Regulators concerned about cyber attacks on financial services


Deloitte releases ‘Cyber regulation in Asia Pacific’ report

As cyber-attacks and data breaches become inevitable in today’s digital economies, some regulators in Asia-Pacific believe financial services are increasingly at risk of a systemic cyber event. As such events will pose a major threat to the financial system, across the region regulators are moving rapidly to strengthen their regulatory and supervisory capabilities.

According to Deloitte’s Cyber regulation in Asia Pacific report, released today, cyber-attacks globally and within Asia Pacific are increasing in frequency and sophistication. The cost of cybercrime is estimated to reach up to US$575bn a year[1], with financial services organisations a key target.

Kevin Nixon, Global & Asia-Pacific Leader, Centre for Regulatory Strategy, Deloitte said: “The financial system relies on confidentiality of data, protection of deposits, and provision of critical services. All of this has come under threat given the increase recently in the frequency of cyber-attacks.

“As financial institutions become more data-driven digital businesses and more financial services are delivered online, cyber risks are increasing. If these cyber risks and responses are not well managed, they could threaten the stability of the financial system.

“We believe that this means only those financial institutions with robust cyber security and cyber risk management will be able to maintain trust and enhance their competitive edge to retain customers.”

In response to these risks, regulators are considering appropriate standards and supervisory tools, and are actively urging firms to enhance capabilities so as to address these emerging threats. The Deloitte Cyber regulation in Asia Pacific report outlines a number of existing challenges Asia Pacific organisations face in relation to cyber security and examines how regulators across the region are seeking to tackle them.

Varied regulatory approaches

Although cyber threats cut across borders, regulatory approaches to cyber risk in Asia Pacific are varied and localised. “There are no significant steps yet taken towards harmonised standards across the region,” said Nixon. “Financial institutions struggle to understand the regulatory differences at a country level or be aware of emerging threats so as to design cyber risk programs that are coherent and robust across jurisdictions. However, fortunately, there is a general consistency with regulatory approaches going beyond just security to focus on governance, vigilance and response.”

Outsourcing work

The need to defend against outsourcing risk is an emerging and growing area of concern, in particular for those economies where IT services are widely contracted out to jurisdictions with weaker cyber security regimes.

Lack of human resources capabilities

The fact that financial institutions operating in Asia Pacific are short on dedicated IT security specialists and cyber professionals means there is difficulty in staying up to date with the pace of change in the cyber landscape. Another challenge is that many financial institutions lack management recognition or understanding of the importance of cyber security and so can fail to adopt a coordinated approach across functions.

The Deloitte report provides insights into developing a framework for overcoming these challenges and for strengthening cyber resilience.

James Nunn-Price, Asia-Pacific Cyber Risk Leader, Deloitte said: “Cyber-attacks are inevitable, and once regulators and organisations accept this, they can focus on building holistic, dynamic, enterprise wide cyber risk programs that are continually tested and updated to allow for agility and swift recovery.

“Strategies that enhance security, enable organisations to stay vigilant for emerging threats, ensure a flow of insights through to the cyber ecosystem and attract senior support and oversight will be the ones that best position financial institutions to stay ahead of regulatory expectations.”

Beyond this, industry and regulators should work together to further the development of cyber skills and expertise, to foster common standards and approaches, to support information sharing and to facilitate coordinated responses to incidents and attacks.

For more information, please visit the Deloitte Asia Pacific Centre for Regulatory Strategy and Deloitte Cyber Intelligence Centre.

[1] Symantec Internet Security Threat Report Volume 21 (April 2016) https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about to learn more about our global network of member firms.

Deloitte provides audit, consulting, financial advisory, risk advisory, tax and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500® companies through a globally connected network of member firms in more than 150 countries bringing world-class capabilities, insights, and high-quality service to address clients’ most complex business challenges. To learn more about how Deloitte’s approximately 225,000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter.

About Deloitte Australia
In Australia, the member firm is the Australian partnership of Deloitte Touche Tohmatsu. As one of Australia’s leading professional services firms, and winner of both the Australian Financial Review/CFO Audit Firm of the Year and Accounting Firm of the Year awards 2013, Deloitte Touche Tohmatsu and its affiliates provide audit, tax, consulting, and financial advisory services through approximately 6,000 people across the country. Focused on the creation of value and growth, and known as an employer of choice for innovative human resources programs, we are dedicated to helping our clients and our people excel. For more information, please visit Deloitte’s web site at www.deloitte.com.au.

About Deloitte’s Centre for Regulatory Strategy
The Deloitte Centre for Regulatory Strategy is a source of critical insights and advice, designed to assist the world’s largest financial institutions manage the strategic and aggregate impact of regional and international regulatory policy. With regional hubs in the Americas, Asia Pacific and EMEA, the Centre combines the strength of Deloitte’s network of experienced risk, regulatory, and industry professionals — including a deep roster of former regulators, industry specialists, and business advisers — with a rich understanding of the impact of regulations on business models and strategy. The Centre is led by some of Deloitte’s most prominent risk & regulatory experts including Kevin Nixon, David Strachan and Christopher Spoth.

About Deloitte’s Cyber Intelligence Centre
Deloitte’s Cyber Intelligence Centre integrates leading technology with the experience and knowledge of our cyber-security analysts to provide relevant business intelligence to help protect your organisation against cyber-threats. The Cyber Intelligence Centre offers clients the following services and solutions:

  • Cyber Watch

Adopt an intelligence-led approach to managing cyber risk. Cyber Watch provides advanced online internet surveillance and reconnaissance so you’re aware of active or growing external threats targeting your organisation and detailed information leakage.

  • Cyber Monitor

Building on Cyber Watch, Cyber Monitor provides an advanced security information and event management (SIEM) solution that consumes and monitors your logs for the presence of compliance and cyber-security issues providing the added internal threat analysis and business context to enable response.

  • Cyber Respond

Effective outsourced retained or on-demand cyber-incident response service coordinating fast, thorough, decisive response activity including advanced malware, cyber incident response team (CIRT) and forensic investigation capability to minimise the impact of a breach and likelihood of future cyber-attacks.

  • Cyber Check

Cyber Check conducts personalised online vulnerability scanning and management to discover and fix these vulnerabilities before hackers do, allowing you to secure critical business assets.

  • Cyber Govern

A managed governance, risk and compliance capability, which can capture, coordinate, and assess the security risk and compliance issues within a business, as well as benchmark across industries.

  • Cyber Prepare

Methods, processes, capability and enablers to ensure cyber readiness and preparation at all levels of the organisation. This includes executive reporting, resiliency, and other programs.

  • Cyber Protect

A data loss prevention and advanced persistent threat (APT) solution that monitors sensitive information as it flows across and out of your network, alerting you to compliance or cyber security issues.

  • Digital Identity Services

A managed identity service that provides organisations with effective and efficient lifecycle processes, privileged access management and also builds online digital trust between an organisation and its customers.

Liability limited by a scheme approved under Professional Standards Legislation.
