Attorney James North regularly stages mock “war games” exercises with clients to test how they would deal with a cyber attack. Over the past year, he’s gone from doing these exercises typically once a month to almost every week.
North, who heads technology, media and telecommunications at Australian law firm Corrs Chambers Westgarth, says cybersecurity has now become a top priority for many companies alongside environmental, social and governance issues. “There have been a lot of really significant attacks recently,” he warns. “Preparation is uneven throughout the economy.”
Cyber attacks are also growing in complexity. An annual report by the Australian Cyber Security Centre, a government agency, said in November that the country was exposed to increasingly sophisticated threats and had received more than 76,000 reports of cybercrimes between June 2021 and July 2022, a 13% increase from the previous year.
Cyber attacks such as the one that targeted Optus, a Singapore-owned telecommunications company, and exposed the personal data of millions of customers in Australia last September, pushed the Australian government to introduce harder measures, such as increasing the maximum penalties for serious violations.
At the same time, public and private organizations are stepping up their responses and turning to law firms to navigate the rapidly changing regulatory landscape.
Corrs Chambers Westgarth Computer Service uses a multidisciplinary team including IT investigators, lawyers and crisis specialists to manage the legal, regulatory and communications fallout of a cyber attack.
North and his colleagues help clients “wargame” their responses to possible cyberattacks using “tabletop exercises,” observing how a realistic scenario might unfold.
“A tabletop exercise might be two to three hours long with a situation designed to represent two to three weeks in the aftermath of an attack,” he says. Participating customers are typically provided with a new set of facts every hour, representing different days after the attack, and must consider issues such as what administrators must do to fulfill their reporting and fiduciary duties, or whether a ransom should be legally paid to any cyber attackers.
North says a large-scale business response to any cyberattack is vital, rather than leaving any response solely to the IT team.
“Where it’s entrusted to the IT team, it may not include broader implications,” he explains. “They might wipe out a compromised server, so you might be dealing with a virus but you might also wipe out all access logs, which indicate what data was extracted and you might need it to meet regulatory goals.”
Concerns about cyber attacks and data breaches are becoming more prevalent in the Asia-Pacific territories. In a report examining the state of incident response to cyberattacks in the region, released by Kroll, the corporate intelligence group, in October 2022, data loss emerged as the top concern for 70% of business executives surveyed.
The report found that businesses in the region are “suffering from the impact of cyberattacks, but many have yet to develop adequate response plans or have regular access to relevant IT skills.”
Vietnam is preparing new data protection legislation while, in Thailand, the Personal Data Protection Act was passed in 2019 and went into effect last year, with some in the country expecting regulators to adopt an increasingly hard line against non-compliance.
Thailand’s new legislation requires any service that monitors the behavior of residents to have a local data privacy representative in the country. This provided an opportunity for Southeast Asian law firm Tilleke & Gibbins, which set up a digital solutions service in Thailand to act as a local representative for its existing clients, including Meta Platforms, the owner of Facebook.
Nop Chitranukroh, Thailand-based partner and head of business and commercial at Tilleke & Gibbins, says the service is designed to help existing customers like Meta by saving them from having to set up their own representative in Thailand: “We try to help existing customers that we know are compliant and become their local representative.”
He believes regulators are taking a tougher line as legislation shrinks. “Last year, when the law was implemented, the regulator’s approach was more educational,” he says. “This year, I expect the regulator to start imposing fines. They are starting to enforce more strictly.”
GDPR, the European data protection legislation, has been adopted as a global standard by many companies. Chitranukroh says customers with global operations who had already adopted GDPR found it easier to comply with the new regulations: “There were many things [they] needed to go through if they didn’t have [it].”
In India, a new digital personal data protection law is being introduced, six years after a landmark ruling by India’s supreme court in 2017, which upheld privacy as a fundamental right, in a ruling on the government’s digital identification system. The latest bill follows earlier drafts that have been criticized for giving government agencies too much space to access personal data without users’ consent.
Once the legislation is passed, public and private sector entities are likely to have a transition period of one to two years to comply with the new rules.
Law firm Khaitan & Co was called to participate in the first consultation held by India’s Ministry of Electronics and Information Technology to provide feedback on the bill.
Supratim Chakraborty, partner at Khaitan & Co, says companies familiar with the GDPR will likely be better prepared for the new legislation. “Many companies interact with Europe and are more aware of data protection. But some players might sit on the fence and see how that plays out,” he says.
However, as regulators and governments across the Asia-Pacific region are stepping up their game, so are cyber attackers.
“Businesses have to do more even if they are sophisticated – it only takes one person in an organization to make a mistake and click a link in an email linked to malware,” says North of Corrs Chambers Westgarth.