Welcome to another edition of LegalBytes! On 1 June 2017, China's much anticipated Cybersecurity Law came into effect. This is the latest legislative development continuing the trend for increased cybersecurity regulation globally and, in particular, in the Asia Pacific Region.

Different approaches to cybersecurity regulation

There is no "one size fits all" approach to cybersecurity regulation. While some countries like China and Singapore (with its proposed Cybersecurity Act that is due to be tabled in Parliament this year) have opted to enact specific national cybersecurity laws, other jurisdictions have chosen to put in place sector-specific regulations or bolster existing privacy laws, or a combination of the above.

Common themes in cybersecurity regulation

Regardless of which approach is taken, there are a number of common themes in the development of cybersecurity regulation across jurisdictions:

Critical information infrastructure (CII). Frequently, the focus of national cybersecurity laws is on the protection of CII. Whilst the definition of CII varies from jurisdiction to jurisdiction, the key element of CII is that if it is disrupted or destroyed there would be a serious impact on the health, safety, security or economic wellbeing of citizens or on the effective functioning of government or the economy. It follows that greater obligations are placed on operators of CII (such as providers of major public services and utilities) under cybersecurity regulation. For example, in Singapore, it has been indicated that the Cybersecurity Act may include mandatory participation of CII operators in cybersecurity exercises.

Data localisation. A major element of cybersecurity regulation is a requirement to store data, or keep a copy of data, within the country where such regulation applies. China and Russia are prominent examples of data localisation requirements.
Additional requirements can also apply, such as a requirement to carry out a security assessment in case of cross-border data transfers. This will be the case under China's Cybersecurity Law after the expiry of a grace period on 31 December 2018. Other jurisdictions in APAC have implemented data localisation requirements for certain operators (eg, Indonesia). Data localisation requirements are a challenge for global businesses, in particular where companies want to utilise cloud services. In response to this, we are seeing an increase in geo-fencing: cloud vendors offering companies the ability to choose where to hold data by region to meet increasing regulatory requirements.

Mandatory data breach notification. In case of a cyberattack or data loss generally, businesses need to know their reporting obligations to affected individuals and/or the regulator. Traditionally, many jurisdictions only had in place a voluntary breach notification regime or specific requirements in heavily regulated sectors (such as banking). However, in recent months we have seen an increase in mandatory data breach notification laws globally. For example, in February this year, Australia passed a mandatory data breach notification regime which will come into effect in February 2018. Similarly, under the GDPR, a pan-European data breach notification requirement will start to apply as of 25 May 2018. For further information on data breach notification requirements, we invite you to access our 2016 Global Data Breach Notification Guide. Please note we are currently in the process of updating this guide and will launch a new version later this year.

Data security. A common data privacy law requirement is that companies must ensure that adequate security measures are in place to protect personal data. It is left to the company to assess and decide what the appropriate level should be depending on the type and sensitivity of data.
However, we are now seeing a trend towards specific security requirements being mandated by legislation or accompanying guidance: for example by referencing ISO standards, or requiring two factor authentication or encryption.

Target industries. Many regulators tend to impose increased cybersecurity requirements on certain industries that are particularly prone to cyberattacks such as the banking and finance industry. By way of example, the Hong Kong Securities and Futures Commission (SFC) has recently launched a consultation on measures to enhance cybersecurity after announcing that licensed corporations have suffered significant losses at the hands of hackers.

What does the future hold?

Cyberattacks are on the rise. Hackers are becoming more sophisticated. Businesses are collecting and storing more and more data. Individuals are increasingly expecting businesses to adequately secure their personal data. Data losses get a lot of negative media attention and can be very harmful to businesses' reputation. Legislators around the world are introducing new or tightening existing cybersecurity requirements (including more specific data security requirements, data localisation and mandatory data breach notification provisions).

Cybersecurity is plainly on the regulators' radars. As so often, prevention is better than cure. Our advice to businesses would be to turn their mind to cybersecurity sooner rather than later and devise a strategy to both comply with applicable legal and regulatory requirements and prevent becoming the victim of cyberattacks.

Do let us know if you would like to speak to our cybersecurity experts.

Finally, we invite you to download our 2015 Asia-Pacific Cybersecurity Counter Offensive Guide which provides guidance on what to do when confronted with a suspected data breach and outlines some common issues that arise in a data breach scenario.