Zurich Asia CEO calls for greater focus on cyber risk

Complacency still prevalent among companies in Asia despite the region being at greater risk of cyber attack than other parts of the world

Keith Thomas
Keith Thomas, Zurich: Asia financial firms at greater risk of cyber attack

Asia is more vulnerable to cyber threats being home to high-growth companies and half of the world's internet users yet the lack of an overarching framework to deal with cyber risk is leaving financial firms unduly exposed, according to the Asia CEO for Zurich Insurance.

The frequency of cyber attacks is increasing globally but in Asia, market participants say that many events go unreported in part due to an absence of clear rules on what needs to be disclosed and when.

"We need overarching governance in this area either through existing structures like the G20, or regional bodies like Asean [Association of Southeast Asian Nations], to create the rules of the road as there are different issues around disclosure of cyber events and information sharing," says Hong Kong-based Keith Thomas, chief executive for Asia at Zurich Insurance.

Thomas says that while in the US disclosure is strict at 48 hours before a firm must go public if its database has been compromised, in Asia there are no rules in place so breaches are kept quiet in many cases.

"Businesses need to know when and how long they have to disclose breaches in different countries. It's not a question of if: it will happen at some point to most companies. Asean could lead a joint framework so that companies know how to secure their data including fines and remediation policies. If you have to do that for 12 million customers it can get expensive."

Asia is behind on this from a proactive standpoint. It's hard to build a wall high enough to keep the threats out

An April global cyber governance report commissioned by Zurich Insurance and Esade Geo centre for global economy and geopolitics highlights that the systemic nature of the financial system and increasing interconnectivity of finance make the risk of a cyber attack even greater. It elaborates that by firms underestimating cyber risk a "Lehman moment" could arise from knock-on effects of a widespread cyber attack on the financial sector.

In particular it points to the increasing prevalence of cloud service providers for financial firms and China's alternative to Swift's payments messaging system as examples of further cyber connectivity. The China international payments system is due to be launched in October.

In a separate DTCC survey of financial institutions published in May, 46% of respondents cited cyber risk as their paramount concern while 80% cited it as a top five risk.

Thomas says there is also a concentration risk in finance when it comes to third-party providers – something that has been more adequately addressed in other sectors such as the global supply chain for goods.

"In finance there is a huge reliance on a handful of service providers. In the US, Nasdaq [the exchange for technology companies] has run war games in this area but financial firms and trading firms haven't typically looked two providers out."

The dependence by financial firms on Bloomberg terminals underscored this risk after an outage across Bloomberg screens in April caused disruption to traders and led to a UK Treasury auction being postponed.

The Zurich report also calls for the establishment of a body equivalent to the World Health Organisation to alert companies about cyber threats.

Within Asia, at a June Asean and China meeting of senior officials both sides agreed to enhance co-operation on cyber crime. Singapore, though, is furthest ahead with its establishment of a cyber security agency which shares information with foreign counterparts and issues best practice guidelines to its companies.

While some progress is being made at a governmental level, Thomas says this doesn't mean the business community can be passive when it comes to cyber threats.

"In Asia there is some complacency especially as growth is high. Everyone is focused on getting resources in place but someone also needs to have a sense check of what the risks are. Asia is behind on this from a proactive standpoint. It's hard to build a wall high enough to keep the threats out so you have to make your business more resilient."

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe

You are currently unable to copy this content. Please contact info@risk.net to find out more.

You need to sign in to use this feature. If you don’t have a Risk.net account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here