Cybersecurity and data protection regulations in Asia

In this episode, we speak with Wilson Ang, a dispute resolution lawyer at Norton Rose Fulbright Singapore and head of the Asia regulatory compliance and investigations practice, as well as Jeremy Lua, a dispute resolution lawyer at Norton Rose Fulbright Singapore focusing on regulatory investigations and compliance.

Wilson focuses on strategic governance issues, including conducting internal investigations on business ethics and anti-corruption matters, often involving the US Foreign Corrupt Practices Act, the UK Bribery Act, and the Singapore Prevention of Corruption Act. Wilson has extensive experience designing and implementing compliance programs, conducting integrity due diligence reviews and handling complex and sensitive issues involving bribery, fraud, sanctions, money laundering/terrorist financing, cyber-security attacks, data breach incidents, competition law and financial services regulatory violations in Asia and beyond. Wilson’s practice also involves ESG issues like modern slavery and business human rights due diligence, health and safety matters, environmental regulatory disclosures and corporate governance.

Jeremy is experienced in a broad range of complex regulatory investigations and compliance matters, focusing on data protection, cybersecurity and technology matters, often assisting clients in navigating crisis situations, such as responding to data breach and cybersecurity incidents. He has also represented and advised clients on investigations initiated by the Personal Data Protection Commission of Singapore (PDPC). Jeremy’s practice includes matters involving anti-bribery and corruption, anti-money laundering, sanctions, export controls and financial fraud, as well as ESG issues like modern slavery and business human rights due diligence. Before joining Norton Rose Fulbright, Jeremy was a Deputy Public Prosecutor at the Attorney-General’s Chambers of Singapore, with a focus on technology crime.

In this podcast, Wilson and Jeremy share the latest updates in cybersecurity and data protection regulations across the Asia region, and the legal considerations that organisations need to keep in mind when developing cybersecurity and data protection measures.

The ongoing digital transformation has increased the available surface areas for threat actors to exploit, including human processes. Wilson shares an example of how Norton Rose Fulbright advised an international bank in its efforts to recover almost half a million dollars from a sophisticated attack by a threat actor, which conducted a lot of reconnaissance work to succeed with its attack.

The ongoing Razer vs Capgemini case has also put a spotlight on third-party risk in the data privacy context. Wilson provides a broad perspective on third-party IT supplier risk management, noting that “digital supply chains can be a point of weakness for the organisation. The chain reaction from a single attack on one supplier can compromise the whole network of organisations downstream”. He cautions that, however, “trying to obtain recourse is not straightforward.”

Jeremy expands on this issue, providing an overview of the breach notification obligations, including expected timeframes and considerations around the risk of harm. He advises organisations not to “jump the gun”, and instead focus on securing a reasonable level of confidence in the facts of the matter, before taking the next step.

On the prevalent threat of ransomware and the rise of the ransomware-as-a-service model, they urge organisations to take note of sanctions requirements surrounding ransomware payments—especially for those operating in multi-markets—to avoid triggering further legal issues.

Wilson and Jeremy wrap up the podcast by sharing some of the emerging cybersecurity and data protection regulations that they are tracking in the region. These include the Chinese Personal Information Protection Law and Thailand’s Personal Data Protection Act, which came into force on 1st June 2022. Wilson also shared that, when it comes to personal data breach incidents, there is increasing recognition of emotional distress as a form of actionable “loss or damage”.

Jane Lo, SINgapore Correspondent speaks with Wilson Ang, Partner, Head of Asia Regulatory Compliance and Investigations practice, Norton Rose Fulbright Singapore and Jeremy Lua, Dispute Resolution Lawyer, Norton Rose Fulbright Singapore.