Corporate focus on cybersecurity has deepened over the years in Asia Pacific. In most companies, cybersecurity budgets are set to expand further in 2024, reflecting its sustained place as an essential investment priority for organisations across the region. Asia Pacific’s security spending has steadily grown at a CAGR of 12.8% since 2022, and is expected to top out at US$52bn by 2027 as multiple cyber threats bear down on digitalising companies.
According to the 2024 edition of PwC’s annual Digital Trust Insights (DTI) survey, 84% of Asia Pacific business and tech executives reported increases in their cyber budgets. These insights were gleaned from a survey of 683 business, technology and security executives in Asia Pacific conducted by PwC between May and June 2023. The survey comprised both technology- and business-side perspectives from a wide variety of industries and sectors.
The number of mega breaches experienced by Asia Pacific organisations in the past three years has risen considerably: in 2023, 35% of organisations say they have experienced data breaches costing anywhere from US$1m to US$20m over the last three years.
Asia Pacific organisations are also waking up to the reality of how cyber-attacks can damage reputations, customer confidence and operations, leading to losses of real and potential business opportunities. For more than half (54%) of organisations, the threat of losses of customer, employee and transaction data is their top concern, while 46% and 41% respectively pick their impact on the company brand and revenues.
Though cybersecurity was considered solely a technology area in earlier years, mounting financial and non-financial costs are revealing its immense relevance to the business as a whole. As such, scrutiny on cybersecurity issues is intensifying, as evidenced by 95% of organisations saying they are bringing reporting on cyber risk exposure and mitigation measures to their boards.
That heightened scrutiny is translating into cybersecurity issues rising to the top of boardroom agendas. In PwC’s 2023 Annual Corporate Directors Survey, 64% of organisations report that board meeting time devoted to cybersecurity risk has increased over the past year. Organisations are also emphasising the need for more cyber skills at the board level, with 46% pursuing additional skilling on the topic and 19% adding members with cybersecurity expertise within the last 12 months.1
With these new skills and expertise, board members will be better equipped to request more reporting on cybersecurity issues from management. Greater scrutiny on management’s progress on driving better cybersecurity performance will eventually trickle down to an organisation’s rank-and-file, further embedding these principles at the heart of an organisation’s risk management strategies and actual operations. This will help fuel investments to support post-breach recovery, while also enhancing prevention and resilience.
Board-level scrutiny will likely only increase over time as momentum mounts for cybersecurity legislations and data protection laws in multiple jurisdictions across Asia Pacific. These are expected to inflate compliance costs – as noted by 42% of respondents – while also placing organisations at greater risk of incurring significant fines. In Singapore, for example, cyber incidents can now cost organisations up to SG$1m or 10% of their annual turnover; Indonesia’s regulators have set their rate at 2%.2 A series of high-profile data breaches in Australia in 2022 led to amendments where non-compliant organisations may be liable for significant fines of at least A$50m or more.3
While many organisations are rightly concerned about obtaining sufficient investments to fuel their technology strategies, the true challenge will be figuring out how to prioritise spending for maximum impact. Today’s technology teams and leaders are not just grappling with a more complex and expanding threat landscape, but with budgets also under pressure.
So, how do leaders make their dollars go further?
Respondents who have had data breaches costing $1M or more in the past three years are more likely to acknowledge that they have too many cybersecurity solutions and need to integrate. This suggests that their cyber budget is not being invested in the right areas.
While cyberattacks pose a serious threat to organisations, accelerating digital adoption is also creating a challenging cyber landscape for leaders to navigate.
Today, digital transformation is viewed as non-negotiable for organisations to remain competitive, resilient and relevant to customers who are demanding fast, high quality and seamless experiences. However, it is progressing at a pace and scale that are creating immense potential costs to organisations that go beyond cyber risks.
Digital adoption in Asia Pacific organisations span a wide range of technologies and solutions – where exactly are the majority of these risks arising from? Our report suggests that two segments in particular are focal points.
