Concern is growing among regulators in the Asia-Pacific region that financial services are increasingly at risk of a systemic cyber event. As such events will pose a major threat to the financial system, regulators across the region are moving rapidly to strengthen their regulatory and supervisory capabilities.
According to Deloitte’s Cyber Regulation in Asia-Pacific report, cyber-attacks globally and within Asia-Pacific are increasing in frequency and sophistication. The cost of cybercrime is estimated to reach up to $US575 billion a year, with financial services organisations a key target.
Kevin Nixon, Global & Asia-Pacific Leader, Centre for Regulatory Strategy, Deloitte, said, “The financial system relies on confidentiality of data, protection of deposits, and provision of critical services. All of this has come under threat given the increase recently in the frequency of cyber-attacks.”
According to Nixon, as financial institutions become data-driven digital businesses and more financial services are delivered online, cyber risks increase. If these cyber risks and responses are not well managed, they could threaten the stability of the financial system.
“We believe that this means only those financial institutions with robust cyber security and cyber risk management will be able to maintain trust and enhance their competitive edge to retain customers.”
In response to these risks, regulators are considering appropriate standards and supervisory tools, and are actively urging firms to enhance capabilities to address these emerging threats. The Deloitte Cyber Regulation in Asia-Pacific report outlines a number of existing challenges Asia-Pacific organisations face in relation to cyber security and examines how regulators across the region are seeking to tackle them.
Varied regulatory approaches
Although cyber threats cut across borders, regulatory approaches to cyber risk in Asia-Pacific are varied and localised.
“There are no significant steps yet taken towards harmonised standards across the region,” said Nixon.
“Financial institutions struggle to understand the regulatory differences at a country level, or be aware of emerging threats so as to design cyber risk programs that are coherent and robust across jurisdictions. However, fortunately, there is a general consistency with regulatory approaches going beyond just security to focus on governance, vigilance and response.”
The need to defend against outsourcing risk is an emerging and growing area of concern, in particular for those economies where IT services are widely contracted out to jurisdictions with weaker cyber security regimes.
Lack of human resources capabilities
Financial institutions operating in Asia-Pacific are short on dedicated IT security specialists and cyber professionals, which makes it difficult to stay up to date with the pace of change in the cyber landscape.
Another challenge is that many financial institutions lack management recognition or understanding of the importance of cyber security and so can fail to adopt a coordinated approach across functions.
The Deloitte report provides insights into developing a framework for overcoming these challenges and for strengthening cyber resilience.
James Nunn-Price, Asia-Pacific Cyber Risk Leader, Deloitte, said, “Cyber-attacks are inevitable, and once regulators and organisations accept this, they can focus on building holistic, dynamic, enterprise-wide cyber risk programs that are continually tested and updated to allow for agility and swift recovery.”
According to Nunn-Price, strategies that enhance security will enable organisations to stay vigilant for emerging threats, ensure a flow of insights through to the cyber ecosystem, and attract senior support and oversight, and will best position financial institutions to stay ahead of regulatory expectations.
Beyond this, industry and regulators should work together to further the development of cyber skills and expertise, to foster common standards and approaches, to support information sharing and to facilitate coordinated responses to incidents and attacks.