Cybersecurity regulation is growing in number, teeth, and enforcement. Societies' ever-increasing reliance on computers and the internet, together with the rising cost of financially motivated and state-sponsored cyberattacks (which have shut down critical services such as power grids, hospitals, banks, seaports and gas pipelines, and caused significant financial losses as well as physical harm), has motivated governments around the world to enact more cybersecurity regulation and to step up its enforcement. Many countries now treat this as an area of regulatory priority and national security. Recent examples of new cybersecurity regulation include the United States Securities and Exchange Commission's 2023 Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules; the upcoming European Union Network and Information Security Directive 2.0 (NIS2), which penalizes non-compliance with fines of up to 2% of an entity's global annual turnover; and Japan's amended Telecommunications Business Act (電気通信事業法), whose scope has expanded well beyond traditional telecommunications providers and which imposes a range of cybersecurity-related obligations.
Cybersecurity regulations can be broadly divided into anti-hacking, protection, and incident-reporting laws. This article focuses on protection laws, which oblige and incentivize in-scope entities to strengthen their cybersecurity defences under penalty of law, and which thereby deter cyberattacks by denial. Such laws typically prescribe the cybersecurity controls and practices that in-scope entities must adopt to protect the confidentiality, integrity and availability of their computer systems and the information held in them. This article explains the key principles that should guide the formulation and enforcement of such laws so that they are a net positive for society. It then takes a deep dive into the key cybersecurity regulations and case law in three Asia-Pacific jurisdictions: Japan, Australia, and Singapore. These jurisdictions have adopted different approaches but share notable similarities in their regulation and enforcement, such as reference to established cybersecurity frameworks like ISO/IEC 27001 and the NIST Cybersecurity Framework. The growing landscape of cybersecurity regulation makes clear that legal liability arising from cybersecurity breaches will continue to grow, and that cybersecurity risk management will be a management priority that companies must address as they do other types of risk, such as financial, supply-chain or reputational risk.
Author affiliations
1 Meta Platforms, Inc., Menlo Park, United States (GRID:grid.453567.6) (ISNI:0000 0004 0615 529X); Singapore Management University, School of Law, Singapore, Singapore (GRID:grid.412634.6) (ISNI:0000 0001 0697 8112)