Thursday 25 Apr 2024
This article first appeared in The Edge Malaysia Weekly, on October 24 - 30, 2016.

 

THE internet has in the past three decades disrupted traditional business models more than any other technology, creating a wealth of opportunities for both businesses and consumers. Although this has ushered in the age of the digital economy, cyberattacks and data breaches have grown in frequency while cyber-related financial and reputational damage is on the rise.

According to a newly released Kaspersky Lab survey, an average of one in two users in selected Asia-Pacific countries encountered security incidents related to local networks and removable media while nearly one in five users faced web-related threats. In addition, the number of ransomware incidents detected in Asia-Pacific soared 114% in July and August compared with February and March, signalling that the region is becoming a target for ransomware and cryptoware campaigns.

“In the internet age where everything is connected, cross-border fraud has become a big problem as cybercriminals are increasingly looking to exploit the complexities of different laws, languages and business cultures in different jurisdictions,” says Lionel Tan, a partner at Rajah & Tann Singapore LLP, at the Kaspersky Lab APAC Cyber Security Summit held on Oct 7 in Bali, Indonesia.

“Moreover, it is very costly and time-consuming to trace cross-border financial transactions because you need to get a lawyer to file a civil case in different countries and there is no guarantee you will get back your money. Once the fee and estimation of costs is given, more often than not clients will find it prohibitive and give up on recovering their losses — and this is what the cybercriminals are banking on.

“The Bangladesh Bank heist we saw earlier this year is a good example. Hackers tried to steal US$1 billion from Bangladesh’s central bank. Although the US Federal Reserve’s systems halted US$850 million the attackers had tried to transfer, US$81 million was stolen from the bank and wired to hacker-controlled accounts in the Philippines,” Tan says.

“Given the scale and severity of the fraudulent transfers and disproportionate effects on the victims, there is a case for greater government assistance and international coordination. A government agency or regulator could be granted powers to compel information from banks and authorities could coordinate with other foreign regulators for the return or freezing of funds, which is much faster than civil action.

“In the US, the FBI and the Financial Crimes Enforcement Network are two agencies that provide assistance in wire fraud transfer cases. In Singapore, the Cyber Security Agency of Singapore (CSA) was established in April 2015 to provide dedicated and centralised oversight of national cybersecurity functions and to counter the increasing threat of cyberattacks,” he says.

“Since it was set up in 2015, CSA has reported 16 waves of malware and phishing attacks on Singapore. In June, the Singapore government announced an ‘air-gap’ separation by May 2017, in which about 100,000 computers in use by public servants will be restricted from internet access. Looking ahead, a standalone Cybersecurity Bill will be tabled in the Singapore Parliament next year.

“The new Bill will ensure that the operators of Singapore’s critical information infrastructure and emergency services, such as communications infrastructure, banking and finance, public utilities, police, civil defence or health services, take proactive steps to raise their standards, secure their IT infrastructure and report cybersecurity breaches. With Singapore taking the lead, we will likely see other countries in the region developing their own standalone cybersecurity bill to cater to this new type of threat,” Tan says.

“At the corporate level, cybersecurity breaches are no longer just an IT department issue and have become a management problem, especially for senior management. Senior management and the board of directors are now expected to have oversight and take responsibility for the company’s IT and cybersecurity processes and policies. This is what happened to the CEO of the US’ second largest discount retailer Target, who lost his job because of a cyberbreach.”

Tan points out that another emerging trend is increasing shareholder activism and shareholder lawsuits. “This has happened to another large US company, Home Depot, after the listed company suffered a massive cyberbreach. In this case, the shareholders filed suit against the directors and officers of Home Depot claiming that they had ‘not put in place necessary measures to prevent cyberattacks and thus had breached their fiduciary duties’.

“In case a major data breach has occurred, there are some considerations to take note of, such as when and what to disclose to the public. We hear about the Yahoo case, which took two years to report a data breach that happened in 2014. Nowadays, it is advisable for large companies to disclose [any incident] as soon as possible as this will show transparency and candour. However, the description of the incident has to be carefully constructed so that it won’t be used against you in a potential lawsuit,” Tan says.

Direct financial losses and regulatory fines aside, the marketing expenses incurred to repair the damage to the brand reputation and potential legal liabilities are much harder to estimate. However, one thing is certain: the cost of a security breach is always higher than the cost of protection, and investing in adequate IT infrastructure to reduce IT security risks always pays off. 

 
