2023 Cyber Resilience Report
This is article 11 of 16 in this report.
October 11, 2023 / 7 minute read
APAC: Regulators and Companies Respond as Ransomware and Reputation Risks Intensify
Companies strengthen their overall cyber maturity as the level of cyber risk rises across Asia Pacific.
Key Takeaways
- In response to rising risk, overall client cyber maturity improved from “basic” to “managed.”
- Regulators respond to recent high-profile breaches, driving corporate governance and risk leaders to fortify their risk oversight.
- Global trends indicate that ransomware attacks are on the rise* and insurers respond by demanding more focus on controls that form a critical part of the underwriting process.
* “Buyer-Friendly Cyber and E&O Market: How to Take Advantage | Aon.” Report. Aon. May 2023.
Cyber risk emerged as one of the top five risks for business leaders in the Asia Pacific (APAC) region for the first time, as measured by Aon’s 2021 Global Risk Management survey (Aon’s Survey)1. It also ranked as the most critical future risk topic over the next five years in Aon’s Survey. Together, these findings help to represent the shifting threat landscape in the region and the C-suite’s perception that cyber presents a significant business operations risk. Results from Aon’s Cyber Quotient (CyQu)2 assessment also serve to reinforce that managing cyber risk is strategically important to top management, as clients reported that their overall cyber maturity improved from “basic” to “managed” (2.01 to 2.68 per the CyQu scoring methodology)3 across the years 2020 to 2022.
There appear to be three chief drivers of risk in the region. Geopolitical tensions elevated the importance of managing supply chain risks, including cyber-attacks on critical dependencies in supply networks; cyber vulnerabilities in digital supply chains; and the exfiltration of intellectual property from strategic suppliers. Supply chain risk is of particular concern for strategically important industries located at regional hotspots4. In response to this risk, CyQu data showed that, between 2020 and 2022, supply chain controls improved from the lowest CyQu maturity level, “initial,” to a “managed” state5.
Regulatory6,7,8 and reputational9,10 risk drivers also intensified across the region. The prevalence of reputational crises following cyber incidents has intensified demands for improved corporate governance and for risk leaders to play a more active role in cyber risk management. Recent high-profile data breaches in Australia and Asia11,12,13 impacted financial performance, attracted adverse regulatory scrutiny, eroded shareholder value and exposed corporate officers14. In response, a variety of industry, privacy, and consumer protection regulators in Singapore, Thailand, China, Vietnam, Australia and Indonesia have signaled that they will increase data protection review and enforcement15. In response, governance of cyber risk and data protection controls appear to have improved across the region, with clients reporting growth from a “basic” to a “managed” level between 2020 and 2022. This change helps to signify a deeper focus on improving risk oversight and addressing privacy topics for business leaders.
As with other regions, organizations and the APAC insurance market perceived ransomware as the primary cyber threat16. Companies across revenue bands and sectors reported that core control domains responsible for managing cyber-triggered operational disruption — e.g., access management, business resilience and endpoint systems — improved markedly from “basic” to “managed” levels. This advancement tracks with the 40 percent decline in ransomware events in APAC for 2022 (year-over-year)17.
Industries in Perspective
This year, we examined three industries in more depth: manufacturing, finance and insurance, and healthcare. Companies across all three sectors reported an overall cyber posture of “managed” in 2022. The finance and insurance sector demonstrated the most significant gain since 2020, moving to “managed” from the lowest score, or “initial” (<1 on the CyQu scale) readiness.
Business resilience remained at a basic level for manufacturing companies. However, clients reported that business continuity management (BCM) improved. Organizations still need to manage the operational risks sufficiently, while remote working topics and third-party risk management remain particularly acute vulnerabilities due to the inherent challenges of protecting distributed operational technology networks, manufacturing services and workforces18.
In contrast, finance and insurance companies reported “advanced” maturity in third-party risk management, reflecting the region’s prudent regulatory focus on this topic. Risk management improved to “managed,” demonstrating growing alignment between security teams and traditional banking and financial industry operational risk and insurable risk frameworks19.
Healthcare companies reported “advanced” physical security. However, application security remains at an “initial” stage and presents a significant vulnerability given the growth of connected medical devices and the use of more advanced Internet of Things in the healthcare industry20.
Now What? Suggested Actions for Asia Pacific Leaders
- Update and strengthen governance frameworks and risk management strategies concerning cyber risk. Privacy regulations across the region are adapting to new data breach threats and emerging technologies, such as artificial intelligence21. As such, it is paramount that senior business leaders properly evidence the adoption of good governance and risk management of cyber threats per best practices and regulatory requirements. This action will not only improve the business’s risk profile but may serve to mitigate potential regulatory and shareholder actions in the event of a breach.