Cloud computing implementation is surging all across Asia Pacific , with 95% of respondents reporting adoption in their organisation. By and large, given their relative age, most Asia Pacific organisations leapfrogged legacy, on-premise systems and went straight to more scalable, third-party cloud platforms which provided easier pathways to digital transformation.
Cloud computing enables organisations to collaborate more effectively, and also facilitates the rapid access to wider networks of information that is key to leveraging data analytics. By 2026, Asia Pacific’s public cloud market could be worth US$153.6bn, with this value spread across businesses offering infrastructure, platform and software solutions.
That said, even as organisations increasingly consider cloud adoption the key to competitive advantage and operational agility, the technology also makes it challenging for them to transform safely. Greater cloud adoption is not only exposing organisations to more cyber risk, but also introducing complexity into its operations and making them more reliant on third-party service providers.
According to our survey, cloud-related threats are among the top three cyber concerns for 51% of Asia Pacific organisations over the next 12 months. That’s followed closely by attacks on connected devices (45%), which also depend on cloud computing.
There are immense rewards to be gleaned from cloud adoption, as well as significant risks. Are organisations confident in their preparedness to withstand the threats posed by this key tool? Have leaders started implementing the strategies that are essential to embed resilience into their technology strategies? If not, what steps are needed to secure their organisations and transform safely?
These risks may also stem from organisations’ relationship with their cloud service providers. Organisation should consider overall strategy to manage these external partners,... too many questions.. Where do these external partners fit into the company’s overall strategy? What is kept on the cloud and what governance frameworks are needed to protect the organisation? What shared responsibilities will the company have to navigate with their cloud service providers? How can these partners inject additional expertise that will enable the company to sustainably manage these technologies?
Similar dynamics are occurring with emergent technologies like Generative AI (GenAI). Since OpenAI’s ChatGPT 3.0 burst onto the scene in late 2022, adoption of GenAI tools has grown considerably as businesses see its potential to improve process efficiency, automation and decision-making. Core to GenAI’s appeal is its combination of ease of use and ability to generate high-quality, human-like content.
According to our survey, Asia Pacific organisations say that GenAI will help create new business within the next three years and increase employees’ productivity levels. GenAI technology is likely to soon automate significant portions of employees’ everyday tasks such as writing emails, ideation, and so on. GenAI tools are also being implemented by 77% of organisations to bolster cyber defence over the coming year.
GenAI has the potential to be immensely impactful in the cybersecurity space by accelerating the pace at which security teams can identify risks and threats, thus levelling the playing field against intensifying attacks from bad actors. Machine learning algorithms embedded in GenAI tools are capable of quickly analysing large amounts of data to detect unusual activity and even potentially pinpoint system vulnerabilities before an attack even occurs. For organisations, this poses an opportunity to take a more forward-looking attitude towards their cyber risks that prioritises resilience over reactivity.
That being said, there are causes for concern when it comes to GenAI.
In its current form, GenAI could become a source of disinformation as the technology does not always validate its sources, leading to biased or inaccurate content that have a misleading sheen of authenticity. 60% of Asia Pacific respondents think GenAI could pave the way for devastating cyber-attacks within the next year. GenAI could also fuel disinformation, which 17% of Asia Pacific respondents consider a top-three cyber threat.
Given that the technology is still in its very early stages, organisations are undoubtedly still figuring out their first steps, but getting it right on AI from the beginning will be critical to long-term success and protecting their customers’ trust. Establishing human oversight is key.
Are leaders thinking about what ethical and responsible use of GenAI in their organisation looks like? Have they started exploring initiatives to train employees on the right way to use these tools? Are they implementing the critical data security measures and compliance frameworks to safeguard their customers’ data and maintain trust?
While technology modernisation remains a major priority for organisations’ business teams, they must remain mindful of the need to safely manage the risks arising from widespread and rapid digital adoption. These are not just cyber risks, but also include digital and technology risks such as greater operational complexity and disinformation that could disrupt organisations’ ability to continuously deliver high-quality services without interruption.
