By Dr Amanda Salter

“There ain’t nothing safe in this world,” as Billy Idol growls in the 1982 hit song White Wedding. Most organisations would ruefully agree.

Just recently, in October 2024, a malware attack incapacitated India’s hill state of Uttarakhand, bringing the government’s entire IT infrastructure to a standstill and impacting critical services including the state’s Secure Internet Service and the State Wide Area Network. The resulting shutdown of 186 department websites lasted for days; two weeks later, 32 of those sites were still offline due to outdated systems and expired security software licences.

The attack also revealed crucial gaps in the Uttarakhand government’s business continuity plans, leaving officials scrambling to restore critical citizen services and protect sensitive data. In response, a new cybersecurity task force has been proposed, together with regular safety audits and mandatory updates for antivirus and security software at all government offices. A new Chief Security Officer post has been mooted, as has a disaster recovery centre. No doubt, harsh lessons have been learned.

Critics may tut and shake their heads, but there can be no righteous stone-throwing by the rest of us glasshouse dwellers. Cybersecurity attacks are ever increasing in sophistication and frequency, and similar disasters lie in wait. To appropriate a well-known data security saying, there are only two types of banks: those that know they’ve been compromised and those that don’t. Regulation and legislation are therefore critical to efforts to future-proof critical sectors such as banking.

The following is a quickfire summary of the most interesting changes in data governance and data security laws across Asia Pacific.

Watershed Legislation

There are some common legislative trends emerging in the area of data security, such as an increased level of scrutiny around operational resilience and enhanced data breach notification obligations. However, there is still a broad spectrum of disparate legislative requirements coming into force across multiple countries, which is likely to inflate compliance costs for banks.

The factors that may shape a realistic compliance roadmap include, on a per-jurisdiction level:

  • size of operational footprint;
  • business strategy and size of the opportunity;
  • number of data subjects;
  • amount of personal data held;
  • data processing activities taking place;
  • number of entrusted parties;
  • penalties, enforcement, and consequences of non-compliance; and
  • maturity of data governance laws.

India

+ Digital Personal Data Protection Act (DPDPA)

Status: Passed in August 2023, awaiting implementation via subordinate rules.

This long-awaited, cross-sector law on personal data protection:

  • Applies to the processing of all digital personal data within India, and outside India if it is in connection with services offered to individuals within India.
  • Shares some common concepts with Singapore’s Personal Data Protection Act (PDPA) 2012, such as an exemption for personal data that is publicly available, such as on social media or other publicly accessible websites.
  • Places obligations on data fiduciaries – any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data – to protect personal data, with penalties of up to INR250 crore (approximately RM130 million) for failing to implement reasonable preventative measures against personal data breaches. This is less severe than the earlier 2022 draft legislation, which proposed a fine of up to INR500 crore.
  • Establishes a Data Protection Board, an independent regulator that can set rules, issue penalties, conduct inspections, and impose urgent remedial measures in the event of a personal data breach.
  • Makes data fiduciaries responsible for actions of any data processors they engage.
  • Requires timely responses to a data principal’s – the natural person to whom the personal data relates, including beneficiaries – request for data access, correction, deletion, and objection.
  • Allows data principals to engage registered third party ‘consent managers’ to administer and enforce their rights, managing consents and data on their behalf. This is a unique concept not covered in some other jurisdictions, such as the UK General Data Protection Regulation (GDPR).
  • Requires data principals to be notified of all data breaches, regardless of severity or level of harm caused.

Singapore

+ Amendments to the Cybersecurity Act (CS Act)

Status: Passed by Parliament in May 2024, awaiting effective date.

