Rising cyber threats but lagging preparations - Bridging the gap between concern and action.
We recently surveyed a number of our Asia Pacific and global clients across a range of sectors, seeking their perspective on their organisation’s approach to cyber risk.
The respondents shared a sense of increased cyber threat, with most believing cyber risk has increased compared to 12 months ago. However, our data shows that many are still not undertaking crucial preparatory work. Perhaps one of the most jarring findings from our survey was that 69% of respondents said it would take an actual cyber attack to motivate their organisation to meaningfully improve their data risk management.
The traditional view of cyber risk and resilience is becoming harder to sustain. As companies continue to transform their digital capabilities, handle ever-greater data volumes, and transact with a complex array of third parties, their supply chains are subject to growing cyber vulnerability. Their attack surface has increased (and become less visible) and many are faced with the real prospect of regulatory intervention, consumer action and long-term reputational damage.
Complexity from an evolving regulatory landscape
Adding further complexity is the patchwork of regulations and laws governing data privacy and cyber security across Asia Pacific.
While some jurisdictions have established frameworks with sector-specific requirements, others are still in the process of developing or implementing legislation. This evolving regulatory landscape continues to shift, as regulators enhance legislation and step up enforcement against organisations.
The results also highlighted a need among survey participants for:
The crucial role of legal teams
We also observe that legal teams in Asia Pacific are perhaps unaware of the crucial role they play in a cyber crisis, with less than half of respondents saying they think legal is a key member of the incident response team in a cyber crisis. This differs notably from what in-house legal teams have told us in other regions of the world, where lawyers are becoming increasingly front and centre and playing the role of “breach coach”.
In the immediate aftermath of an incident, legal expertise is essential in assessing the impact of an attack, ensuring regulatory compliance, navigating communications, managing notifications and helping the business engage with stakeholders. Lawyers in Asia Pacific may be underprepared to support their organisations in this way, given they are underinvesting in their own preparedness: 52% of respondents have never participated in a cyber simulation exercise and most organisations do not have a legal cyber incident response plan.
Are Boards prepared?
Boards also play a significant role. Key decisions, including those relating to disclosure, threat actor engagement and extortion payments, often reside with the board. Despite this, almost half of our respondents say their boards have not been through a cyber simulation and 35% have not yet decided whether they are open to paying an extortion demand. Clearly there is a lot more to do.
This report tracks the evolving perspectives of in-house legal teams in Asia Pacific amid a rapidly changing cyber landscape. Our research reveals that while organisations in Asia Pacific are becoming increasingly concerned with cyber risk, their preparations are not yet proportionate to the severity and complexity of the threat.
Cameron Whittfield
Partner – APAC Cyber Security Head
Legal Notice
The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills 2025