Asia Pacific corporates could be underreporting cyber incidents 

Cyber risk is potentially higher in Asia Pac than other regions but a lack of disclosure requirements makes this difficult to monitor, says S&P Global Ratings



(Re)in Summary

• Data from Guidewire suggests that cyber risks are higher in Asia Pac than Europe and North America.
• Asia Pac regulators have been slower than their global peers in imposing disclosure requirements, said a recent S&P Global Ratings’ report.
• The large concentration of manufacturing firms in Asia Pac gives the region specific risk characteristics, said S&P.
• China’s recent move to expand AI’s use across multiple industries could further heighten cyber risk in the region.

A lack of public disclosure requirements in Asia Pacific means that corporates in the region are likely to be under-reporting cyber incidents, according to a report by S&P Global Ratings.

S&P’s recent report, ‘Asia-Pacific corporate cyber risks: what you don’t know can hurt you’, said that cyber risks are growing in the region even as they are being under-reported.

The ratings agency cited data provider Guidewire, which said that cyber risks in Asia-Pac are just as high, if not higher, than in the US or Europe. 

“Stakeholders seem to be taking an out-of-sight, out-of-mind attitude toward cyberattacks in Asia. A lack of public disclosure requirements is likely to result in an under-reporting of cyber incidents in the region. 

We believe further that limited disclosure can create a degree of complacency among investors and corporate managers,” said S&P.


Asia-specific cyber risk

The ratings agency said that Asia Pac had specific risk characteristics as a result of the high concentration of manufacturing firms in the region, which left them exposed to attacks on suppliers and key infrastructure.

To make matters worse, Guidewire data showed that on average the industrial control systems – software used to manage key manufacturing functions – of Asia Pac firms were more detectable online than those of their global peers.

“If such systems are detectable online, they are vulnerable to an attack by hackers,” said S&P.

These risks could rise further. Swiss Re recently warned of the ‘silent’ risk that general insurers faced from the expansion of AI into sectors such as health and pharma, IT services, energy and utilities, that could result in unseen risks building up in carriers’ portfolios. 

S&P said that recent moves by Chinese policy makers with regard to AI could further ratchet up Asia-specific cyber risk.

“Moreover, more industrial production is moving online, to make use of technologies such as artificial intelligence (AI). For example, at a recent policy-setting event in China known as the Two Sessions, officials vowed to integrate much more AI into manufacturing,” S&P said.

Weak disclosure rules

S&P said that tracking and measuring cyberattacks was particularly difficult in Asia because each country takes a different approach to disclosing cyber breaches, and because of what it termed ‘generally low disclosure requirements on companies’.

S&P said this is starting to change and pointed to a number of countries in the region, including China, South Korea, Japan, India, Singapore, and Australia, which have all strengthened their cyber incident disclosure rules.

“Regulators are scrutinising firms that provide critical infrastructure. Recently, Singapore, in the first amendment of its Cybersecurity Act, proposed expanding the reporting requirements for critical infrastructure owners to include incidents affecting entities in their supply chain. 

However, most of these new rules do not require public disclosures of cyber incidents. They typically require timely reports of attacks to regulators, or perhaps just set higher standards for cybersecurity”, said S&P.  

The ratings agency said that most Asian jurisdictions do not require public notification of data breaches, and some regulators seek transparency on cyberattacks using stock-exchange rules requiring disclosure of ‘material’ events. 

Tough US stance

“Yet, materiality is an imprecise and ambiguous measure, particularly for cyber incidents. For example, do leaks of customer data meet the materiality threshold if the immediate cost of the breach is small or difficult to measure? 

Moreover, most exchanges and regulators in the region don’t have strict requirements that firms report their incidents. Companies may delay or even omit such disclosures. Finally, such rules would only apply to listed entities,” said the report.

S&P contrasted this with the increasingly tough stance taken by US regulators on cyber disclosures.

The US Securities and Exchange Commission has set standards for public disclosure of cyberattacks on registered companies which include reporting breaches within four days after the determination of their materiality. 

Likewise, in 2023 the EU strengthened Article 11 of the EU’s Cyber Resilience Act, obliging software publishers to report any unaddressed security vulnerabilities to the EU Agency for Cybersecurity (ENISA) within 24 hours of their discovery. 

“Disclosure requirements in Asia-Pacific are often more relaxed than in the US and Europe. Tellingly, the cyberattacks that our rated Japanese firms disclosed in the past year largely occurred at overseas subsidiaries, or affected overseas users,” said S&P.

The ratings agency said that the most likely explanation for this discrepancy is that offshore regulations required disclosure, whereas Japan did not, and that it assumed other attacks on Japanese firms it rates haven’t been disclosed.

“We believe this breeds under-preparedness among issuers, and an inability for investors to assess the full risk of such breaches,” said S&P.  