  • Extends the meaning of ‘computer system’ to include ‘virtual computer systems’.
  • Clarifies that the owners of such virtual computer systems are the persons who have exclusive control over their operations and security.
  • Introduces new categories of regulated entities and computer systems to include foundational digital infrastructure (FDI), entities of special cybersecurity interest (ESCI), and systems of temporary cybersecurity concern (STCC). This broadens the earlier coverage of critical information infrastructure (CII) only.
  • Increases scope to cover third-party-owned computer systems, not just self-owned.
  • Extends coverage to include systems located outside of Singapore.
  • Increases regulatory powers of the Cyber Security Agency (CSA) to conduct inspections and require documentation from providers to ensure compliance.
  • Requires ESCIs, FDIs, and STCCs to report cybersecurity incidents that lead to a breach of the availability, confidentiality, or integrity of the entity’s data, or that have a significant impact on business operations.

South Korea

+ Amended Enforcement Decree of the Personal Information Protection Act (PIPA)

Status: Came into effect March 2024.

  • Obliges companies that are processing large amounts of personal data to appoint a Chief Privacy Officer with at least four years of experience in personal information protection.
  • Requires data controllers and data processors with annual sales of over KRW1 billion (RM3 million) and more than 10,000 data subjects to have insurance coverage for damages suffered by data subjects as a result of a violation of the PIPA.
  • Requires companies to disclose the legal basis for overseas transfers of personal data in privacy policies.

China

+ Provisions on Regulating and Promoting Cross-border Data Transfers (CBDT Regulations)

Status: Enacted March 2024 with immediate effect.

  • Provides significant exemptions from the compliance burden of cross-border data transfers under three scenarios, irrespective of data volume:
    • outbound data transfers necessary for contract signing or performance, such as account opening;
    • outbound transfers of personal data necessary to safeguard a life, health, or property in the event of an emergency; and
    • outbound transfers of employee data that are necessary for cross-border human resource management.
  • Provides further exemptions based on the volume of individuals affected:
    • outbound transfers of non-sensitive personal data for fewer than 100,000 individuals are exempt;
    • outbound transfers of personal data for between 100,000 and one million individuals or sensitive personal data for fewer than 10,000 individuals are only subject to the China Standard Contractual Clauses filing or certification, rather than a Cyberspace Administration of China (CAC) security assessment; and
    • outbound transfers of important data and of personal data exceeding one million individuals, or of sensitive personal information exceeding 10,000 individuals, require a CAC security assessment.

China

+ Regulations on Network Data Security Management

Status: Passed by the State Council in August 2024, comes into effect January 2025.

  • Covers not only personal data, but also business, industry, and financial data.
  • Expands permissible cross-border data transfer mechanisms to include security certification by qualified third parties and transfers necessary for performing mandatory duties. This goes beyond the relaxation of the CBDT Regulations.
  • Introduces requirements and best practices for privacy policies, consent forms, and third-party contractual arrangements for data sharing.
  • Provides practical details on implementing data portability. Defines prerequisite conditions such as the verified identity of the data subject and technical feasibility of the proposed request.
  • Sets penalties for violation of up to RMB50 million (RM30 million) or 5% of last year’s turnover, whichever is higher.

Upcoming Bills

There are also four upcoming bills that are of particular relevance to Asia-Pacific banks. The following summaries represent the state of play as at October 2024 and banks will want to stay on top of future developments as the relevant bills progress through the legislative process.

Malaysia

+ Amendments to the PDPA

Status: Passed by Dewan Negara in July 2024, awaiting royal assent.

  • Aligns the PDPA with international standards, bringing it into line with its Asia-Pacific peers.
  • Expands the definition of ‘sensitive personal data’ to include biometric data.
  • Excludes deceased individuals from the definition of ‘data subject’.
  • Requires data controllers and data processors to appoint a Data Protection Officer.
  • Introduces the right of data portability for data subjects, subject to technical feasibility and data compatibility.
  • Obliges data processors to take practical steps to protect personal data. Data processors face new penalties of up to RM1,000,000 and/or up to three years’ imprisonment for a violation.
  • Increases penalties for breaching the Personal Data Protection Principles to a fine of up to RM1,000,000 and/or up to three years’ imprisonment.
  • Requires data controllers to notify regulators of personal data breaches and to notify affected data subjects if the breach is likely to cause significant harm. Failure to comply may result in a fine of up to RM250,000 and/or up to two years’ imprisonment.
  • Revises cross-border data transfer rules to allow outbound transfers to any place that has similar laws to the PDPA or an equivalent level of protection as the PDPA.

