
Cybersecurity Regulation—Types, Principles, and Country Deep Dives in Asia

International Cybersecurity Law Review

Abstract

Cybersecurity regulation is growing in number, teeth, and enforcement. The ever-increasing reliance on computers and the internet by our societies and the increasing costs of financially motivated and state-sponsored cyberattacks (which have shut down critical services such as power grids, hospitals, banks, seaports, gas pipelines and caused significant financial losses as well as physical harms) have motivated governments around the world to implement greater cybersecurity regulation and increase their enforcement. This is regarded in many countries as an area of regulatory priority and national security. Recent examples of new cybersecurity regulations include the 2023 United States Securities and Exchange Commission’s Cybersecurity Risk Management, Strategy, Governance, Incident Disclosure rules, the upcoming European Union’s Network and Information Security Directive 2.0 that penalizes noncompliance with fines of up to 2% of one’s global revenue, and Japan’s amended Telecommunications Business Act (電気通信事業法) which has expanded in scope significantly beyond traditional telecommunications providers and imposes a range of cybersecurity related obligations.

Cybersecurity regulations can be broadly divided into anti-hacking, protection, and incident reporting laws. This article focuses on protection laws, which oblige and incentivize in-scope entities to strengthen their cybersecurity defences under the penalty of law and which deter cyberattacks by denial. These laws typically prescribe the cybersecurity controls and practices that in-scope entities need to adopt to protect the confidentiality, integrity and availability of their computer systems and the information therein. This article explains the key principles that should guide the formulation of such laws and their enforcement so that they can be a net positive to societies. Thereafter, this article takes a deep dive into the key cybersecurity regulations and case law in three key Asia-Pacific jurisdictions (Japan, Australia, and Singapore). These jurisdictions have adopted different approaches but share notable similarities (such as reference to established cybersecurity frameworks offered by ISO 27001 and NIST’s Cybersecurity Framework) in their regulation and enforcement. The growing landscape of cybersecurity regulations makes clear that the legal liabilities from cybersecurity breaches will continue to grow, and cybersecurity risk management will be a management priority for companies to address as they would other types of risks such as financial, supply-chain or reputational risks.


Notes

  1. Sharon Klyne & Lynn Doan, “Cyberattack Paralyzes Australia Ports in Threat to Supply Chains” (11 November 2023) Bloomberg <https://www.bloomberg.com/news/articles/2023-11-11/australian-authorities-meet-as-dp-world-shuts-ports-on-cyber-act> (last accessed 11 April 2024).

  2. Council on Foreign Relations, “Compromise of a power grid in eastern Ukraine” (December 2015) <https://www.cfr.org/cyber-operations/compromise-power-grid-eastern-ukraine> (last accessed 11 April 2024).

  3. BBC News, “NHS cyber-attack: GPs and hospitals hit by ransomware” (13 May 2017) <https://www.bbc.com/news/health-39899646> (last accessed 11 April 2024).

  4. Kim Rahn, “NK launched cyber attack on Nonghyup” (May 2011) The Korea Times <https://www.koreatimes.co.kr/www/news/nation/2011/05/117_86369.html> (last accessed 11 April 2024).

  5. Joshua Hammer, “The Billion-Dollar Bank Job” (3 May 2017) New York Times <https://www.nytimes.com/interactive/2018/05/03/magazine/money-issue-bangladesh-billion-dollar-bank-heist.html> (last accessed 11 April 2024).

  6. Second Amended Order Granting Plaintiff’s Motion for Final Approval of Class Action Settlement, In Re: Yahoo! Inc. Customer Data Security Breach Litigation, No. 16-MD-02752-LHK (N.D. Calif. July 22, 2020) <https://www.govinfo.gov/content/pkg/USCOURTS-cand-5_16-md-02752/pdf/USCOURTS-cand-5_16-md-02752-5.pdf>.

  7. William Ralston, “The untold story of a cyberattack, a hospital, and a dying woman” (11 November 2020) Wired <https://www.wired.co.uk/article/ransomware-hospital-death-germany> (last accessed 11 April 2024).

  8. Andy Greenberg, “A hacker tried to poison a Florida City’s water supply, officials say” (8 February 2021) Wired <https://www.wired.com/story/oldsmar-florida-water-utility-hack/> (last accessed 11 April 2024).

