTENTS

Executive Summary
The shifting cyber threat landscape across Asia-Pacific
Recent cyber trends in Asia-Pacific
Key drivers of cyber challenges in Asia-Pacific
Asia-Pacific’s evolving regulatory climate
How companies can build cyber resilience
A call to action

AUTHORS

Jaclyn Yeo, Senior Research Analyst, MMC Asia Pacific Risk [email protected] van der Ende, Vice President, Asia Pacific & Japan, Mandiant, a FireEye Eye

Bryce Boland, Vivek Chudgar, Patty Hullinger, Patrick Neighorn, Tony Sapienza, Lynn Thorne, Timothy Wellsmore

Marsh & McLennan Companies
Matthew McCabe, Marsh, US
Stephen R Vina, Marsh, US
Richard D Green, Marsh, Asia
Douglas Ure, Marsh Risk Consulting, Asia
Kelly Butler, Marsh, Australia
Leslie Chacko, MMC Global Risk Center
Wolfram Hedrich, MMC Asia Pacific Risk Center

Executive Summary

The cyber threat landscape is morphing constantly and dramatically. Around the world, cyber dependency grows as increasing digital interconnection among people, things, and organizations expands. Asia-Pacific (APAC) is no different.

Cyber challenges in APAC, such as low cybersecurity investments and long dwell times, can be attributed to the complex geopolitical tensions, exposed critical infrastructure, and the severe shortage of cybersecurity talent in the region.

Knowing no boundaries, cyber incidents or data fraud and thefts that originate from North America or the European continent quickly impact APAC, inflicting significant financial and personal data losses, as well as severe business interruptions. These compound the effects of information infrastructure and network failures.

Fortunately, the regulatory climate in APAC is changing – slowly but surely. Although most APAC countries today are not legally obliged to report any cyber incidents and many remain silent, countries such as Singapore and Australia already have plans to adopt mandatory breach notification laws in 2018. The sooner governments and businesses recognize that today’s cyber landscape poses a top enterprise risk, the better prepared they can be to take active steps to address the inevitable breach.

Beyond currency volatility, political instability, and evolving regulations, conducting business across borders today involves more risks – and companies must add cyber to their list of risk concerns. Financial services, energy and utilities, and telecommunications are among the most investigated industries in APAC, highlighting the urgent need for higher awareness levels, stronger mitigation measures, and improved cybersecurity postures.

As trusted cyber advisers, FireEye and Marsh & McLennan Companies – each a leader in its own field – have collaborated to produce this white paper to help organizations across APAC build and strengthen their enterprise cyber resilience.

The shifting cyber threat landscape across Asia-Pacific

Cyber criminals and other threat actors with malicious intent are more sophisticated than ever, finding new and inventive ways to carry out attacks. Globally, more companies have accepted this reality and are proactively protecting themselves against cyber attackers. In general, companies are more likely to adopt a posture of continuous cybersecurity.[1]

The growing interconnectedness between the digital and physical worlds and the increasing dependence on IT systems have exponentially expanded the surface area for cyber attacks. This, coupled with the rising sophistication of cyber criminals, has evolved to become a major risk for enterprises and society. Besides dramatically increasing the value of information stored on network systems, the growing digital connectivity of people, things, and companies has given rise to more frequent cyber attacks, data fraud and theft, and compounded the effects of information infrastructure and network failure.

What does this mean for the APAC region?

The APAC region, which typically includes much of East Asia, South Asia, Southeast Asia, and Oceania, is heterogeneous and differs widely in terms of cybersecurity commitments and preparedness. According to the Global Cybersecurity Index 2017,[2] Singapore topped the world ranking in terms of its commitment to raise cybersecurity awareness, together with several APAC countries that scored relatively high on the index: Malaysia (3rd), Australia (7th), Japan (11th), and South Korea (13th). However, other key populous economies in Asia did not fare as well, such as India, China, and Indonesia, which ranked 23, 32, and 70 respectively.

