While cybersecurity is at the forefront of risk and compliance concerns for corporates in Asia Pacific, current risk management strategies are ineffective, new research has found.
Many uncertain of whether they have been breached
For the newly released report Asia Pacific Corporate Risk and Compliance Index, SWIFT, the provider of financial messaging services, and research firm East & Partners Asia interviewed 915 of Asia Pacific’s Top 1,000 revenue-ranked enterprises across 10 major economies. It found that only 15% of corporates can claim with certainty that they have not experienced a cybersecurity breach in the past 12 months. While around 42% responded in the affirmative, more than 40% of corporates in Asia Pacific were “unsure” or unwilling to provide a direct answer.
The report found that more than one third (34.7%) of corporates said monetary loss was the biggest impact for corporates that experienced a cybersecurity threat. Other outcomes resulting from a breach include loss of client data (17.6%), cyber extortion (9.6%) and identity theft (7%).
Malware was found to be the leading cause of cyber-attacks, with nearly 50% of all corporates nominating it as how the breach occurred. Spyware (48.4%), phishing (39%) and ransomware also ranked highly among causes of breaches.
Lack of risk and compliance personnel
Despite the high instances of cyber-security breaches and low awareness of associated risks, Asia Pacific corporates lack risk and compliance personnel, especially at the management level. The report found that Chief Risk Officers (CROs) were not at all prevalent in the region, highlighted by 58% of corporates saying they do not have one in place.
Australian corporates outperformed the market, with 42.4% reporting they have a dedicated CRO. In contrast, the relatively mature market of Hong Kong is more aligned with Asian peers, with just 22.5% employing a CRO. Additionally, the presence of a senior risk officer increased corporates’ average total risk and compliance FTE headcount (23) to nearly four times that of those without.
Poor perception of own risk management strategies
Regionally, corporates rated their current risk management strategies as relatively poor. On a scale of 1 (totally achieved) to 5 (not achieved), Asia Pacific corporates rated themselves as below average (2.94). Although Australian corporates bettered the regional average at 2.89, those in developing markets such as Indonesia report some of the lowest levels of risk management effectiveness (4.02).
Alarmingly, over half of Asia Pacific corporates reported not having standardised internal procedures for the management of newly identified risks, with no plans to implement them. This figure jumped to between 80% and 90% for corporates in Taiwan and Indonesia, indicating severe gaps in risk and compliance governance.
The issues in effectiveness of risk and compliance governance are also being exacerbated by corporates’ lack of willingness to take responsibility internally. Across the region, nearly half of all firms (46.1%) reported that banks should be primarily responsible for compliance. That jumps to nearly two-thirds (64.8%) among Taiwan-based corporates.
Compliance driven by penalty avoidance
According to the corporates interviewed, the primary motivation for observing compliance regulation was to avoid fines and penalties (78.9%), followed by protecting the firm’s reputation (71.6%) and improving data and information security (69.9%). The results demonstrated significant variance by market, however, illustrated by Australia (70.7%) and Hong Kong (79.6%) nominating reputational risk most prominently, while Indonesia-based corporates ranked it fourth, giving higher importance to quality of information and data security.
Meanwhile, just 6% of Asia Pacific corporates have sourced risk management advice from banks, compared to between 25% and 35% giving preference to legal advisors, technology vendors or specialist consultants.
Corporates should exercise more responsibility
“Although risk and compliance concerns will be an on-going challenge for CFOs and treasurers, corporates across Asia Pacific are currently under-equipped to effectively manage it,” Ms Stella Lim, Head of Corporates, APAC, SWIFT said.
“This stems from a lack of understanding and awareness, as well as the low levels of importance placed on the issues by senior management.”
“To mitigate external threats and reduce their impact on operations, corporates need to show more urgency in increasing their responsibility and levels of control for compliance and risk management measures, reducing dependency on banks and financial institutions,” Lim said.
The survey was based on direct interviews with 915 corporates surveyed evenly across the 10 major economies in the Asia Pacific region, comprising Australia, China, Hong Kong, India, Indonesia, Japan, the Philippines, Singapore, South Korea and Taiwan. The target population was segmented against the Top 100 revenue ranked corporates in each country.