  9. For a detailed analysis of cybersecurity incident reporting laws and the principles that should guide their formulation, see Nicholas Seng, Cybersecurity Incident Reporting Laws in the Asia-Pacific, International Cybersecurity Law Review Vol 4, pp 325–346 (2 June 2023) <https://springer.longhoe.net/article/10.1365/s43439-023-00088-9> (last accessed 11 April 2024).

  10. Cybersecurity Agency of Singapore, Public Consultation on the Proposed Cybersecurity (Amendment) Bill (15 December 2023) <https://www.csa.gov.sg/News-Events/Press-Releases/2023/public-consultation-on-the-proposed-cybersecurity-(amendment)-bill> (last accessed 11 April 2024).

  11. National Institute of Standards and Technology, “NIST Retires SHA‑1 Cryptographic Algorithm” (15 December 2022) <https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm> (last accessed 11 April 2024).

  12. This is defined in Article 16 APPI as essentially any person which uses a personal information database for business, and expressly excludes government agencies.

  13. Article 23 APPI (安全管理措置) provides: “個人情報取扱事業者は、その取り扱う個人データの漏えい、滅失又は毀損の防止その他の個人データの安全管理のために必要かつ適切な措置を講じなければならない。” (Security control measures: a personal information handling business operator must take necessary and appropriate measures to prevent the leakage, loss or damage of the personal data it handles and otherwise to ensure the security control of that personal data.)

  14. Article 24 APPI (従業者の監督) provides: “個人情報取扱事業者は、その従業者に個人データを取り扱わせるに当たっては、当該個人データの安全管理が図られるよう、当該従業者に対する必要かつ適切な監督を行わなければならない。” (Supervision of employees: a personal information handling business operator, when having its employees handle personal data, must exercise necessary and appropriate supervision over those employees so that the security control of that personal data is ensured.)

  15. Section 3-4‑2 of the Japan Personal Information Protection Commission, “Guidelines for Act on the Protection of Personal Information (General Rules)” (個人情報の保護に関する法律についてのガイドライン(通則編)) (Revised December 2021) (“JPPC Guidelines”).

  16. These are: (i) the potential harm to individuals in the event of a security breach; (ii) the size and nature of the business; (iii) nature and volume of personal information handled by the business; and (iv) the media on which the personal data is recorded.

  17. Appendix 10 of the JPPC Guidelines.

  18. This category of control is vaguely described in the JPPC Guidelines. This appears to require a business to understand the legal system of the jurisdictions where it processes personal data obtained from Japan outside of Japan, and the powers of the authorities in those jurisdictions to compel access or obtain access to such personal data.

  19. ISO/IEC 27001, “Information security, cybersecurity and privacy protection—Information security management systems—Requirements” (3rd Edition, 2022) (“ISO/IEC 27001:2022”).

  20. Approximates to controls referenced in ISO/IEC 27001:2022, Annex A at [5.15].

  21. Approximates to controls referenced in ISO/IEC 27001:2022, Annex A at [5.16], [5.17], [5.18].

  22. Approximates to controls referenced in ISO/IEC 27001:2022, Annex A at [8.7], [8.16], [8.20].

  23. Approximates to controls referenced in ISO/IEC 27001:2022, Annex A at [8.8], [8.24].

  24. Per Article 148(3) APPI.

  25. Per Article 148(4) APPI.

  26. Per Article 178 read with Article 184(1) APPI. Before such a fine can be imposed, a criminal indictment will have to be filed, and a court must find that the breach of the corrective order had occurred.

  27. Article 709 of the Civil Code provides that: “person who has intentionally or negligently infringed any right of others, or legally protected interest of others, shall be liable to compensate any damages resulting in consequence”.

  28. Ponazecki & Horikawa, “Japanese Court Orders Payment of 6,000 Yen to Each Plaintiff in Connection with Yahoo! BB Personal Data Leak” (1 August 2006) IAPP <https://iapp.org/news/a/2006-08-japanese-court-orders-payment-for-yahoo-bb-personal-data-leak/> (last accessed 11 April 2024).