Countries in APAC, in general, have fared relatively badly in dealing with these cybersecurity disruptions due to lower cyber awareness levels. The reasons for this are shown in Figure 1.

[1] The cybersecurity posture of an organization refers to its overall cybersecurity strength, relating to the Internet and the vulnerability to the external threats.
[2] BRINK News, 2017. Singapore tops global cybersecurity index.

Figure 1. Key attributes for low cyber awareness and insurance (Source: Asia Pacific Risk Center (APRC) analysis)

LOW CYBER RISK AWARENESS IN APAC

LEGACY SYSTEMS
- Long-standing business processes pose resistance to change
- Risk management often kept in-house
- Inertia towards allocating additional resources (i.e. time, budget) to cybersecurity technologies

LACK OF NECESSITY
- Inadequate regulations and legislation
- Apparent lack of urgency and severity
- No single standardized cybersecurity protocol or notification requirements for businesses to adhere

LACK OF GOOD QUALITY DATA
- Limited good quality actuarial data
- Challenge in measuring cyber risk exposure
- Lack of cybersecurity maturity and readiness
- Often over-priced cyber insurance with excess coverage that does not mitigate the risk effectively

Companies across the region can improve their cybersecurity in many ways. One crucial measure — dwell time — indicates that, in general, APAC companies lag well behind their global counterparts. Dwell time (Figure 2) — the amount of time (in days) between network intrusion and the detection of the threat actor — is highest in APAC when compared to the global average, as well as to the statistics for the Americas and for Europe, Middle East, and Africa (EMEA).

The typical time between an attacker compromising a secured network and the breach being detected (reported by FireEye as “median dwell time” in its annual M-Trends report[3]) amounted to 172 days in the APAC region during 2016. This is almost twice as long as the global median dwell time of 99 days in the same year. This indicates cyber criminals, on average, spend almost half a year undetected within the compromised network — assessing and stealing valuable data and disrupting critical operations before they are discovered.

The decreased dwell time in APAC from the previous year might be considered an improvement that is only partially attributed to better testing methodologies[4] (such as Red Teaming and Response Readiness Assessments to proactively understand security postures).

Attacks that are identified quickly — like ransomware and destructive wiper attacks — skew these statistics, but the difference is due to the changing nature of the attacks, and not the cybersecurity measures in place. APAC still has the highest dwell times due to a basic lack of investment in appropriate cybersecurity measures.

Moreover, the ever-evolving cyber risk landscape and lack of best practices around managing cyber risk posture further exacerbate these attacks. The threat of large cyber attacks has significantly increased in importance in 2017, according to the World Economic Forum’s 2017 Executive Opinion Survey,[5] an exclusive poll in which 12,400 executives across 136 countries identified the global and regional risks of highest concern for doing business in their countries.

Cyber risks have historically been among the top five risks for executives in East Asia and the Pacific, but the various high-profile cyber attacks in 2017 have prompted executives to pay closer attention to the potential damage these attacks may cause. Most notable among these incidents is the WannaCry ransomware attack in May 2017 that severely disrupted businesses in major Asian economies, with China, India and Vietnam reported to be among the 20 countries hit hardest globally.

[3] FireEye, 2017. M-Trends 2017: A View from the Front Lines.
[4] BRINK News, 2017. Singapore tops global cybersecurity index.
[5] BRINK News, 2017. Politics and cyber are rising concerns for business leaders.

[Figure 2. Asia-Pacific continues to report the world’s highest dwell times. Chart of median dwell times (in days) for Global, Americas, EMEA, and APAC; values shown: 172, 106, 99, 99. Dwell time: the time between an attacker compromising a secured network and the breach being detected. (Source: APRC analysis; FireEye M-Trends 2017)]

Recent cyber trends in Asia-Pacific

According to the Marsh/Microsoft Global Cyber Risk Perception Survey 2017, administered between July and August 2017, cyber attacks with financial motivations were perceived as the top cyber threats for international corporations across industry sectors in APAC (39 percent). With extortion for financial gain the key goal of stealing insider information or confidential intellectual property (see Figure 3), it is reasonable to expect that inventive cyber attack techniques will continue to emerge and evolve in the cyber risk landscape.

