Southeast Asia has seen significant increases in cybersecurity compliance and regulation over the past year, as countries mobilise against cyberattacks which continue to grow in frequency, sophistication, and severity.
Moving on from the pandemic has not been a walk in the park for businesses here, with 75% reporting to have fallen victim to at least one successful email attack in the last 12 months, often facing average costs of more than USD$1 million to recover from their most expensive attack.
As countries across the region update their legislation around cybersecurity and how companies handle and process personal data, it is essential to make sure you are ticking all the boxes when it comes to keeping your network and data tight under wraps.
To help, we’ve compiled a list of the key developments in cybersecurity compliance and regulation in Southeast Asia worth knowing about:
Singapore
Singapore is one of the leading countries in Southeast Asia when it comes to cybersecurity regulation. In 2020, the Singapore government launched the Safer Cyberspace Master Plan to strengthen the country's cybersecurity capabilities and create a safer digital environment for all.
The plan includes initiatives such as the Cybersecurity Act, which provides a legal framework for the country's cybersecurity industry, and the Personal Data Protection Act (PDPA), which regulates the collection, use and disclosure of personal data.
In October 2022, enhanced fines under the PDPA came into effect in Singapore, meaning that the Personal Data Protection Commission (PDPC) can now impose fines of up to SGD$1 million or 10% of a Singapore company's annual turnover for breaches of the law.
Online retailer RedMart found this out the hard way in December last year when it was fined S$72,000 by the Singapore Data Protection Authority for failing to take adequate security measures to protect the personal data it held.
Thailand
Thailand's first personal data protection law, the Personal Data Protection Act (PDPA), came into force in June 2022 outlining the obligations of companies when collecting and processing personal data. Much like the rest of Southeast Asia, Thailand has been affected by an increasing number of malicious cyberattacks in recent years.
A 2022 report by Thailand's National Cyber Security Committee (NCSC) shows that ransomware and phishing attacks are among the most common attacks on businesses in the country.
The introduction of the PDPA is intended to curb the success rates of these attacks, highlighting the need for businesses to do their part to protect customer data - or risk being held civilly liable, paying fines or even facing criminal charges.
Malaysia
In 2020, Malaysia's National Cyber Security Agency (NACSA) was established to oversee cybersecurity efforts in the country. Additionally, the Malaysian government introduced the Personal Data Protection Act and the Digital Signature Act to regulate data protection and digital signatures.
Last year Malaysia suffered a spate of high-profile data breaches, including a data leak affecting 13 million account holders from Malaysia’s largest bank Maybank, its Election Commission, and Satellite broadcaster Astro.
Following this, the government announced plans to amend Malaysia’s Personal Data Protection Act 2010 (Malaysia PDPA). Under the Act, companies are obligated to appoint a data protection officer and report breaches.
Originally tabled for October 2022, Malaysia has since seen a change in government which will now see the proposed changes being addressed in Parliament by the end of this year.
In the meantime, the attacks rage on, with the data of millions of Malaysian citizens for sale on the dark web according to recent reports. Luckily, the Malaysian government just announced dedicating RM10 million to its National Scam Response Centre (NSRC), to address the rising rate of cybercrime as part of its 2023 budget, which can only be a good thing.
Indonesia
Much like other countries in Southeast Asia, Indonesia has suffered a spate of high-profile data breaches over the past year, including a breach by a hacker known as Bjorka, which included 1.3 billion registered mobile numbers, details of 105 million voters, along with a log of the President’s correspondences being leaked online.
After years of deliberating, the rise in high-profile cyberattacks affecting Indonesia finally pushed the government to enact the Personal Data Protection Law (PDP) in September last year.
The new PDP Bill is modelled on the European Union’s General Data Protection Regulation (GDPR) and regulates all forms of data processing and how Indonesian customer data is handled by individuals, corporations, and institutions at home and abroad. Breaching the new law could see companies facing fines of up to 2% of their annual revenue, or up to six years of jail time.
Looking to the future
As we march on into the Year of the Rabbit, we are reminded that cybercrime remains an unavoidable fact of life for businesses across the region that cannot be overlooked or ignored. Knowing the compliance issues and regulations of the markets relevant to your business is a good starting point but knowing what needs to be done to comply is the next step.
To ensure you’re covering all your bases when it comes to compliance, we recommend the following:
- Protect your email & train up your team
While research finds that 91% of attacks start with a phishing email, deploying comprehensive email protection with AI capabilities and training your teams will provide you with a solid first line of defence against phishing and other email threats.
- Adopt a zero-trust approach
With attacks on businesses in Southeast Asia becoming more sophisticated, implementing a zero-trust solution to protect your endpoints with multifactor authentication (MFA) across all your applications and systems can help you control access and permissions to your network and data to minimise the chance of a breach.
- Protect your apps & backup
Making sure you are protecting your web applications by implementing a Web Application Firewall (WAF) while ensuring that your data and critical systems are backed up can help you avoid unnecessary business disruption if you're hit by an attack.
- Monitor, detect & respond
Deploying a high-quality security solution with Endpoint Detection and Response (EDR) and a dedicated Security Operations Centre (SOC) can give you complete visibility across your entire IT infrastructure and the ability to monitor, detect and respond to cyberthreats in real time while knowing that you are doing everything in your power to keep your data safe and secure in compliance with prevailing cybersecurity legislation.
