SINGAPORE--A prescriptive framework, whereby regulators issue security best practices for companies to follow, may not work in Asia-Pacific, as most countries in the region are still at an early stage of developing data protection laws and their regulators still prefer broad principles to detailed rules when drafting regulations.
That was the view of panelists in a discussion at the Cyber Liability Insights Conference here Tuesday, as they responded to U.S. President Barack Obama's cybersecurity executive order unveiled in February 2013.
In a bid to reduce cyber risk, a section of the executive order directed the development of a cybersecurity framework, in consultation with the owners and operators of critical infrastructure and with government agencies, to identify the cybersecurity best practices companies should follow.
Asked whether such a framework could work for regulators in Asia-Pacific, the panelists were divided.
Rosemary Lee, counsel at law firm Pinsent Masons, pointed out that, other than Hong Kong, Australia and New Zealand, many Asia-Pacific countries were still in their "infancy" in developing data protection frameworks. Singapore, for example, only introduced its Personal Data Protection Act last year, while China is still in the midst of planning its data protection measures, she observed.
As such, these regulators are still focused on protecting customer data, which is the first step in developing data laws, rather than on the next step of mandating security measures for businesses, she explained, adding that it was "too early" to write security best practices into regulations.
Another panelist, Ben Nicholson, partner at law firm DAC Beachcroft, added that regulators in Asia prefer a "principles-based approach": one that relies on broadly stated rules or principles that businesses must apply, rather than on detailed, prescriptive rules written in response to specific concerns raised by individuals, he explained.
This is the approach taken by European data protection regulation, and Asia-Pacific countries have conventionally taken their cue from the European Union rather than the U.S. in developing their data laws, he pointed out. The U.S., by contrast, prescribes different protection measures for different types of personal data, such as financial or healthcare data.
"The prescriptive approach may also bring added compliance costs for businesses, so I don't see this coming to Asia anytime soon," Nicholson said.
Lee added that since small and midsized businesses dominate Asia's economy, they, unlike larger companies, would not be able to afford the cost of compliance if Asian regulators adopted an overly prescriptive approach.
The third panelist, Andrew Taylor, assistant vice president and Asia-Pacific practice leader at insurance firm ChubbPro, took a more neutral stance.
A prescriptive approach may yet work in Asia, Taylor noted. If countries here take guidance from the U.S. once its framework has matured, or from ISO standards bodies, Asian regulators could arrive at security practices that lower the compliance costs companies face, he said.
Compulsory breach notification can drive cyberinsurance uptake
Unlike in the U.S., the key regulatory question in Asia-Pacific remains whether regulators should compel companies to disclose security breaches, Taylor pointed out.
The United States also has the highest rate of cyberinsurance adoption in the world, which he attributed to its breach notification requirement, so if Asia-Pacific countries were to make breach disclosure compulsory, it could drive cyberinsurance uptake by companies in the region, he said.
Once security breach disclosure is made compulsory in regulations, companies' perspectives on cybersecurity will change, Taylor noted.
They will become more sensitive to the potential costs of a breach becoming public, especially reputational damage, since disclosure means having to come clean with the public, he said.
Companies are also becoming more aware of cybersecurity issues and are moving from "building castles" around the network to a proactive mindset that assumes a breach will take place within the organization, so that preventive measures are taken in advance, he explained.