Companies operating in APAC are also concerned about insider threats on the whole. Respondents ranked employees or contractors with malicious intent, human error, third parties with access to the network systems, and operational errors as the next biggest threats (54 percent).

[Figure 3. Survey of corporations’ views on the top cyber threats when doing business across Asia-Pacific. Question: “With regard to a cyber attack that delivers destructive malware, which threat actor concerns you?” Response categories: politically motivated threat; operational error; third party with authorized access to your IT resources; employee or contractor with malicious intent; financially motivated threat; human error. Values shown: 10%, 6%, 14%, 39%, 15%, 15%. (Source: APRC; dataset from Marsh/Microsoft Global Cyber Risk Perception Survey)]

Often, external threats result in the data breaches that grab news headlines. While these breaches are often costly, external threats can generally be addressed with traditional security measures, such as gap analysis, firewalls, device and endpoint encryption, and vulnerability and patch management.

However, potential threats that originate from within the companies may often be more difficult to prevent, since they may unintentionally pose a threat to the internal network security. For example, some data breaches are due to human errors and are unintentional when someone falls for malicious phishing emails and clicks on infected links.

Regardless of how data breaches occur, to mitigate insider, outsider, intentional and unintentional threat risks, a more holistic approach to cybersecurity is essential in this evolving cyber threat landscape.

Globally, malicious external threats were the leading source of data breaches in the first half of 2017, as revealed by the latest breach level index.[6]

Figure 4 illustrates some of the most noteworthy data breaches and cyber incidents in the APAC region since June 2016.

Estimating the financial cost of WannaCry global ransomware

Global financial and economic loss estimates from the WannaCry attack that crippled systems across at least 150 countries[7] range from hundreds of millions to 4 billion, making it one of the most damaging incidents involving so-called “ransomware,” in which data from infected computers is encrypted and a cryptocurrency ransom payment is demanded for decryption of the data.

The attack is likely to make 2017 the worst year for ransomware scam victim organizations. Similar schemes have resulted in losses of up to 1 billion annually,[8] according to market researcher Cybersecurity Ventures. They include lost productivity, the cost of conducting forensic investigations, and data restoration and recovery.

While the potential losses from reduced productivity and efforts to mitigate the damage from WannaCry are markedly significant, the actual ransom collected is modest by comparison, totaling approximately 150,000. During the early stages of the attack, it was found that ransom payments did not result in a decryption key being provided, leaving most victims to rebuild and recover from backups or other sources rather than pay the ransom.

[6] Gemalto, 2017. Poor internet security practices take a toll – Findings from the first half 2017 (Breach Level Index).
[7] CBS News, 2017. Cyberattack hit more than 100,000 groups in at least 150 countries, Europol says.
[8] Cybersecurity Ventures, 2017. Cybercrime Report 2017 Edition.

Figure 4. Notable Breaches in APAC from 2016 to 2017 (Source: APRC)

2017 notable breaches and cyber incidents in Asia-Pacific

Global ransomware - Petya [13]
AUSTRALIA (JUN 2017)
Several Australian businesses, including courier companies, transportation systems, and legal firms, were hit by a vicious global ransomware attack that demanded 300 [14] in Bitcoin for each incident breach.

DDoS and business interruption [11]
SINGAPORE (OCT 2016)
Local telecommunications providers suffered a distributed denial-of-service (DDoS) attack on their domain name system, resulting in a service outage that disrupted internet connectivity amongst the 470,000 subscribers.

Phishing attacks by external actors [9]
AUSTRALIA (JUN 2016)
A large Australian firm suffered a significant breach from financially motivated cyber threat actors via phishing emails that targeted employees with access to financial systems. The attacker stole AU$1.2 million, but the actual total damage is estimated to be more than AU$2 million.

Global ransomware - WannaCry [12]
CHINA (MAY 2017)
More than 29,000 institutions were infected by the malware and 15% of universities' internet protocol addresses were attacked. Other critical information infrastructure affected were railway systems, hospitals, and government services.

