Asia-Pacific Strives to Keep Pace with Cyber Threats
Publication | 01.28.25
The Asia-Pacific (APAC) region witnessed a rapid digital transformation in 2024, powered by its connectivity and technological innovations. However, these advancements have introduced new vulnerabilities into the region’s digital ecosystem, which more sophisticated and nuanced cyber threats are already exploiting. In Q2 2024 alone, the APAC region experienced an average of 2,510 weekly cyberattacks per organization, marking a 23 percent increase compared to the same period in 2023.
To keep pace with this evolving threat landscape, several APAC countries, including Australia, Hong Kong, Japan, and Singapore, implemented new or updated cyber policies. The most popular areas of regulatory action this year included critical infrastructure (CI), artificial intelligence (AI), operational technology (OT), and the Internet of Things (IoT).
Moving into 2025, these legislative developments will serve as models for other APAC countries as they consider their own measures to reduce cyber risk. Companies operating in or servicing the APAC region should actively monitor these developments and engage early and often. Doing so will help ensure that policymakers have the benefit of the private sector’s experience—and that companies thoroughly understand the nuances of their regulatory obligations.
Critical Infrastructure
Securing CI emerged as a top priority for APAC countries in 2024, particularly in response to headline-making incidents such as cyber espionage attacks against India’s government and energy sectors and a cyber-attack on Indonesia’s National Data Centre that disrupted hundreds of public services.
The Singapore Parliament enacted the Cybersecurity (Amendment) Bill No. 15/2024, introducing key changes to its Cyber Security Act 2018. The amendments extend the Act’s coverage to both physical and virtual critical information infrastructure (CII) systems, such as those hosted on cloud platforms and located overseas. The bill also expands the scope of reportable cybersecurity incidents to encompass systems controlled by CII owners and their external suppliers. Additionally, it regulates newly defined Systems of Temporary Cybersecurity Concern (STCC), Entities of Special Cybersecurity Interest (ESCI), and providers of Foundational Digital Infrastructure Services (FDIS).
Partly formulated in response to a series of high-profile data breaches, Hong Kong’s proposed bill imposes statutory obligations on CI operators (CIOs) to strengthen their critical computer systems (CCSs). It expands the scope of cybersecurity regulation to include both physical and virtual CIs, establishes a new commissioner’s office for implementation, and introduces mandatory measures for CIOs to prevent, respond to, and recover from cyberattacks. The SAR Government plans to introduce the proposed Bill into the Legislative Council by the end of 2024, with the aim of setting up the Commissioner’s Office within one year following the passage of the bill and bringing the legislation into force within six months thereafter.
Artificial Intelligence
The growing use of AI technologies in the APAC region is a double-edged sword. While AI enhances threat detection, automates responses, and predicts potential vulnerabilities, the technology comes with its own unique security risks. Consequently, there is a heightened focus on developing robust AI security through stringent regulations, mandatory security assessments, and secure AI development practices. Key trends in AI security regulation include adopting sector-specific approaches, focusing on continuous system testing and monitoring, and implementing risk-based regulatory frameworks, inspired by the U.S. National Institute of Standards and Technology’s (NIST) AI Risk Management Framework and the European Union’s AI Act.
The documents aim to ensure that AI systems are secure-by-design and secure-by-default, thereby helping system owners manage security risks from the outset and building user confidence in AI systems. The guidelines outline a lifecycle approach to AI security, covering five stages: planning and design, development, deployment, operations and maintenance, and end-of-life. Key recommendations include conducting security risk assessments, securing the AI supply chain, implementing secure development environments, and establishing incident management procedures tailored to AI systems. The guidelines also advocate continuous monitoring of AI system inputs and outputs, secure-by-design updates, and a vulnerability disclosure process.
Operational Technology
Securing OT has become a focal point for industries across the APAC region, particularly those reliant on industrial sectors like transportation and manufacturing. Unlike traditional IT systems, OT environments often involve legacy systems that were not originally designed with cybersecurity in mind, making them particularly vulnerable to cyberattacks.
The Masterplan addresses nuanced cyber threats, aiming to enhance the security and resilience of both critical and non-critical OT systems. It outlines four key objectives:
- improving OT cybersecurity professional competency,
- enhancing information sharing and reporting,
- uplifting OT cybersecurity resilience beyond CII, and
- establishing an OT Cybersecurity Centre of Excellence while promoting secure-by-deployment principles throughout the OT system lifecycle.
Internet of Things
IoT cybersecurity has become crucial as the proliferation of IoT devices revolutionizes various sectors, from smart homes and healthcare to industrial automation and urban infrastructure. However, the rapid expansion of IoT devices also introduces myriad cybersecurity challenges, as IoT devices often lack robust security measures, making them prime targets for cyberattacks.
Australia’s bill mandates that manufacturers and suppliers of IoT devices comply with security standards specified by the Australian Government, which will be detailed in upcoming rules and updated as new standards emerge. Manufacturers and suppliers must also provide and retain a statement of compliance. Non-compliance can result in enforcement actions such as compliance notices, stop notices, and recall notices.
Additionally, Japan’s Ministry of Economy, Trade and Industry (METI) developed a voluntary scheme that establishes baseline and category-specific security requirements for IoT products. Labels will be granted based on self-declarations or third-party evaluations, with the aim of aligning with international standards to reduce conformity assessment costs for vendors. The scheme is set to begin accepting self-declarations and granting labels by March 2025.
Meanwhile, Singapore’s Cyber Security Agency (CSA) has signed mutual recognition agreements (MRAs) with three international cybersecurity agencies, in Finland, Germany, and South Korea, to mutually recognize cybersecurity labels for smart consumer products. The agreements with Germany and South Korea came into effect on January 1, 2025. The MRAs will streamline the certification process, reduce costs, and enhance market access for manufacturers by acknowledging each other’s cybersecurity labels for devices such as smart home assistants and health trackers. The MRAs also aim to facilitate the global trade of secure smart devices. Whether similar MRAs will be established with other IoT labelling regimes, such as those in Australia, Japan, and the United States, remains to be seen. The United States and EU are also working to align their respective IoT cybersecurity labeling systems.