This is emphasised by findings in our survey that in Asia Pacific organisations, digital and technology risks and cyber risks are top priorities for mitigation.
Given the pace of technological adoption, today’s threat landscape is also evolving quickly with increased uncertainty and exposure driving the need for a more robust resilience plan. These resilience strategies are not just about shoring up organisations’ ability to quickly recover from a disruption, but also fortifying itself with the resources to prevent and withstand an attack or adverse event.
For many organisations, obtaining the resources and skills it needs to digitally transform and build up its technological capabilities often requires them to rely on third-party providers. These third parties can provide access to crucial, new skills, while also helping organisations balance costs, improve service speed and expand global reach.
However, increasing dependence on a third-party ecosystem is itself a problem as this essentially creates points of vulnerability within the organisation that can be accessed by external actors.
Consider how Asia Pacific organisations engage with cloud service providers, for example. Depending on the type of cloud (platform, software or infrastructure) or vendor (public or private), there could be varying levels of shared responsibilities between organisations and their third-parties. Aligning those responsibilities are key to an effective operational resilience strategy and risk mitigation.
The threat landscape is expanding in focus – it’s not just about malicious actors and hackers who are creating problems, but also a wide network of potentially compromised providers sitting outside organisations’ control with access to internal systems and data.
The survey reflects this: among the top cyber threats selected by Asia Pacific respondents, a majority are directly correlated with third-party ecosystems, including cloud platforms, connected devices and software supply chains. For 26% of Asia Pacific respondents, software supply chains are among the top third-party related cyber threats, followed by third-party breaches (25%) and exploits of zero-day vulnerabilities (14%).
Organisations are aware of the problems of over-relying on third-parties: 63% of organisations acknowledge the need to rebalance between in-house capabilities and outsourced or managed services.
However, they cannot address these third-party risks without considering that these issues also emerge out of other organisational challenges such as skills shortages and rapid technology adoption. Leaders are aware of this, as reflected by an emphasis in Asia Pacific on upskilling (70%) and retaining or identifying key talent (51%) as pathways to bringing their tech needs under their control and purview, which could reduce their overall need to hire external vendors. There may also be a need for reskilling as organisations prepare the workforces to manage the new roles and responsibilities emerging from greater digitalisation.
In an increasingly complex business environment, organisations are constantly juggling between competing—and complementary—priorities, but as trends and contexts collide, this old approach is no longer sufficient.
To address today’s complex and interconnected risks, modern business must expand its vision and break the barriers between functions, strategies and goals. True resilience is not just about their ability to recover from an incident, but to pre-empt possible danger and put in place the resources to withstand any adverse event.
How can organisations build resilience through integrated risk management?
Organisations need to start considering how they can establish an integrated risk management framework that brings together a multifaceted and nuanced picture of the company’s risks as they relate to technology and digital adoption, third-party engagement and operational structures.
We are already seeing how some enterprises are actively moving towards an integrated approach to not just resilience building, but also risk management. Most Asia Pacific respondents (97%) have either already integrated or are planning to/ in the process of integrating cyber initiatives into their resilience strategies and initiatives.
As they start to build the resources to take an integrated risk management approach, leaders can begin by focusing on several key strategies:
Read the full report to discover cyber investment drivers, cloud risks, and GenAI adoption impacts across the region. Learn how you can optimise spending, navigate challenges, and build resilience.
GenAI for cyber defence is on the rise.
Our approach to bringing generative AI to businesses is rooted in building trust and delivering outcomes. They serve as the core to our lab-based innovations, the real-world generative AI solutions that we deliver to clients and our active participation in the forums that are helping shape the future of responsible AI.
As Southeast Asian businesses build newer technologies, cybersecurity threats become more concerning. Explore how the region is responding to this challenge.
This 2022 Global Digital Trust Insights Survey offers the C-suite a guide to simplifying cyber with intention.
PwC excels in a range of strategic and technical competencies, leading with culture.