Installed malware and data breach [10]
S. KOREA (JUL 2016)
The South Korean government was demanded ransom (more than US$2 billion) after personal identifiable information was leaked due to illegally installed malware in a large online shopping site.

[9] M-Trends 2017, Page 40. APAC Notable Breaches, June 2016.
[10] M-Trends, Page 40. APAC Notable Breaches, July 2017.
[11] Channel News Asia, 2016. DDoS attack on StarHub first of its kind on Singapore's Telco.
[12] AP News, May 2017. The Latest: 29,000 Chinese institutions hit by cyberattack.
[13] ABC News, 2017. Petya cyber attack: Ransomware virus hits computer servers across globe, Australian office affected.
[14] Straits Times, 2017. Cyberattack reaches Asia and Australia as new targets hit by ransomware demand.

Highly targeted industries in Asia-Pacific

Conducting business internationally has always involved additional risks. Besides currency volatility, political instability and evolving regulatory climates, businesses must add cyber risks to their list of concerns.

According to FireEye, financial services recorded the largest share of FireEye clients (31 percent) investigated in cyber attacks, while the other sectors are almost equally at risk, each recording between 5 – 10 percent. (See Figure 5.)

[Figure 5. Percentage of FireEye investigations in Asia-Pacific by industry. Sectors shown: Financial Services, Energy & Utilities, Telecommunications, High Tech, Retail & Hospitality, Manufacturing, Media & Entertainment, Business & Professional Services, Government, Transportation & Logistics, and Others. Values shown: 7%, 5%, 31%, 5%, 5%, 7%, 7%, 10%, 7%, 7%, 9%. Others include: Biotech & Pharmaceuticals, Healthcare, Construction & Engineering, and Non-profit. (Source: FireEye M-Trends 2017)]

The following industries in the APAC region currently appear to be at particular risk for cyber intrusion:

FINANCIAL SERVICES (31%)

Cyber crime is the greatest threat to the financial services industry. Victims often include a wide range of financial institutions, including banks, investment services, and insurance companies, among others. Developing trends in cyber crime include:

- Increases in attempted and successful exploitation of banks’ client-side connections, such as those used for interbank payment services
- Exploitation of payment card industry information and protocols
- Use of malware to bypass multi-factor authentication

Cyber espionage is another significant threat to the industry; financial services have seen attackers using a higher-than-average number of watering holes — such as compromised third-party websites trusted by members of the finance industry — to deliver malware and profile targets while appearing to deliver legitimate traffic. Threat actors use economic cyber espionage to acquire intellectual property and sensitive information for long-term economic advantages, either for themselves or on behalf of their sponsors, which can include nation-states or business competitors.[15]

[15] FireEye, 2017. Target Cyber Criminals to Stop Cyber Crime.

ENERGY AND UTILITIES (10%)

This industry faces cyber threats mostly from Advanced Persistent Threat (APT) groups that will likely attempt to steal IP to improve their state’s domestic infrastructure, or provide an advantage in negotiations with foreign companies. In the event of conflicts, APT groups may seek to assist their sponsoring government by disrupting an adversary’s energy supply and utility services, while interfering with its ability to provide its residents with essential public services.

Unlike cybercriminals intent on compromising organizations to steal and monetize clients’ personally identifiable information, payment card information, and customers’ credentials, attacks on the operational technology (OT) side of the industry focus primarily on disrupting systems such as industrial control systems that operate and control the generation and supply of fuel, electricity, and water. More notable and potentially far more severe, the OT side of this sector has seen threat levels increase significantly since 2014.

Attacks of this nature have far-reaching consequences that inconvenience a significant number of users. For example, in the 2015 Ukrainian utility attack, simultaneous localized power outages occurred across the country. This resulted in approximately 80,000 energy customers in one city enduring an outage for six hours,[16] while 125,000 energy customers in another city faced outages for two hours. Attackers appeared to be motivated mostly by geo-political agendas.

