Faisal Yahya is a strong advocate for better cybersecurity practices in Southeast Asia. As Head of IT, Cybersecurity and Insurance Enterprise Architect for PT IBS Insurance Broking Services and a seasoned CIO and CISO, he believes that when it comes to cybersecurity, there is “always room for improvement” even among the “best prepared organisations.”

Speaking to CIO ASEAN, Yahya discussed which measures countries in the region should take to improve cyber resilience, the impact of GDPR in ASEAN, and which specific cybersecurity challenges the insurance industry is facing today.

ASEAN: a hotbed for cyberattacks

Hackers from around the world are using Southeast Asian countries as launchpads for cyberattacks, either as vulnerable hotbeds of unsecured infrastructures where systems can be infected easily for large-scale attacks, or as centres for a single point of attack to gain access to the hubs’ global connections.

Although ASEAN member states are starting to take steps towards a more secure cyberspace and a more resilient digital infrastructure, recent large-scale data breaches indicate that much work still needs to be done.

For Yahya, an important threat comes from the high use of smartphones and other mobile devices. It is estimated that about 90% of people in Southeast Asia are using their smartphones to connect to the internet.

“We can expect mobile attacks to increase in proportion and sophistication in the years ahead,” he said. “For threat actors, the world of mobile devices holds excellent potential as these are easier to hack and they possess even more sensitive information than PCs. The limited storage capacity of these mobile devices is posing a more significant risk as many of their users store some of their apps and files in the public cloud, which may not be controlled by the company.

“These dynamics are causing a constant change in the landscape of cybersecurity, resulting in evolving attack vectors.
Without proper strategy, this eventually will become a rat race to step ahead of threat actors.”

However, the Head of IT also points out that it is difficult to find reliable statistics for cybercrime in ASEAN to adequately illustrate the impact of these malicious activities. The cross-border character and complexity of the motives of the attacks also make it difficult to investigate cybercrime in the region.

What measures can ASEAN members take to fight cybercrime?

Yahya thinks that the key to success in combating cybercrime involves harmonising laws against it and cross-border collaboration.

The first international treaty on cybercrime - the Budapest Convention - was signed in Hungary on 23 November 2001. As of March 2019, of the 63 states which have ratified the convention, none of them is from ASEAN.

“It is prominently essential for each [ASEAN] state to define who within each state is responsible for managing and evaluating the cybersecurity strategy, following a multilateral structure, including vesting of sufficient authority to drive across sectoral and government department boundaries, even when centralised and decentralised models exist,” Yahya told CIO ASEAN.

“Furthermore, this appointed national-level agency can start developing the implementation roadmap by identifying the critical information infrastructure and adopt sector-level risk assessment with maturity profiling.”

Once the cybersecurity stage is understood by comparing the critical information infrastructure and the sector-level risk assessment, governments can enact or update cybersecurity legislation and develop laws which address cybercrime.

In Yahya’s view, the alignment of national laws of most ASEAN members with the Budapest treaty convention would provide a consistent basis for collaborating in combating cybercrime, and a good start for bilateral agreements.

“The ASEAN Telecommunication and IT Ministers meetings (TELMIN) played a vital role in
the formulation of ASEAN’s internet and cybersecurity policy,” he explained. “And to further strengthen the collaboration between ASEAN members and recommendation from AIM2015, at 15th TELMIN the Ministers adopted the ASEAN ICT Masterplan 2020 (AIM2020) aim with eight ‘Strategic Thrusts’.”

“Nonetheless, this is a time-consuming process before it can prove a broader multilateral structure among ASEAN members. Both Budapest and AIM2020 work as a focus and foundation to build cybersecurity collaboration for every ASEAN member country.”

Yahya also emphasised the impact that the European Union’s (EU) General Data Protection Regulation (GDPR) is having on Southeast Asian businesses and organisations. Despite having come into effect thousands of miles away last spring, GDPR affects the data and privacy regulations of many firms in ASEAN which deal with EU citizens’ information. Therefore, GDPR could be used as an opportunity to update data policies, bringing them in line with Europe.

“The GDPR is excellent news for Southeast Asia countries in many ways in terms of data and privacy protection, mainly because the EU is ASEAN’s second largest trading partner and the largest Direct Investments provider,” he said.

“On top of that, it is estimated 7 million EU citizens travel to Southeast Asia countries each year. These are the reasons why many organisations in ASEAN are required to be compliant with the GDPR. In April 2018, both EU and ASEAN were launching two flagship programmes about policy dialogue and €61 million to support ASEAN economic integration processes.”

What are the cybersecurity challenges affecting the insurance industry?

Yahya has spent almost 20 years working at PT IBS Insurance Broking Services, a leading risk management and reinsurance services company in Indonesia.

Unlike other industries, Yahya noted, insurance plays two roles in cybersecurity.
On one hand there’s a need to secure the system architecture in force. On the other, it’s essential to leverage customers' cybersecurity systems and mitigate any potential loss. This dichotomy calls for an integrated approach.

“A holistic and equilibrium-like approach is required to cope with the challenges that come from these roles,” he explained. “From an insurance perspective, any cyberattack occurrence could potentially become a catastrophic loss which may give an impact for any organisation including the insurance company that was providing the cybersecurity insurance.”

Insurance belongs to the financial services industry group, a particularly lucrative target for attackers. It is also an industry which collects huge amounts of sensitive customer information, which in the wrong hands can lead to identity theft or blackmail. Reputation damage can be the worst consequence of any such attacks.

“The cyberattacks on insurance sectors may result in significant and tangible damages (fines, legal fees, and lawsuits), but the more significant impact may be the loss of trust from their customers,” said Yahya. “Since the insurance industry revolves around trust, any cyberattack can have a significant real impact on the insurance’s brand and market value.

“In the last decade, many insurance companies have invested enormous resources in cybersecurity tools and processes which may be providing them a false sense of security. As malicious actors learn to leverage their attack strategy, traditional tools like firewall, antivirus, intrusion detection systems, and intrusion prevention system are getting less effective.”

In September 2017, 5,400 AXA Insurance Singapore customers were affected by a data breach in the company’s online health portal.
Yahya predicts that these attacks will become more frequent and more harmful; therefore, organisations should start stepping up their defences.

“The financial impact of cyberattacks for the insurance industry can only be mitigated by promoting initiatives within companies and implementing the best standard mitigation strategies for customers,” said Yahya.

“The only way to thrive within this challenging situation is to continuously keep up with emerging technology, learn from customer experience to enrich actuarial data, and implement security best practices within the organisation.”

There is no doubt that openness and transparency in digitalisation processes have also brought important cybersecurity risks, not just for companies but for countries as a whole.

Although there is still room for improvement when it comes to data protection and cybersecurity legislation in ASEAN, initiatives such as AIM2020 and the influence of GDPR can help strengthen the foundations of the cybersecurity landscape in the region in the coming years.