  29. Per Article 2(iii) TBA.

  30. Article 164(1) TBA.

  31. Article 27(5) TBA.

  32. Article 27(5) TBA read with Article 22-2-21 of the TBA Enforcement Regulations.

  33. Article 27(6) TBA read with Article 22-2-22 of the TBA Enforcement Regulations.

  34. Article 27-6(1)(i) TBA read with Article 22-2-22(I) TBA Enforcement Regulations.

  35. Article 27-6(1)(ii) TBA.

  36. Article 22-2-22(II) TBA Enforcement Regulations.

  37. Article 27-6(1)(iii) TBA read with Article 22-22-2(I)(e) TBA Enforcement Regulations.

  38. Article 27-10 TBA.

  39. Article 27-10 TBA.

  40. Articles 22-2-25 & 22-2-26 TBA Enforcement Regulations.

  41. Article 27-9(1) TBA read with Article 22-2-24 TBA Enforcement Regulations.

  42. Article 167‑2 TBA.

  43. Article 188(i) TBA.

  44. Article 186(iv) TBA.

  45. Section 8D SOCI.

  46. Section 15 PA.

  47. Section 6 PA.

  48. “Personal information” is defined in Section 6 PA as “information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; (b) whether the information or opinion is recorded in a material form or not”.

  49. Clause 11 of Schedule 1 PA.

  50. The Office of the Australian Information Commissioner (“OAIC”) indicated it is in the process of updating this guide.

  51. OAIC, Guide to Securing Personal Information (June 2018).

  52. OAIC, Australian Privacy Principles Guidelines (December 2022) at [B.111].

  53. OAIC, Guide to Securing Personal Information (June 2018) at pp 12–16.

  54. The PA terms this as “sensitive information” and defines it in Section 6 of the PA.

  55. OAIC, Guide to Securing Personal Information (June 2018) at pp 16–42.

  56. One criticism of the OAIC Security Guide is that the organizing principle behind its categories of security measures is unclear. In contrast, the National Institute of Standards and Technology’s Cybersecurity Framework 2.0 (26 February 2024), which organizes security measures according to function (i.e. Govern, Identify, Protect, Detect, Respond, Recover) to protect the confidentiality, integrity, and availability of one’s information systems, offers a much clearer and better organized way of setting out the security measures to be considered.

  57. See for example, Sony Playstation Network: OAIC’s Own Motion Investigation Report (29 September 2011); Dell Australia and Epsilon: OAIC’s Own Motion Investigation Report (1 June 2012); Adobe Systems Software Ireland Ltd: OAIC’s Own Motion Investigation Report (June 1, 2015).

  58. For example, a pathology service company, Australian Clinical Labs Limited (“ACL”), suffered a cybersecurity breach which allegedly led to the exfiltration of over 86 gigabytes of data, including health information and financial information such as credit card details. The OAIC commenced court proceedings against the company in November 2023 for, amongst other things, failing to take reasonable steps to protect the personal information it held, in contravention of the PA. As part of its case against ACL, the OAIC set out ACL’s security measures at the material time and identified the security measures it should reasonably have taken but failed to take. See: OAIC v ACL, Concise Statement (NSD 1287/2023), dated 24 November 2023 at [10], [12], [14] and [32] <https://www.oaic.gov.au/__data/assets/pdf_file/0017/112526/AIC-v-Australian-Clinical-Labs-Limited-concise-statement.pdf> (last accessed 11 April 2024).

  59. Vodafone Hutchison Australia: OAIC Own Motion Investigation Report (16 February 2011).

  60. Multicard Pty Ltd: OAIC Own Motion Investigation Report (1 May, 2014).

  61. AAPT and Melbourne IT: OAIC Own Motion Investigation Report (15 October 2013).

  62. First State Super Trustee Corporation: OAIC Own Motion Investigation Report (1 June 2012). Interestingly, the breach was caused by a self-described white hat conducting an unsolicited penetration test on the entity’s systems and then marketing his services to the entity.

  63. Ashley Madison Joint Investigation: OAIC (24 August 2016).

  64. Ashley Madison Joint Investigation: OAIC (24 August 2016).

  65. Adobe Systems Software Ltd: OAIC Own Motion Investigation Report (1 June 2015).

  66. DonateBlood.com.au (Australian Red Cross Blood Service): OAIC Own Motion Investigation Report (7 August 2017).

  67. Section 13(1) PA.

  68. Section 13G PA. These were introduced in November 2022.

  69. Section 80U(2) PA.

  70. Section 13G(3) PA.

  71. Section 80V PA read with Sections 114, 115 of the Regulatory Powers Act.

  72. OAIC, Privacy Regulatory Action Policy (December 2022) at [4.17]. <https://www.oaic.gov.au/__data/assets/pdf_file/0009/25002/Privacy-Regulatory-Action-Policy-December-2022.pdf> (last accessed 11 April 2024).

