As we enter the digital age, one area of key concern is cybersecurity. The internet doesn’t notice regional boundaries or industry sectors, which means any business with an online presence is susceptible to cyber-crime. Across the Asia Pacific region, we’re seeing not only the increased risk of cyber-fraud but also new ways that governments are trying to address these risks, but legislatures just aren’t able to keep up with the pace of technology. That’s why businesses need to take the lead and find other ways to manage their risks legally.
Cyber-crime is on the rise
Countries across the Asia Pacific region are experiencing an increase in cyber-crime. In Australia, cyber-crime increased by over 25 per cent in 2017 alone sparking Australian businesses to increase spending on cyber-defences. Hong Kong also experienced an increase in cyber-crime of 40 per cent in 2018 bringing the number of cases reported to the Hong Kong Police to 8,000. While in Japan, 9,040 people were arrested for cyber-crimes in 2018.
There are a wide range of activities that constitute cyber-crime. These include:
- Theft of information on mobile devices - This often involves fraudulent text messages that are used to steal information from SIM cards that can then be used to verify victims in fraudulent transactions.
- Fraudulent websites - These mimic legitimate websites, e-commerce or government sites to collect information and money from unsuspecting consumers.
- Social engineering scams - Where publicly available information is used to obtain payment through fake invoices.
What is most concerning is how elaborate some of these cyber-crime schemes are and how quickly they evolve. While one form of crime is in favour today, another is already being developed. It’s almost impossible for governments and businesses to keep up the pace.
Cyber-crimes often involve more than just a website or malware and require a high degree of technical or industry expertise. Up to 90 per cent of cyber-crimes start with an email, but fraudsters have become more sophisticated. Some follow up emails with phone calls requesting additional information, ask for information to be uploaded to a seemingly legitimate website or even befriend people over a long period of time on social media or over email. In some cases, hackers may “watch” the organisation for months before doing anything at all. This allows them to get to know what they can get away with before making their move. As a result, many cyber-crimes involve day to day transactions, like paying invoices to legitimate contractors.
The consequences of cyber-crime are just as varied, and can include:
- Financial loss
- Identify theft
- Physical illness or even death. In one reported case in China resulting in a victim having a cardiac arrest and death. While death isn’t directly attributable to the crime, it may possibly have had a causal impact on the individual.
Legislatures are starting to regulate cyber-crime
Some countries have addressed cyber-crime head-on and introduced specific legislation. For example, the Thailand Parliament passed its Cybersecurity Act this year which gives the National Cybersecurity Committee broad powers to seize assets and investigate potential cybersecurity breaches. Taiwan has also introduced cybersecurity and personal information protection laws that set out standards of compliance for financial institutions.
Other countries, like Hong Kong and Japan, rely on a variety of existing legislative codes to address cybersecurity currently. While neither has specific cybersecurity legislation, they each have penal codes that deal with certain elements of cybersecurity, like obtaining property by deception. Japan also has legislation that covers a range of electronic transactions including the transmission of electronic mail and unauthorised computer access.
Australia has found a different solution to cybersecurity. It introduced specific legislation last year to manage national security risks of sabotage, espionage, and coercion by foreign entities. But it also relies on a suite of other legislation like multiple state criminal codes, privacy legislation and regulatory bodies including the Australia Securities and Investments Commission. Some of the criminal codes include specific aspects of cyber-crime like phishing and identity theft, while privacy legislation addresses the security of personal data.
In most jurisdictions, civil claims can also be made to recover losses from fraudulent activity. For example, a Mareva injunction may be used to freeze a fraudster’s bank account before the funds are dissipated. The victim can then seek an order for the bank to transfer the funds directly to them.
While these are all positive steps towards reducing the risk of cyber-crime, businesses can’t rely solely on the legislature to protect them. The pace at which cyber-crime is evolving and the rate at which criminal acts can multiply online mean that organisations need to do more to mitigate their risks now.
Organisations can mitigate risks contractually
One of the most effective ways that organisations can protect themselves is contractually. After all, while organisations can control how they address cyber-crime and protect their business, they have less ability to control contractors and other service providers unless they rely on contractual measures.
In Australia, we’ve already seen clauses that outline specific data requirements to cover privacy issues, for example. Specific clauses that address cybersecurity are an evolution of this. This may have helped large companies like the Commonwealth Bank of Australia, Telstra and Australia Post when one of their service providers, Page Up had a data breach that potentially released personal information of thousands of job seekers.
While in Hong Kong, contracts generally include disclaimers that warrant servers, websites, and other electronic communications are free of any harmful components. Parties also ensure they are not liable for any loss or damage suffered by the other party regarding third party links and websites. Similarly, in Japan organisations may be liable for compensation in damages provided it doesn’t conflict with any mandatory laws or regulations.
Insurance companies in some countries are already taking cybersecurity seriously, both with their own internal processes and offering customers protection. For example, in Japan, there is an increasing number of products covering cyber-risks like attacks from outside parties who gain unauthorised access to internal systems. These policies typically cover damage arising from personal information being leaked, systems failure or other issues. As this is a relatively new area of cover, insurers tend to limit the type of incidents that can be claimed and have restricted claims within Japan.
In contrast, insurance companies in Hong Kong have looked internally to protect their own risks. As insurers handle large volumes of sensitive information, they need to put in place more robust and practical protective measures against cyber-attacks. For instance, some have restricted which staff are authorised to access clients’ personal data on a need-to-know basis. Some insurers have also engaged technical experts to provide dedicated IT support for secured storage and the encrypted transmission of data. In addition, staff are trained to ensure they’re aware and kept up-to-date on the internal protocols regarding handling data and responding to security breaches. These types of controls may have been useful to the Universal Music Group in the UK when a contractor failed to password protect one of their key IT systems.
These are all positive measures that give organisations more control over managing their risks. While there isn’t one specific way to address cybersecurity, there are many legal options organisations can leverage to ensure they don’t fall victim to cyber-crime. The first step in protecting themselves is to speak to their legal advisors to put in place appropriate protections.
Pornprom Karnchanachari, Partner, Legal Advisory Council Limited, Globalaw Member