- Stay vigilant on ransomware threats. While companies in the region have performed well in combating ransomware threats, global trends indicate that ransomware attacks are on the increase (+38 percent Q1 2023 over Q4 2022)22. Continue to focus on security controls that mitigate ransomware attacks, particularly those controls that form a critical part of the insurance underwriting process.
- Remain forward-looking in the calibration of cyber risk strategies. A myriad of drivers will better shape the outlook for cyber risk in the Asia Pacific region, including ongoing and escalating geopolitical tensions, challenges associated with the reconfiguring of supply chains, and the adoption of emerging technologies (AI, biometrics, smart digital-physical tech in manufacturing and the built environment). Frequently stress test cyber risk strategies against a broad set of complex scenarios to help ensure you are keeping pace with the demands of these megatrends. Include frequent scenario testing of incident response, BCM and crisis management strategies. Extend this by testing insurance limits and policy coverages against similarly complex cyber risk events to help identify silent cyber exposures and risk opportunities to better protect the balance sheet and safeguard shareholder value.
References
1 “Cover – 2021 Global Risk Management Survey (aon.com)” Report. Aon. 2021.
2 Aon’s Cyber Quotient (CyQu). Patent-pending technology.
3 Behind the Data: Research Methodology (aon.com)
4 “Top conflict hot spots and crises in the world to worry about in 2023.” Tharoor, Ishaan. The Washington Post. Article. January 11, 2023.
5 Cyber Attacks on Supply Chains Are Causing a Widespread Impact (aon.com)
6 https://www.mofo.com/resources/insights/230130-new-wave-of-privacy-laws-in-the-apac-region
10 https://news.bloomberglaw.com/privacy-and-data-security/apra-intensifies-supervision-of-medibank-after-cyber-attack https://www.cnbc.com/2023/05/08/singapores-mas-imposes-additional-capital-requirement-on-dbs-bank.html
11 “Two Australian regulators open investigations into Optus after data breach.” Kay, Byron. Reuters. Article. October 11, 2022.
12 “APRA intensifies supervision of Medibank after cyberattack.” Libatique, Roxanne. Insurance Business Magazine. Article. November 29, 2022.
13 “APRAS tightening up on supply chain accountability.” Cela, Jessa and Harry, Dan. State of Flux. Blog.
14 “APRA expects boards to strengthen ability to oversee cyber resilience.” Article. Moody’s Analytics. November 23, 2021.
15 “Key changes in data privacy and cyber security laws across Southeast Asia.” Herbert Smith Freehills. Article. November 22, 2022.
16 “Buyer-Friendly Cyber and E&O Market: How to Take Advantage | Aon” Report. Aon. May 2023.
17 “Risk Based Security Data and Analysis.” Aon. Updated January 4, 2023.
18 “How Smart Manufacturing is Intensifying Business Risk” (aon.com)
19 Actions to Improve Cyber Resilience in Finance and Insurance Sector (aon.com)
20 Healthcare Cyber Profile Improved, but Resilience Work Remains (aon.com)
21 Regulations (current and forthcoming): Australia, Review of the Privacy Act (forthcoming 2023) and the Privacy Legislation Amendment (Enforcement and Other Measures) Act (enacted 2022); China, Personal Information Protection Law (enacted 2021); Indonesia, Personal Data Protection Act (enacted 2022); India, Digital Personal Data Protection Bill (proposed in 2022); Japan, Personal Information Protection Act (2022 amendments); Korea, Personal Information Protection Act (2023 amendments); Malaysia, Personal Data Protection Act 2010 (proposed 2022); New Zealand, Privacy Act 2020 (review anticipated 2023); Philippines, Guidelines on Administrative Fines (2022) published for the Data Privacy Act of 2012 (“PDPA”); Singapore, Personal Data Protection Act (enhanced financial penalties in 2022); Sri Lanka, Personal Data Protection Act No. 9 (enacted 2022); Thailand, Thai DPA measures and standards to implement the Personal Data Protection Act B.E, 2562 (2022); Vietnam, Decree on Protection of Personal Data (incoming).
22 “Buyer-Friendly Cyber and E&O Market: How to Take Advantage | Aon” Report. Aon. May 2023.
Insurance products and services are offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc. and Aon Risk Services, Inc. of Florida, and their licensed affiliates.
The information contained herein and the statements expressed are of a general nature, are not intended to address the circumstances of any particular individual or entity, and are provided for informational purposes only. This information is not a substitute for the advice of legal counsel or a cyber insurance professional and should not be relied upon for such purposes. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.