Singapore

+ Digital Infrastructure Act (DIA)

Status: Announced March 2024, in draft.

  • Covers digital infrastructure that would have a systemic impact on Singapore’s economy and society if disrupted, for example data centres and cloud services that support widely-used digital services such as banking and payments.
  • Addresses a broader set of resilience risks than the CS Act, from technical system misconfiguration to cooling system failures.

United Kingdom

+ Digital Information and Smart Data Bill (DISD)

Status: Announced July 2024, currently in Parliament.

  • Replaces the earlier Data Protection and Digital Information (DPDI) Bill, which was a casualty of the 2024 UK general election.
  • Establishes ‘smart data schemes’, defined as the secure sharing of a customer’s data upon their request with third party providers, for example via open banking. This goes beyond the GDPR’s data portability rights.
  • Establishes digital verification services through secure and trusted digital identity products to support everyday processes such as moving house, purchasing age-restricted goods, and pre-employment checks.
  • Proposes a change in the governance model of the Information Commissioner’s Office (ICO), the UK’s regulatory body for data protection. The ICO is to be given a modern structure with a Chair, Board, and CEO with ‘stronger powers’.

United Kingdom

+ Cyber Security and Resilience Bill

Status: To be introduced to Parliament in 2025.

  • Intended to update the outdated Network and Information Systems Regulations 2018 and align with the EU Network and Information Security Directive and the upcoming EU Cyber Resilience Act.
  • Proposes greater powers for regulators to ensure essential cyber safety measures are implemented and to proactively investigate potential vulnerabilities. This work is to be funded through new cost recovery mechanisms, such as fees collected from regulated organisations.
  • Imposes stricter requirements for prompt incident reporting on cyberattacks or ransom demands, to enable identification of attack patterns and effective responses.

Hong Kong

+ Protection of Critical Infrastructure (Computer System) Bill

Status: Proposed in June 2024, to be introduced to the Legislative Council by end 2024.

  • The jurisdiction’s first ever cybersecurity law.
  • Applies to designated critical infrastructure operators (CIOs), which includes infrastructure for delivering banking and financial services.
  • Applies to critical computer systems (CCSs) that provide essential services or core functions of critical infrastructure.
  • Establishes a Commissioner’s Office to designate CIOs and CCSs, monitor security threats, assist CIOs in incident response, and investigate non-compliance by CIOs.
  • Mandates CIOs to fulfil three types of obligations:
    • organisation obligations, including setting up a computer system security management unit and informing the Commissioner’s Office of material changes to CCSs;
    • preventative obligations, including conducting security risk assessments and submitting security management plans to the Commissioner’s Office; and
    • incident reporting and response obligations, including participating in security drills, submitting emergency response plans to the Commissioner’s Office, and notifying the Commissioner’s Office of security incidents impacting CCSs in a timely manner.
  • Proposes fines of up to HKD5 million (RM3 million) with additional daily fines for non-compliance.

Moving Forward

Despite these legislative leaps, banks must remain cognisant that the perennial data security challenge for the sector remains unchanged: to achieve a sweet balance between risk mitigation, innovation, and trust.

Multinational banks will want to take a calculated, risk-based approach to assessing effort and costs for each market, and create a plan for the optimum sequence of compliance with new legislation and rules.


Dr Amanda Salter is a consultant at Akasaa, a publishing and strategic consulting firm. She has delivered award-winning customer experience strategies for the Fortune 500. Dr Salter holds a PhD in Human Centred Web Design; BSc (Hons) Computing Science, First Class; and is a certified member of the UK Market Research Society and Association for Qualitative Research.