How to cope with regulation around cyber security threats

Fund Operator talks to Puneet Kukreja, a Partner, Risk Advisory at Deloitte, about the regulatory landscape in Asia Pacific and what it means for fund operators in terms of managing cyber threats.

Fund Operator POSTED ON 9/10/2019 7:16:24 PM

This excerpt was taken from a roundtable discussion looking at how to successfully accomplish outsourcing or in-sourcing in an organisation.

You can read the full article in the research report Fund Technology, Data and Operations, APAC 2018 here.

Fund Operator: Are there varying levels of response across the Asia-Pacific region markets, both in terms of regulatory requirements as well as industry best practice?

Puneet: The Asian markets have laws that are still developing both from a privacy and response perspective.

China’s privacy laws are just coming in and Indonesia is not far behind. India has just started to look at what internet governance and privacy mean. Australia is quite advanced when it comes to privacy, with breach disclosure notification legislated earlier this year and so leads the way.

The Japanese, Hong Kong and Singaporean legislation talks a lot about what a response looks like, but the notion of privacy and data that is linked to private citizens is still being formed.

A breach is still a breach. And so the question is still around how organisations respond to it. If we look at how the Bangladesh National Bank responded to its breach last year for instance, it was quite clear that it didn’t have either secure or vigilance controls, and its resilience was quite poor as well.

The degree of maturity is quite varied because the Asian markets still see cyber security as a technology issue and something that can be resolved with the implementation of tools. They need to mature to see it as a whole-of-business issue, where technology will only play a small part.

Fund Operator: Given the varying levels of legislation across the different markets, does it make it complicated if you are an Asia-Pacific fund manager to comply with each of the jurisdictions?

Puneet: Yes, it does. But that is if the Asia Pacific fund manager is operating in 20 different locations. In that case they will need to understand the standard policies and consider the lowest or highest common denominator.

In addition they will need to know what lens they are putting on. With a data lens, they will need to understand the avenues of data transfer and how the resilience of their data assets is being managed.

The regulators are still catching up, but the controls and investments that are required continue to increase.

It is important to have a single reference point to ensure that all of your policies are mapped to a core minimum for security. So if the Monetary Authority of Singapore is the most stringent when it comes to cyber security controls, then an organisation that is operating across the region should align to that.

In addition, if your clients across asset holders and fund managers are dealing with European Union private citizens, then some aspects of General Data Privacy Regime (GDPR) will come in.

There is not one simple straight answer. Getting cyber security right will depend on the risk appetite of the organisation and be contingent on the legislative frameworks.
