Across the globe and within Asia Pacific, cyber attacks are increasing in frequency and sophistication

In the modern digital economy cyber attacks and data breaches are inevitable, and without proper regulatory and supervisory capabilities, some regulators in Asia-Pacific believe the next financial crisis might be triggered by a cyber attack.

According to Deloitte's Cyber regulation in Asia Pacific report, across the globe and within Asia Pacific, cyber attacks are increasing in frequency and sophistication. It is estimated that the cost of cybercrime can be up to US$575 billion per year , and the financial services sector is a key target.

Kevin Nixon, Global & Asia-Pacific Leader, Centre for Regulatory Strategy, Deloitte, said: "The financial system relies on confidentiality of data, protection of deposits, and provision of critical services, and all of this has come under threat in recent years as the frequency of cyber attacks has increased. Cyber risks are only set to increase as financial institutions become more data-driven digital businesses, and as more financial services are delivered online.

"If cyber risks and responses are not well managed, it could even threaten the stability of the financial system. Only those financial institutions who have robust cyber security and cyber risk management will be able to retain customers, maintain trust and enhance their competitive edge."

In response to these risks, regulators are considering appropriate standards and supervisory tools, and are actively urging firms to enhance capabilities so as to address these emerging threats. However, the Deloitte Cyber regulation in Asia Pacific report outlines a number of existing challenges Asia Pacific faces in relation to cyber security and examines how regulators across the region are seeking to tackle these.

Varied regulatory approaches
Although cyber threats cut across borders, regulatory approaches to cyber risk in Asia Pacific are varied and localised, with no significant steps taken yet toward harmonised standards across the region. Financial institutions struggle to understand the regulatory differences at a country level, to be aware of emerging threats and to design cyber risk programs that are coherent and robust across jurisdictions.

Despite that, there is a general consistency with regulatory approaches going beyond just security to focus on governance, vigilance and response.  

Outsourcing of work
The need to defend against outsourcing risk is an emerging and growing area of concern, in particular for those economies where IT services are widely contracted out to jurisdictions with weaker cyber security regimes.

Lack of human resources capabilities
Another challenge for financial institutions operating in Asia Pacific is that organisations have a shortage of dedicated IT security specialists and cyber professionals, meaning they may have difficulty staying up to date with the pace of change in the cyber landscape. Many financial institutions lack management recognition or understanding of the importance of cyber security and fail to adopt a coordinated approach across functions.

Deloitte's report provides a framework for overcoming these challenges and for strengthening cyber resilience.

James Nunn-Price, Asia-Pacific Cyber Risk Leader, Deloitte, added: "Cyber attacks are inevitable, and once regulators and organisations accept this, they can focus on building holistic, dynamic, enterprise wide cyber risk programs that are continually tested and updated to allow for agility and swift recovery. Strategies that enhance security, stay vigilant for emerging threats, ensure a flow of insights through to the cyber ecosystem and have senior support and oversight will be the ones that best position financial institutions to stay ahead of regulatory expectations."

Beyond this, industry and regulators should work together to further the development of cyber skills and expertise, to foster common standards and approaches, to support information sharing and to facilitate coordinated responses to incidents and attacks.