  73. Section 115(2) Regulatory Powers Act.

  74. Marriott International Enforceable Undertaking (7 February 2023).

  75. There are additional obligations relating to incident response planning, cybersecurity exercises, vulnerability assessments, and information provision for responsible entities for “systems of national significance”. Such systems are designated in writing by the Minister of the Department of Home Affairs: Section 52B SOCI.

  76. Section 9(2B) SOCI.

  77. Section 5 SOCI.

  78. Section 12F read with Section 5 SOCI.

  79. Sections 30AC, 30AD, 30AE, 30AF SOCI.

  80. It is described in Section 30AH SOCI and further described in the SOCI (Critical Infrastructure Risk Management Program) Rules (LIN 23/006) 2023, in a manner that is neither straightforward nor clear.

  81. SOCI (Critical Infrastructure Risk Management Program) Rules (LIN 23/006) 2023 (31 January 2023) (“SOCI CIRMP Rules”).

  82. Section 30AH(1)(c) SOCI read with Rule 8(4) of the SOCI CIRMP Rules.

  83. Rule 8(4) of the SOCI CIRMP Rules states, somewhat vaguely, that: “a responsible entity must establish and maintain a process or system in the CIRMP to: (a) comply with a framework contained in a document mentioned in the following table as in force from time to time; and (b) meet any conditions mentioned in the table for the document”. The rule sets out five information security standards, frameworks or models, which include the NIST Cybersecurity Framework and AS ISO/IEC 27001.

  84. Section 30AH(1)(c) SOCI read with Rule 8(4) of the SOCI CIRMP Rules.

  85. Australian Signals Directorate, Essential Eight Maturity Model (27 November 2023) <https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model> (last accessed 11 April 2024).

  86. Sections 30AC, 30AD and 49(1) SOCI read with Section 4AA of the Crimes Act 1914.

  87. Section 49(1) SOCI.

  88. Australian Securities and Investments Commission v RI Advice Group Pty [2022] FCA 496 at [66].

  89. Australian Securities and Investments Commission v RI Advice Group Pty [2022] FCA 496 at [86].

  90. As per Section 2(1) PDPA.

  91. PDPC, Advisory Guidelines on Key Concepts in the PDPA (Revised 16 May 2022) at [6.3].

  92. PDPC, Advisory Guidelines on Key Concepts in the PDPA (Revised 16 May 2022) at [17.2].

  93. It has often been joked that the only truly secure system is one that is powered off, cast in a block of concrete, and sealed in a lead-lined room with armed guards. Keeping data in such a system would be practically useless; there is an inevitable tension between security and usability, and the task is finding the right balance between them.

  94. Additionally, the Code of Practice specifies five key cybersecurity principles that CII owners should adopt in relation to their people, processes, and technologies: defence in depth, the principle of least privilege, the principle of segregation of duties, the defence by diversity principle, and the zero-trust principle: Para 3.5.1–3.5.2 of the Code of Practice.

  95. Para 5.7.2 of the Code of Practice.

  96. Section 7(1) of the Cybersecurity Act. The Commissioner will also specify in writing the computer or computer system that is designated as a CII: Section 7(2)(a) of the Cybersecurity Act.

  97. There are 46 prescribed services listed in the First Schedule of the Cybersecurity Act that are regarded as essential services.

  98. Section 7(1) of the Cybersecurity Act.

  99. For example, the TRM notice issued to banks, MAS Notice 644 (Issued 21 June 2013) at [9], states: “A bank shall implement IT controls to protect customer information from unauthorized access or disclosure”. “Customer information” is defined in MAS’s Frequently Asked Questions: Notice on TRM at p 2 as referring to “information held by the [financial institution] that relates to its customers and these include customers’ accounts, particulars, transaction details and dealings with the [financial institution].” A significant subset of customer information would be personal data as defined by s 2(1) of the PDPA, where it is about an individual who can be identified from that data (e.g., name and transaction details) or from that data together with other information to which an organization has or is likely to have access.

  100. As at the time of submission of this article.

References

  1. Andy Greenberg, “A hacker tried to poison a Florida City’s water supply, officials say” (8 February 2021) Wired <https://www.wired.com/story/oldsmar-florida-water-utility-hack/> (last accessed 11 April 2024).

