Legal influences on the cyber risk landscape
Legislation and regulation often lags technology, and this is particularly evident in the cyber security area where nations continually play catch up.
Enterprises operating internationally must navigate a global legal landscape in constant flux - They must also establish strategies for managing security and data that comply with regulations locally and regionally.
This is particularly challenging for companies migrating information systems to the cloud. While there may be scale, cost and flexibility benefits associated with cloud computing services, it is essential to review contracts regarding how data will be treated, and identify any potential security gaps.
Law firm DLA Piper has developed Cybertrak - to track legislative changes regionally. Organisations which operate in multiple jurisdictions must navigate complex rules surrounding privacy, data and security. Scott Thiel, DLA Piper partner specialising in technology and privacy, says that organisations operating in multiple jurisdictions need to decide whether to take a “high watermark approach” and establish security and privacy settings that meet the most stringent conditions in the countries they operate, or tackle the issue country by country.
Neither is ideal – the costs associated with meeting high watermark regulation across the region could be high – while a piecemeal approach could be difficult to maintain especially given the rapid pace of change. However, failing to address the issue properly is a mistake with potentially serious financial implications; witness the company sued for $HK 1.5 million over a consumer’s “hurt feelings” regarding unauthorised exposure of their data.
|Cyber rules around the region
- Australia: the anticipated arrival of a new Privacy Amendment Bill and mandatory data breach notification for serious breaches is expected to be a game changer.
- China: racing ahead in terms of regulations and has a Security Draft Law which will have significant implications for international companies operating in the PRC.
- Hong Kong: specific and stringent security requirements, while there are no data breach notification rules, these are expected in 12-18 months. The first person to be jailed for a privacy breach was a Hong Kong-based insurance broker.
- Singapore: legislation in place for over two years and more meaningful enforcement is anticipated, while regulations are expected to evolve particularly for foreign enterprises.
- Japan: a mix of regulations impacting various industries, but strong culture of compliance, meaning level of enforcement is low because of fear of reputational damage.
- South Korea: a long tradition of privacy and security law, and robust enforcement with serious enterprise consequence.
- Thailand: some constitutional requirements but no breach notification.
Beyond compliance there is the opportunity to leverage investment in cyber security and data protection to deliver competitive advantage especially following the Panama Papers leak which threw the issue into sharp relief.
Organisations pitching for work, responding to tenders, or planning an IPO may find it an advantage to be able to reference a comprehensive, even audited, data collection, storage and use strategy along with a well-constructed and rehearsed cyber security plan. That plan should leverage technology solutions and services such as encryption, penetration testing, and employee education along with an appropriate insurance framework to mitigate and transfer the risk of financial consequences associated with a breach.
In the event of a breach this also streamlines discussions with regulators. An enterprise able to identify where its data is stored (whether on premises or in the cloud) and also reference the technologies, policies and procedures in place to protect that data, should also then be able to identify where the plan proved lacking in the event of a breach and provide a voluntary undertaking to the regulator to fix that issue.
Says Thiel; “Institutional awareness of how systems hang together will speed root problem analysis and rectification.”
|In the event of a breach...
- Refer to the data breach response plan
- Call lawyers to preserve privilege
- Involve communications and PR team
- Alert insurers to the breach
- Seek advice from lawyers and insurers regarding extortion (ransomware) attempts before any payments
- Engage incident response team to analyse breach and remediate
Aon cyber security summit, Aug 16
Aon’s Cyber Risk Symposium held across Australia recently, delivered important clarity regarding the global threat environment. Working with partners DLA Piper and Symantec, and leading cyber security experts, Aon reflected on the legal influences on the cyber risk landscape and the technology solutions and strategies available. It also explored the growing role played by cyber insurance in underpinning safe and sustainable business models.
Aon plc (NYSE:AON) is a leading global provider of risk management, insurance brokerage and reinsurance brokerage, and human resources solutions and outsourcing services. Through its more than 72,000 colleagues worldwide, Aon unites to empower results for clients in over 120 countries via innovative risk and people solutions. For further information on our capabilities and to learn how we empower results for clients, please visit: http://aon.mediaroom.com.