The C-suite has long left data resilience and cybersecurity in the hands of security and IT teams. It's been a case of 'leave it to the experts', and for a long time, that made sense. However, as organisations have become increasingly dependent on technology and breaches have become a case of 'when' rather than 'if,' cybersecurity has become a part of everyone's day-to-day.
Cybersecurity regulations in the US and Europe (such as CIRCIA, NIS2, and DORA) reflect corporate accountability in their requirements. In the event of a breach, not just the CISO but the entire C-suite can be held responsible. They are directly accountable for management and training on cybersecurity measures and will also face penalties for non-compliance. These directives are now filtering through to Asia's regulators, too.

"In the event of a breach, not just the CISO but the entire C-suite can be held responsible." (Rick Vanover)

C-suite leaders in Asia are waking up to the fact that simply assuming their security teams and third-party providers have everything covered is a real risk. If gaps exist or they're not supporting the process enough, their reputation is on the line. So, it's time for them to step up and engage with the processes themselves.
Asia's cyber-regulation upsurge
For businesses in Asia, data regulations are becoming more complex and, in many cases, more stringent. The region is following in the footsteps of Europe, with GDPR and the recent NIS2 cybersecurity regulations shaping many new directives that are mandating an up-levelling of security requirements covering critical infrastructure and core business services. Singapore is refining its data protection framework for physical and virtual critical information infrastructure systems and enhancing regulations to address emerging technologies such as AI. Malaysia is also making significant updates to its Data Protection Act to strengthen data governance and enforcement mechanisms. Australia is pushing major privacy reforms by modernising its Privacy Act.
Even Hong Kong, which has largely operated with a lighter regulatory regime, plans to introduce the "Protection of Critical Infrastructure (Computer System) Bill" by mid-2026. The goal is to align with global trends and operate on a similar footing to other key markets in the region, particularly as the city vies with others to be an international information and technology hub for the region.
Shifting spotlight on the C-suite
Naturally, expecting most executives to be cybersecurity and resilience experts is unreasonable. For many, this could be the first time they genuinely interrogate their data resilience and incident response plans.
Under cybersecurity regulations, NIS2 in particular, the C-suite has gained a new laundry list of responsibilities. For the first time, they must actively and directly manage cybersecurity risks and their organisation's security strategy. They'll also be responsible for organisational risk management, mitigation, and incident reporting measures. In addition, senior leaders who fail to comply face personal liability and the potential for fines of up to US$9 million or 1.4% of global annual turnover for important entities, whichever is higher.
So, the pressure's on. C-levels will need to integrate their organisation's resilience and incident response preparedness. This will mean investing in security and training but also holding internal stakeholders to account. And that's the operative word here: accountability. Regulations like NIS2 include senior leadership in the accountability bubble not because it should all come down to them but because they are the people with the weight to ensure that everyone who should be responsible is.
This starts from within but often doesn't end there. C-suites will be keen to extend this accountability externally to key partners and suppliers. From supply chain partners to IT and security vendors, including backup-as-a-service (BaaS) providers, crucial data resilience and recovery chain links can't be ignored.
Third-party providers in the hot seat
According to EY's Global Third-Party Risk Management Survey, 44% of organisations expect to increase their work with third parties over the next 5 years. As this trend continues, expect executives to scrutinise their third-party partners more closely, examining every aspect of their data resilience and incident response measures. Previously, an agreement or certification may have given the C-suite adequate confidence. However, with corporate accountability now a factor, there will be a stronger demand for greater accountability from third parties.
This could manifest in several ways, from renegotiating service level agreements (SLAs) to more in-depth investigations as executive leaders look to secure the chain of custody for their data resilience and investigate every step of the process. While it's impossible to outsource the risk and accountability to third parties, senior leaders need transparency from their third-party providers so that, when a breach occurs, the failure point can be identified and acted upon promptly to avoid penalties.
Diving into the deep end
These measures will undoubtedly boost overall data resilience, but it's impossible to eliminate the risk of a breach. You can have all of the SLAs, processes, and technology in the world, but certifying them without testing is impossible. Testing is the single most important step in addressing and improving resilience. By all means, the C-suite should do all of the investigating necessary to build confidence in their data chain through suppliers, but they need to put this confidence to the test. That means consistent, comprehensive testing that pushes your measures to the edge, and not just in perfect conditions. A breach can come at any time, so test at the worst time, when security teams are occupied or specific stakeholders are on leave.
Fundamentally, it's about going beyond plans on paper. You can't learn to swim by reading a book. The only way to learn is to try. Sure, you might swim through it with no problems. But you might also sink. And it's better to sink when you've got some armbands on hand rather than during the real thing.