Current risk management strategies of Asia Pacific corporates are found to be ineffective, even though cybersecurity is at the forefront of risk and compliance concerns, according to new research from SWIFT and East & Partners Asia.

The newly released report, titled Asia Pacific Corporate Risk and Compliance Index, is based on interviews with 915 of Asia Pacific’s Top 1,000 revenue-ranked enterprises across 10 major economies.

Only 15% report no experience of cybersecurity breach

Results indicate that only 15% of corporates can claim with certainty that they have not experienced a cybersecurity breach in the past 12 months. While around 42% responded in the affirmative, more than 40% of corporates in Asia Pacific were “unsure” or unwilling to provide a direct answer.

Ongoing challenge for CFOs and treasurers

“Although risk and compliance concerns will be an on-going challenge for CFOs and treasurers, corporates across Asia Pacific are currently under-equipped to effectively manage it,” Stella Lim, Head of Corporates, APAC, SWIFT said.

“This stems from a lack of understanding and awareness, as well as the low levels of importance placed on the issues by senior management.”

“To mitigate external threats and reduce their impact on operations, corporates need to show more urgency in increasing their responsibility and levels of control for compliance and risk management measures, reducing dependency on banks and financial institutions,” Lim said.

Other key highlights

  • 34.7% said monetary loss is the biggest impact for corporates that experienced a cybersecurity threat. Other outcomes resulting from a breach include loss of client data (17.6%), cyber extortion (9.6%) and identity theft (7%).
  • Malware was found to be the leading cause of cyber-attacks, with nearly 50% of all corporates nominating it as the way the breach occurred. Spyware (48.4%), phishing (39%) and ransomware also ranked highly among causes of breaches.
  • Chief Risk Officers (CROs) were not at all prevalent in the region: 58% of corporates said they do not have one in place.
  • The relatively mature market of Hong Kong is more aligned with Asian peers, with just 22.5% employing a CRO. Australian corporates stand out in the market, with 42.4% reporting they have a dedicated CRO.
  • On a scale of 1 (totally achieved) to 5 (not achieved), Asia Pacific corporates rated their own risk management strategies as below average (2.94).
  • More than half of the Asia Pacific corporates interviewed reported not having standardized internal procedures in the management of newly identified risks, with no plans to implement one. This figure jumped to between 80% and 90% for corporates in Taiwan and Indonesia.

Corporates don’t want to take responsibility internally

The issues in effectiveness of risk and compliance governance are also being exacerbated by corporates’ lack of willingness to take responsibility internally. Across the region, nearly half of all firms (46.1%) reported banks should be primarily responsible for compliance. That jumps to nearly two-thirds (64.8%) among Taiwan-based corporates.

According to the corporates interviewed, the primary motivation for observing compliance regulation was to avoid fines and penalties (78.9%), followed by protecting the firm’s reputation (71.6%) and improving data and information security (69.9%).

The results demonstrated significant variance by market, however, illustrated by Australia (70.7%) and Hong Kong (79.6%) nominating reputational risk most prominently, while Indonesia-based corporates ranked it fourth, giving higher importance to quality of information and data security.

Just 6% of Asia Pacific corporates have sourced risk management advice from banks, compared to between 25% and 35% giving preference to legal advisors, technology vendors or specialist consultants.