Faisal Yahya is a strong advocate for better cybersecurity practices in Southeast Asia. As Head of IT, Cybersecurity and Insurance Enterprise Architect for PT IBS Insurance Broking Services, and a seasoned CIO and CISO, he believes that when it comes to cybersecurity, there is “always room for improvement” even among the “best prepared organisations.”
Speaking to CIO ASEAN, Yahya discussed which measures countries in the region should take to improve cyber resilience, the impact of GDPR in ASEAN, and which specific cybersecurity challenges the insurance industry is facing today.
ASEAN: a hotbed for cyberattacks
Hackers from around the world are using Southeast Asian countries as launchpads for cyberattacks, either as vulnerable hotbeds of unsecured infrastructures where systems can be infected easily for large-scale attacks, or as centres for a single point of attack to gain access to the hubs’ global connections.
Although ASEAN member states are starting to take steps towards a more secure cyberspace and a more resilient digital infrastructure, recent large-scale data breaches indicate that much work still needs to be done.
For Yahya, an important threat comes from the high use of smartphones and other mobile devices. It is estimated that about 90% of people in Southeast Asia are using their smartphones to connect to the internet.
“We can expect mobile attacks to increase in proportion and sophistication in the years ahead,” he said. “For threat actors, the world of mobile devices holds excellent potential as these are easier to hack and they possess even more sensitive information than PCs. The limited storage capacity of these mobile devices is posing a more significant risk as many of their users store some of their apps and files in the public cloud, which may not be controlled by the company.
“These dynamics are causing a constant change in the landscape of cybersecurity, resulting in evolving attack vectors. Without proper strategy, this eventually will become a rat race to step ahead of threat actors.”
However, the Head of IT also points out that it is difficult to find reliable statistics for cybercrime in ASEAN to adequately illustrate the impact of these malicious activities. The cross-border character and complexity of the motives of the attacks also make it difficult to investigate cybercrime in the region.
What measures can ASEAN members take to fight cybercrime?
Yahya thinks that the key to success in combating cybercrime involves harmonising laws against it and cross-border collaboration.
The first international treaty on cybercrime – the Budapest Convention – was signed in Hungary on 23 November 2001. As of March 2019, of the 63 states which have ratified the convention, none of them is from ASEAN.
“It is prominently essential for each [ASEAN] state to define who within each state is responsible for managing and evaluating the cybersecurity strategy, following a multilateral structure, including vesting of sufficient authority to drive across sectoral and government department boundaries, even when centralised and decentralised models exist,” Yahya told CIO ASEAN.
“Furthermore, this appointed national-level agency can start developing the implementation roadmap by identifying the critical information infrastructure and adopting sector-level risk assessment with maturity profiling.”
Once the cybersecurity stage is understood, by comparing the critical information infrastructure against the sector-level risk assessment, governments can enact or update cybersecurity legislation and develop laws which address cybercrime.
In Yahya’s view, aligning the national laws of most ASEAN members with the Budapest Convention would provide a consistent basis for collaboration in combating cybercrime, and a good starting point for bilateral agreements.
“The ASEAN Telecommunication and IT Ministers meetings (TELMIN) played a vital role in the formulation of ASEAN’s internet and cybersecurity policy,” he explained. “And to further strengthen the collaboration between ASEAN members and the recommendations from AIM2015, at the 15th TELMIN the Ministers adopted the ASEAN ICT Masterplan 2020 (AIM2020) with eight ‘Strategic Thrusts’.”
“Nonetheless, this is a time-consuming process before it can prove a broader multilateral structure among ASEAN members. Both Budapest and AIM2020 work as a focus and foundation to build cybersecurity collaboration for every ASEAN member country.”
Yahya also emphasised the impact that the European Union’s (EU) General Data Protection Regulation (GDPR) is having on Southeast Asian businesses and organisations. Despite having come into effect thousands of miles away last spring, GDPR affects the data and privacy regulations of many firms in ASEAN which deal with EU citizens’ information. Therefore, GDPR could be used as an opportunity to update data policies, bringing them in line with Europe.
“The GDPR is excellent news for Southeast Asia countries in many ways in terms of data and privacy protection, mainly because the EU is ASEAN’s second largest trading partner and the largest Direct Investments provider,” he said.
“On top of that, it is estimated that 7 million EU citizens travel to Southeast Asia countries each year. These are the reasons why many organisations in ASEAN are required to be compliant with the GDPR. In April 2018, both the EU and ASEAN launched two flagship programmes on policy dialogue and €61 million to support ASEAN economic integration processes.”
What are the cybersecurity challenges affecting the insurance industry?
Yahya has spent almost 20 years working at PT IBS Insurance Broking Service, a leading risk management and reinsurance services company in Indonesia.
Unlike other industries, Yahya noted, insurance plays two roles in cybersecurity. On one hand there’s a need to secure the system architecture in force. On the other, it’s essential to leverage customers’ cybersecurity systems and mitigate any potential loss. This dichotomy calls for an integrated approach.
“A holistic and equilibrium-like approach is required to cope with the challenges that come from these roles,” he explained. “From an insurance perspective, any cyberattack occurrence could potentially become a catastrophic loss which may have an impact on any organisation, including the insurance company that was providing the cybersecurity insurance.”
Insurance belongs to the financial services industry group, a particularly lucrative target for attackers. It is also an industry which collects huge amounts of sensitive customer information, which in the wrong hands can lead to identity theft or blackmail. Reputation damage can be the worst consequence of any such attacks.
“The cyberattacks on insurance sectors may result in significant and tangible damages (fines, legal fees, and lawsuits), but the more significant impact may be the loss of trust from their customers,” said Yahya. “Since the insurance industry revolves around trust, any cyberattack can have a significant real impact on the insurer’s brand and market value.
“In the last decade, many insurance companies have invested enormous resources in cybersecurity tools and processes which may be providing them a false sense of security. As malicious actors learn to leverage their attack strategy, traditional tools like firewalls, antivirus, intrusion detection systems, and intrusion prevention systems are getting less effective.”
In September 2017, 5,400 AXA Insurance Singapore customers were affected by a data breach in the company’s online health portal. Yahya predicts that these attacks will become more frequent and more harmful, and therefore organisations should start stepping up their defences.
“The financial impact of cyberattacks for the insurance industry can only be mitigated by promoting initiatives within companies and implementing the best standard mitigation strategies for customers,” said Yahya.
“The only way to thrive within this challenging situation is to continuously keep up with emerging technology, learn from customer experience to enrich actuarial data, and implement security best practices within the organisation.”
There is no doubt that openness and transparency in digitalisation processes have also brought important cybersecurity risks, not just for companies but for countries as a whole.
Although there is still room for improvement when it comes to data protection and cybersecurity legislation in ASEAN, initiatives such as AIM2020 and the influence of GDPR can help strengthen the foundations of the cybersecurity landscape in the region in the coming years.