  2. Australian Signals Directorate, Essential Eight Maturity Model (27 November 2023) <https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model> (last accessed 11 April 2024).

  3. BBC News, “NHS cyber-attack: GPs and hospitals hit by ransomware” (13 May 2017) <https://www.bbc.com/news/health-39899646> (last accessed 11 April 2024).

  4. Council on Foreign Relations, “Compromise of a power grid in eastern Ukraine” (December 2015) <https://www.cfr.org/cyber-operations/compromise-power-grid-eastern-ukraine> (last accessed 11 April 2024).

  5. Cybersecurity Agency of Singapore, Public Consultation on the Proposed Cybersecurity (Amendment) Bill (15 December 2023) <https://www.csa.gov.sg/News-Events/Press-Releases/2023/public-consultation-on-the-proposed-cybersecurity-(amendment)-bill> (last accessed 11 April 2024).

  6. ISO/IEC 27001, “Information security, cybersecurity and privacy protection—Information security management systems—Requirements” (3rd Edition, 2022).

  7. Japan Personal Information Protection Commission, Guidelines for Act on the Protection of Personal Information (General Rules) (Revised December 2021).

  8. Joshua Hammer, “The Billion-Dollar Bank Job” (3 May 2017) New York Times <https://www.nytimes.com/interactive/2018/05/03/magazine/money-issue-bangladesh-billion-dollar-bank-heist.html> (last accessed 11 April 2024).

  9. Kim Rahn, “NK launched cyber attack on Nonghyup” (May 2011) The Korea Times <https://www.koreatimes.co.kr/www/news/nation/2011/05/117_86369.html> (last accessed 11 April 2024).

  10. National Institute of Standards and Technology, “NIST Retires SHA‑1 Cryptographic Algorithm” (15 December 2022) <https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm> (last accessed 11 April 2024).

  11. National Institute of Standards and Technology, Cybersecurity Framework 2.0 (26 February 2024).

  12. Nicholas Seng, Cybersecurity Incident Reporting Laws in the Asia-Pacific, International Cybersecurity Law Review Vol 4, pp 325–346 (2 June 2023) <https://springer.longhoe.net/article/10.1365/s43439-023-00088-9> (last accessed 11 April 2024).

  13. Office of the Australian Information Commissioner, Australian Privacy Principles Guidelines (December 2022) at [B.111].

  14. Office of the Australian Information Commissioner, Guide to Securing Personal Information (June 2018).

  15. Office of the Australian Information Commissioner, Privacy Regulatory Action Policy (December 2022).

  16. Ponazecki & Horikawa, “Japanese Court Orders Payment of 6,000 Yen to Each Plaintiff in Connection with Yahoo! BB Personal Data Leak” (1 August 2006) IAPP <https://iapp.org/news/a/2006-08-japanese-court-orders-payment-for-yahoo-bb-personal-data-leak/> (last accessed 11 April 2024).

  17. Second Amended Order Granting Plaintiff’s Motion for Final Approval of Class Action Settlement, In Re: Yahoo! Inc. Customer Data Security Breach Litigation, No. 16-MD-02752-LHK (N.D. Calif. July 22, 2020) <https://www.govinfo.gov/content/pkg/USCOURTS-cand-5_16-md-02752/pdf/USCOURTS-cand-5_16-md-02752-5.pdf>.

  18. Sharon Klyne & Lynn Doan, “Cyberattack Paralyzes Australia Ports in Threat to Supply Chains” (11 November 2023) Bloomberg <https://www.bloomberg.com/news/articles/2023-11-11/australian-authorities-meet-as-dp-world-shuts-ports-on-cyber-act> (last accessed 11 April 2024).

  19. William Ralston, “The untold story of a cyberattack, a hospital, and a dying woman” (11 November 2020) Wired <https://www.wired.co.uk/article/ransomware-hospital-death-germany> (last accessed 11 April 2024).

Corresponding author

Correspondence to Nicholas Seng.

Ethics declarations

Conflict of interest

N. Seng declares that he has no competing interests.


About this article


Cite this article

Seng, N. Cybersecurity Regulation—Types, Principles, and Country Deep Dives in Asia. Int. Cybersecur. Law Rev. (2024). https://doi.org/10.1365/s43439-024-00127-z
