Your data has been stolen. A ransom has been demanded. People are affected across borders. What should organizations do when the unthinkable happens and a cyber breach occurs? How is it managed as the drama unfolds? What could have been done in advance to minimize the risk and the potential damage?
King & Wood Mallesons partners Cheng Lim, Su Chang, Nicola Charlston and Amanda Lees discussed a hypothetical, but very real, cybersecurity breach as part of our Sprint to the Finish series. Responding to this scenario in “virtual” real-time, they investigated reactions and impacts across Australia, China and Southeast Asia.
Their discussion can be watched below. In this post, we share key points on dealing with the ever-present threat posed by cybersecurity breaches. The challenge is compounded when a complex legal and regulatory landscape must be navigated across multiple jurisdictions.
In today's digital age, the threat of cyber breaches looms large for businesses around the world. As businesses become increasingly interconnected across borders, the implications can be complex and far-reaching. The need for effective controls has never been more important, not only in managing breaches, but also in proactive preparation and risk minimization.
Case studies – and immediate actions
The fictitious ASX-listed company OneMed Healthcare owns private hospitals in Australia, China and South East Asia. After discovering unusual behavior on internet-facing servers used for remote access, OneMed immediately activated a retainer with its incident response provider. The investigation determined that the server had been compromised and that approximately 1.5 terabytes of data had been exfiltrated from major systems worldwide.
- Timely disclosure to the market: an important first step for listed companies
“A key question is when do companies become aware of this price-sensitive information? Legal obligations exist to allow the market to assess its impact and to prevent misleading information, including omissions. But beyond that test, there is a range of acceptable disclosure details that depends on the company's communication philosophy.” – Nicola Charlston
It is of paramount importance for publicly traded companies to understand their continuous disclosure obligations. In Australia, listed companies are legally required to immediately disclose information that may have a material effect on their share price. The timing of disclosure, however, depends on when the company becomes aware of the incident and how it assesses its market sensitivity.
If a company becomes aware of information that a reasonable person would expect to have a material effect on the price or value of its shares, it has a duty to immediately communicate that information to the ASX, unless an exception applies.
Tips
- You must have sufficient information to assess market sensitivity before disclosing.
- Craft your disclosures carefully and avoid misleading investors and regulators, including by omission.
- A trading halt may be helpful if a company lacks sufficient information to make a meaningful disclosure. However, a trading halt cannot be used to indefinitely delay disclosure or to avoid disclosure responsibilities.
- Who else needs to be notified? Consistent stakeholder communications and regulatory notifications
“There is currently no legal obligation in Australia to notify employees of a breach of employee data. However, in practice everyone does so. At the same time, notify key stakeholders such as government, regulators and customers.” – Cheng Lim
Providing information quickly to key stakeholders, such as government agencies, regulators, and affected parties, is critical to maintaining transparency and mitigating reputational risk. A comprehensive stakeholder management plan is essential.
Breaches that span multiple jurisdictions are even more complex to respond to, as each country has different data protection and breach notification laws. For example:
In Australia, the Office of the Australian Information Commissioner (OAIC) must be notified of any data breach that could cause significant harm.
In Southeast Asia, requirements vary by country. In the Philippines, the National Privacy Commission must be notified. In contrast, Malaysia currently does not require anyone to be notified (although this is subject to change).
In China, the obligation to notify the regulator depends on the specific circumstances of the breach and therefore requires a case-by-case analysis. Regular training and actionable plans are essential to deal effectively with cyber breach scenarios in China. Given the sensitivity of the data involved, it is also advisable to communicate informally with the authorities about the incident.
Customer care is paramount, and businesses must support affected customers and manage the aftermath of the incident. In Australia, organizations frequently engage IDCARE to provide this support.
Tips
- Establish a comprehensive stakeholder management plan.
- Use a single “source of truth” as the base document for all communications – if you are an ASX-listed company, use the ASX announcement.
- Identify the nature of the compromised information through a forensic cyber investigation.
- Notify relevant stakeholders – starting with regulators – quickly and consistently.
- Prioritize timely notification of affected individuals – including the steps they can take to protect themselves.
- Plan how to notify customers – by direct mail, email or other methods – and provide customer care.
- Consider the potential impact on your organization's reputation.
- Coordination and considerations across multiple jurisdictions
“Different jurisdictions have different notification requirements. Tailor your response accordingly.” – Su Chang
Cyber incidents require separate responses across different jurisdictions due to different regulatory landscapes. Working with local counsel and adhering to jurisdiction-specific notification requirements is paramount to compliance and effective crisis management.