TELECOMMUNICATIONS (9%)

The telecommunications industry today provides a wide array of global services that connect millions of customers around the world; this diverse business ecosystem faces increasingly frequent cyber risks.

APT groups target the telecommunications industry in particular, given its prominent role in modern society and its importance to both the civilian and military spheres. They may also seek to gain access to clients’ networks, or conduct more traditional espionage activities related to surveillance. Other factors that may influence further targeting of the sector include:

- Greater numbers of devices and Internet of Things endpoints linked to the telecommunications network significantly expose vulnerabilities and increase the surface area for attacks
- The development of new technologies and processes often attracts APT groups engaging in economic espionage to benefit their sponsoring country’s domestic industry
- Disclosures regarding alleged involvement in espionage or surveillance may put telecommunications companies at risk of threats from hacktivists seeking to protest such activities and embarrass organizations involved

Across APAC, the three most-investigated industries — financial services, energy and utilities, and telecommunications — exemplify the urgent need for higher awareness levels, stronger mitigation measures, and improved cybersecurity postures. The share of targeted attacks in these industries is much lower in more cyber-mature regions such as the US, at 15, three and two percent, respectively.

[16] FireEye, 2017. Sandworm Team and the Ukrainian Power Authority Attacks.

Cyber risk perception in Asia-Pacific

While cyber is perceived as a top risk across APAC, this perception is inconsistent with the region’s level of preparedness.

More than half (58 percent) of the global respondents across major industries from the Marsh/Microsoft Global Cyber Risk Perception Survey 2017 rank cyber as one of the top five risks; almost two-thirds (65 percent) of respondents from larger companies with annual revenues of more than 5 billion prioritize cyber as one of the top five risks under their company’s risk register. Yet, quantifying cyber risk is a key roadblock businesses face.

The survey further revealed that more than half of the respondents doing business in Asia (54 percent) and Pacific (50 percent) either do not estimate or do not know whether they estimate the financial impact of a cyber incident. This suggests that their true cyber exposure remains unknown, and that these companies are unprepared for potential cyber attacks.

[Figure 6. Perception of corporations’ awareness of their organization’s cyber risk exposure. Question: “If your organization has estimated the financial impact of a cyber incident, what is the worst potential loss value?” Two panels: Asia (N = 474) and Pacific (N = 359). Response categories: less than 1 million; 1 - 10 million; 10 - 50 million; more than 50 million; I do not know; we have not estimated the financial impact of a cyber incident. Values shown: 10%, 18%, 11%, 19%, 35%, 12%, 18%, 8%, 9%, 10%, 17%, 33%. (Source: APRC; dataset from Marsh/Microsoft Global Cyber Risk Perception Survey)]

Key drivers of cyber challenges in Asia-Pacific

Several recent high-profile cyber attacks struck APAC and resulted in large-scale data and financial losses. Unsurprisingly, the most recent ransomware attack incurred significant costs in services and production disruptions as well as data recovery costs across the region.

The main causes for the region’s susceptibility to attacks are the lack of transparency requirements, a weak cyber-regulatory environment, low investment in information security, and long dwell times, which are direct results of the low level of cyber preparedness in APAC.

In addition to having a cybersecurity landscape that is less mature than in other regions, APAC must overcome several cybersecurity hurdles to improve its defenses.

Geopolitical tensions

Asia-Pacific is home to numerous geopolitical conflicts. These conflicts create uncertainty for governments, which in turn creates demand for information, which fuels cyber espionage and other intelligence information. Cyber espionage operations are mostly aimed at collecting information to understand adversaries’ tactics and capabilities, and to identify key decision makers. While government agencies are common targets, so are some private-sector organizations.

Exposed critical information infrastructure

No country today can credibly claim its entire critical information infrastructure (CII) system is well defended against cyber attacks. Cyber attacks against CII systems were not an important national consideration in most of APAC until recently, when attacks became more sophisticated with malicious intent. Thus, CII systems that manage utility plants, transportation networks, hospitals, and other essential services remain more vulnerable to increasingly frequent attacks. FireEye routinely observes state-linked offensive operations that could be part of forward military operations. Successful cyber attacks can adversely affect CII systems and disrupt essential services, in turn impacting business and consumer confidence levels.

