- Lack of sector-specific governance and policies is a region-wide issue
- Cyber-attacks, could expose region’s firms to US$750 billion erosion in current market cap
A RECENT report by global consulting firm A.T. Kearney has found that Singapore and Malaysia are leading the Asean region with advanced cyber-security policies and plans already in place.
The research report, titled Cybersecurity in Asean: An Urgent Call To Action, was commissioned by Cisco and pointed out that national cyber-security strategies have been laid out by Singapore, Malaysia, Thailand and the Philippines.
A few countries have set up national agencies to consolidate and coordinate cyber-security agendas, the report highlighted.
“These include Singapore (Cyber Security Agency of Singapore), Malaysia (CyberSecurity Malaysia), and the Philippines (Department of Information and Communications Technology). Indonesia has established a national cyber and encryption agency, Badan Siber dan Sandi Negara (the Cyber Body and National Encryption Agency), and Thailand has proposed a national cyber-security committee,” the report said.
Key concerns remain
Despite the progress made to date, the lack of sector-specific governance and policies is a region-wide issue, resulting in limited transparency and a lack of sharing of threat intelligence.
“One exception is the Monetary Authority of Singapore and the global Financial Services Information Sharing and Analysis Centre, which have announced plans to set up the Asia Pacific Regional Intelligence and Analysis Centre.
“This platform aims to provide deeper capabilities in cyber intelligence gathering and analysis for enhanced in-region support, specifically for financial services.”
Although Singapore, Malaysia, Thailand, and Vietnam drafted cyber-security bills in 2017, limited progress has been made across the rest of Asean, the report said.
Where Malaysia stands
According to partner at A.T. Kearney and lead author of the report Nikolai Dobberstein (pic, right), their research suggests that Malaysia has made great strides in terms of cyber-security readiness.
“It has defined its national cybersecurity strategy, has a dedicated agency (CyberSecurity Malaysia) driving the cyber-security agenda and is in the process of updating the country’s cyber-security legislation.”
“CyberSecurity Malaysia has developed a certification process for vendors and cyber-security products which potentially could help greater vendor mobility across the region. Significant efforts have been made in addressing capability gaps through a focused approach at the youth, university and industry level.”
He says there is still much to be done, as with the rest of Asean, but Malaysia is one of the few Asean countries that has placed cyber-security at the top of its digital agenda.
Cyber-security spending levels
Cyber-security spending levels are still relatively low in Malaysia (when benchmarked against best in class countries), albeit higher than the regional average.
“In terms of cyber-security spend as percent of gross domestic product (GDP), Singapore is the only country in the region that exceeds the global average,” Dobberstein says.
According to the report, Asean countries in general are underspending on cyber-security. The region currently spends an average of 0.07% of its GDP on cyber-security annually. It would need to increase this to between 0.35% and 0.61% of GDP between 2017 and 2025, to be in line with the best in class benchmark, which is based on spend levels as percentage of GDP for Israel.
A.T.Kearney’s research estimates that this amounts to US$171 billion (RM671.34 billion) in collective spending needed across Asean countries during this period. (US$1 = RM3.93)
Perhaps the most disturbing consequence of underinvestment in tackling cyber-security threats is that companies in the Asean region face a growing risk of cyber-attacks, which could expose the region’s top listed firms to a US$750 billion erosion in current market capitalisation, the report found.
Dobberstein explains this in greater detail. “To assess the full financial impact of cyber-attacks, we considered the scenario where companies are hit with a mega breach, where hundreds of millions of records are lost. In those cases, companies not only face increased operational costs to fix the issue but also see significant post-breach impact due to potential customer churn.
“This is reflected in their erosion in market capitalisation a few months after the breach is made known as shareholders become wary of the impact this would have on future business.
“We then looked at companies who have faced mega breaches, such as Target, Yahoo!, and Equifax, and how it affected their market capitalisation. In these cases, the number of records breached ranged from 41 million to three billion and erosion in market capitalisation ranged from 10% to 35%.
“Applying the extreme market capitalisation loss scenario to Asean’s top 1,000 listed corporations places the exposure at US$750 billion at current market capitalisation,” he explains.
The cyber-security threat landscape is evolving
According to the A.T.Kearney report, the cyber-security threat landscape is evolving due to some key factors:
- The emergence of new technologies such as the Internet of Things (IoT), where the end points in an IoT network often tend of be less sophisticated devices such as household gadgets, making easier for hackers to hack the network and such IoT attacks are already prevalent in Asia.
- A global shortage of skilled and qualified cyber-security professionals, which is mirrored across Asean. Specific skill sets such as behavioural analytics and digital forensics are in acute short supply. There is also inadequate expertise in cyber-security support areas such as cyber-insurance.
“As our technological landscape changes and new threats emerge, it’s never been more important for countries, governments and the public and private sectors to come together and collaborate to share best practices.
“Cyber-security is something that impacts us all, and particularly in Asean, where countries have strong ties to one another. We can only be as strong as our weakest link,” Dobberstein says.
The A.T.Kearney report saw close to 30 interviews conducted with a diverse range of stakeholders both globally and in the region. These included:
- National agencies driving the cybersecurity agenda in their respective countries (e.g. CSA Singapore)
- International agencies active in dealing with Cybercrime (e.g. Interpol)
- Sector regulators (e.g. Bank Indonesia, Land Transport Authority Singapore)
- Intermediaries (e.g. Industrial automation companies, Cyber re-insurance companies, etc.)
- Industry experts
- CIOs/CISOs of large conglomerates across Critical Information Infrastructure sectors (Telecoms, Oil and Gas, Manufacturing, Banking, Payment Platforms)
The interviewees were drawn largely across the key Asean markets (Malaysia, Indonesia, Singapore, Thailand and Vietnam).