Different jurisdictions have different requirements and time frames for data breach notification. For example, in Australia the key stakeholders include the ASX, the Australian Cyber Security Centre (ACSC), the Cyber and Infrastructure Security Centre (CISC) and the Office of the Australian Information Commissioner (OAIC).
In China, the local government (in this example, Shenzhen City) must be notified immediately upon learning that an incident has occurred. The relevant Chinese authorities will request a detailed report.
In the Philippines, the National Privacy Commission and affected data subjects must be notified within 72 hours.
Tips
- Understand the reporting requirements of each jurisdiction. Have a playbook that sets all of this out.
- Strictly follow the reporting timelines set by local regulations.
- Coordinate with local counsel and regulatory authorities.
- Engage consistently with key stakeholders such as employees, customers and business partners across all jurisdictions.
- The ransom payment dilemma: To pay or not to pay?
“The decision to pay a ransom is complex and depends on the details of the case. You need to think about what is in the best interest of your organization.” – Cheng Lim
In Australia, although it is not illegal to pay a ransom, there are checks that must be passed, particularly in relation to sanctions and criminal laws. The Government has published a consultation paper proposing the introduction of ransomware payment reporting, which would require notification of a ransom demand and a separate notification if the ransom has been paid.
Looking to Southeast Asia, in the Philippines there are no specific prohibitions against paying a ransom, but organizations need to carefully consider whether the payment would amount to financing terrorism or to aiding or abetting the commission of cybercrime or money laundering offences.
In Malaysia the analysis is similar, with an additional consideration: the Penal Code requires anyone who knows that a crime is about to be committed to report it to the police, and ransomware incidents are criminal offences under the Computer Crimes Act.
Many cryptocurrency exchanges are based in Singapore, which has strict rules on reporting crimes and potential crimes, so reporting may be required if the ransom is paid through a Singapore exchange.
In China the analysis is the same. No Chinese law prohibits ransom payments in this scenario, but regulators may request a report on how the issue was resolved.
Tips
- Consider establishing a ransom decision-making framework that takes into account your organization's policies, culture, and risk appetite.
- Assessing and responding to ransom demands should form part of your cyber breach management plan.
- While it is necessary to keep the market updated on cyber breaches, carefully consider the need to disclose ransom demands.
- New developments – the use of injunctions against cyber criminals
“Injunctions against unidentified persons can be an effective tool to stop the spread of stolen information. I think we will see more use of them.” – Amanda Lees
Courts have shown a willingness to grant injunctions against bad actors even where they cannot be identified by name. Where data has been stolen, further dissemination can be restrained through injunctions against publication by newspapers and online platforms. Courts are willing to grant such injunctions on the basis of breach of confidence where information has been stolen and is threatened with misuse. An injunction has also been obtained to prevent the bad actors from paying the ransom.
If an organization can identify a class of persons and describe them with enough specificity, courts can issue injunctions against those unknown persons.
Courts in the United Kingdom, Australia, Singapore, Malaysia and other jurisdictions have granted injunctions against unidentified persons. Other jurisdictions, such as Hong Kong, have granted injunctions against certain persons in relation to virtual currencies and data.
Tips
- Consider different approaches that could deliver benefits, such as an injunction to prevent the release of stolen information, even if the hacker's identity is unknown.
- You need to define a class of persons specifically, by reference to what they did, for example “a person working for company X who hacked into a system and extracted data from system X on day X.”
- The order is then served on the hackers using the same means they used to communicate with the victim organization.
- Consider obtaining orders against third parties to prevent websites from publishing or transmitting the data, directed at anyone who holds the data or may have access to it.
The last word? Prepare, prepare, prepare
“It is very important to have a workable plan to deal with the scenario and conduct regular training to ensure the effectiveness of the plan.” – Su Chang
Regulators tend to focus not only on the outcome of an incident, but also on the causes of the incident and what protective and preventive measures were in place.
Tips
- Establish a crisis management team.
- Engage an incident response provider.
- Understand the risks, then prioritize them according to likelihood and severity.
- Establish a cyber breach management plan.
- Identify the triggers that put the plan into action.
- Carry out regular drills.
When faced with a cybersecurity crisis, preparation and quick action are key. Dealing with cybersecurity incidents requires a proactive and coordinated approach, especially in multi-jurisdictional environments. By understanding disclosure obligations, using trading halts wisely, prioritizing stakeholder communications, and adapting to diverse regulatory frameworks, companies can reduce the impact of cyber threats and protect their operations and reputations.