Every day, Internet users around the Globe create an estimated 2.5 quintillion bytes of data. Such a level of interconnectedness brings greater opportunities, but it also heightens the risk of cyber-attacks. The level of attention that this topic has been receiving at the highest levels of government has been recently highlighted by the European Union’s new regulation—the EU General Data Protection Regulation (EU GDPR)—and complimentary directive on the matter.
Giovanni Pisacane from GWA Asia looks at the growing risk of cyber-attacks and makes a comparison between how it is being dealt with in Europe and China.
Cyber-attacks: a growing concern
Today, all companies are reliant on IT to some degree, which necessitates making cybersecurity a top priority. While data can be lost or stolen through employees, the biggest attacks in the last five years have been as a result of hacking. But even with the well-documented adverse effects of hacking, many companies do not have sufficient policies in place to protect against this threat.
Egress Software Technologies carried out a survey during Infosecurity Europe 2016 and found that two thirds of respondents admitted they could do more to protect data, while 61 per cent disclosed that they had suffered a security breach within the past year. Companies are clearly not prioritising data security, and this is costly for several reasons.
A data breach can lead to customers and clients severing their connections with a company out of fear that their interaction can impact other areas of their lives. Moreover, Semafone, a UK-based fraud prevention company, found that businesses are less likely to trade or conduct deals with businesses that have been breached, particularly if the breach included sensitive data. Thus the breach can translate into a financial loss for the enterprise.
Global standards of cybersecurity: the role of the law
The law performs two vital roles: enhancing cyber security preparedness and protecting consumers.
By having a common, minimum and mandatory standard of security, companies within the same jurisdictions can present a unified defence against attacks. This helps facilitate trust and business relationships since companies understand that partners and other stakeholders that they deal with are also protecting their data.
Additionally, an international legal standard is useful in breaking down the barriers between nations and facilitating a united front.
The law can enforce protection by requiring firms to report breaches, enabling the relevant government authorities to take action to strengthen security and empower individuals to mitigate harm, as well as encouraging organisations to adopt effective security measures and protect internal systems.
Europe: looking to the future
The EU is moving to bolster user protection by introducing mandatory minimums and increasing accountability and responsibility.
The EU GDPR creates new obligations in areas such as data anonymisation, compulsory breach notifications and the appointment of data protection officers, requiring organisations handling EU citizens’ data to make major changes to the way they operate. Enterprises are required to notify authorities of a security breach within 72 hours of awareness: non-compliance with the regulation would cost four per cent of a company’s annual turnover or EUR 20 million, whichever is higher.
On 17th May, 2016, the EU Council officially adopted the first EU-wide legislation on cybersecurity – the Network Information Security Directive (Directive). The Directive complements the EU GDPR by imposing obligations on businesses that act as “operators of essential services” in high-risk sectors such as energy and finance, requiring them to take measures to minimise their cyber risk, and to report certain cyber incidents.
Preparing a company for compliance with the new regulation must start by ensuring that all employees are aware of the implications of a cyber security attack.
The regulation highlights a risk-based approach, making it imperative that companies implement secure procedures for data storage and transfer, as well as controls to protect sensitive information. Breaches that affect compliance will incur hefty penalties.
China and cybersecurity
It is estimated that more than 700 million Chinese people have access to the Internet and that around 400 million of these consumers are conducting the majority of their payments using smartphones. The country’s IT market is worth in excess of USD 300 billion. Despite this vast and impressive online infrastructure, the Booz Allen Cyber Power Index 2014 placed China in thirteenth place in terms of their 2015 global cyber power ranking. Unlike its western counterparts, who focus on risk-based and consumer protective approaches, China’s goal in using the law as a cyber regulatory tool is attached to its motive to use the Internet as a means to build up a domestic information economy and secure network infrastructure that directly benefits national economic development and political stability. For China, protecting domestic structures is at the heart of cyber law reform. We can see such a move in the PRC Cyber Security Law (2016).
The new law will require, domestic and international, software companies, network-equipment manufacturers and other technology suppliers to disclose their proprietary source code—the core component and intellectual property running their software—in order to prove that their products cannot be compromised by hackers. The government wants firms which operate in ‘critical’ areas to store any personal information or important data that they gather in China, within China’s borders. The definition of ‘critical’ is vague, but what is clear is that it would apply to areas such as information and communication technology (ICT) services, energy and finance. These requirements can be seen to be rather demanding on smaller companies. The longer the company operates the more data that it will collect from within China, thus more storage space will be required, further necessitating expense.
The initial reception of these regulations proved negative, especially from multinational corporations, which typically rely on cross-border flows of business data. This is compounded by the worry that the law will not only require additional expense with regard to new investments, but also increase the risk of data theft. Further, companies will be required to obtain security certifications for important network equipment and software. Foreign firms expressed a fear that this might be used to pressure them into turning over security keys and other patented software, which would then be disseminated to state-owned rivals.
China appears to have adopted a shelter mentality, concerned more with domestic protectionism than actively reassuring cyber defences and rooting out cyber criminals, a position that lends itself poorly to cross-border cooperative security operations and efforts.
Companies appear unaware of the growing trend in both the scale and sophistication of cyber security threats, and this is worrying. With newer legislation, priorities may begin to shift, particularly in light of the non-compliance penalties. The law is a powerful tool to assist with setting a high standard in data protection. Cyber-attacks will only increase as the world becomes increasingly connected, thus it is up to the leaders of businesses and organisations to be ahead of the curve in the fight against cyber-crime.
GWA Greatway Advisory is an international consulting firm operating in Asia since 2004, with offices in Shanghai, Beijing, Hong Kong and Italy. GWA, with its team of experts lawyers and certified public accountants, assists its clients in a wide range of cross-border and domestic transactions and offers a strong network of reliable alliances and partnerships around Asia and Europe.