Cybersecurity talent shortage

The worldwide spending on cyber defense products and services is forecast to exceed 1 trillion [17] from 2017 to 2021. The lack of human capital to drive these initiatives is another key roadblock. The global cybersecurity workforce continues to face a serious 1.5 million [18] talent shortage by 2020, amidst the recent cyber incidents, data breaches, and shifting industry dynamics and regulatory changes. As cyber risks become increasingly prevalent, companies must either find new recruitment channels, or raise and enhance awareness of cybersecurity among existing IT employees.

[17] Cybersecurity Ventures, 2017. Cybersecurity Market Report.
[18] Center for Cyber Safety and Education, 2017. Global information security workforce study 2017.

Asia-Pacific’s evolving regulatory climate

Limited information and disclosure regarding the scale and frequency of cyber attacks in the region may contribute to a false sense of security that could cost businesses dearly. Furthermore, most countries in Asia-Pacific today are not legally obliged to report any cyber incidents, and many remain silent—leading to the perception that cyber attacks are not as prevalent and severe as they truly are.

The transparency issue is further compounded by a lack of cybersecurity safeguards and standards. The collective result is that many companies in APAC are not aware of cyber risks and data breach consequences, underpinning the region’s susceptibility to cyber attacks.

Even in the United States, where mandatory breach notification laws were first enacted in 2003, timing requirements for notifying affected parties have often been inadequate and ambiguous. Companies are only required to disclose a breach to customers “as soon as possible.” By way of comparison, the proposed European General Data Protection Regulation mandates a breach notification within 72 hours.[19]

Further, recent severe data breach incidents in the US have revived the nation's cyber legislation debate over the timing for disclosure, and have catalysed amendments to data-breach notification laws in several states to notify affected parties "without reasonable delay" and within 30 days.[20] In addition, the legal and operational processes for confirming identities to prevent fraud need to be rethought.[21]

Progress is being made, however — especially among APAC-region countries that recently adopted similar data breach notification regulations. (See Figure 7.) Companies should work closely with their legal counsel when developing data privacy and security programs to ensure compliance with existing and emerging requirements.

[19] InterSoft Consulting, 2017. Art. 33 GDPR Notification of a personal data breach to the supervisory authority.
[20] Congressman Jim Langevin, Sep 2017. Langevin reintroduces the Personal Data Notification and Protection otection-act
[21] Oliver Wyman, 2017. The Equifax data breach and its impact on identity verification.

Figure 7. Recent regulations and their effect on companies doing business in APAC (Source: APRC analysis)

JAPAN
- Cybersecurity guidelines for business leadership (updated December 2016) - expect executives to take on greater role in cybersecurity
- Act on the Protection of Personal Information (amended May 2017) - new restrictions to the transfer of personal information beyond Japan

CHINA
- Cyber Security Law came into effect (June 2017)
- Intended to strengthen cyber regulations (data privacy and residency) but may create barriers to trade and innovation (data localization)

THAILAND
- Draft Cyber Security Bill released (July 2017)
- Increase national cyber activity surveillance

PHILIPPINES
- Department of Information and Communications Technology Act (May 2016)
- Plan, develop and promote the national ICT development agenda

INDONESIA
- Cyber Body and National Encryption Agency (June 2017)
- Created in response to the WannaCry ransomware attack

SINGAPORE
- Draft Cybersecurity Bill released for public consultation - includes mandatory notification to authorities and newly established information sharing framework
- Proposed changes to the Personal Data Protection Act (revised July 2017) - mandatory disclosure to customers

AUSTRALIA
- Privacy Amendment (Notifiable Data Breaches) Bill to be enacted in Feb 2018
- Australian organizations to publicly disclose any data breach to affected customers

How companies can build cyber resilience

Cybersecurity investment

To keep pace with today’s evolving threat landscape, companies shou
