On 10 May, Access Partnership and JurisAsia co-hosted a workshop on cybersecurity in the retail and consumer goods industry. Legal and policy experts from the Cybersecurity Agency of Singapore (CSA), Lazada, JurisAsia and Access Partnership provided insight into how regulators and businesses can deal with cybersecurity challenges. They also debated the potential risks and measures for cybersecurity in retail in the APAC region and beyond.
From the role of technology to the need for harmonised regulation, check out the top five takeaways from the event:
- A balance between innovation and cybersecurity must be struck
Technology has changed the way retail businesses work from top to bottom. Mobile applications, social media platforms, loyalty programmes and data analytics have made it easier for retailers to reach customers and improve operational and marketing performance. However, the retail sector’s digital transformation has made retailers and customers more vulnerable to cyberattacks. It is imperative that a balance between innovation and security be struck. For retail businesses, this is a balance between security requirements and the ease of registration that translates to growth. For government, this is a balance between economic development, innovation and cybersecurity.
- Retail and e-commerce businesses have a role to play in implementing technology fixes that support safe commerce
Retailers still focusing IT resources on performance need to shift their attention to cybersecurity. Technologies such as device recognition and machine learning can help safely identify legitimate customers. Solutions for retail will need to be tailored to accommodate retailers’ unique characteristics, such as high staff turnover rate, large transaction volumes, and distributed operations.
- There remains a big gap for both business and government in educating the public
Policy development is a multi-stakeholder process. There is a need for information, including technical information, to be shared between government and industry in a collaborative and secure way. Government should create safe spaces where businesses can share information on cyber threats without fear of legal measures and fines. The lack of agreement and collaboration between stakeholders in responding to cybersecurity incidents impacts trust in the use of technology. Moreover, capacity building is necessary in order to gain the skills needed to defend key systems. Finally, there is a need for policy engagement: building an enabling environment regionally and promoting harmonisation that enables economies of scale.
- You are as strong as your weakest link
The saying “you are only as strong as your weakest link” applies very well here. With thousands of employees spread across various locations, it is important that a “security-first” culture is instilled in every employee. Creating an IT governance policy is one way to inform stakeholders, including vendors and customers, of processes and broad principles for information security. If they have not already done so, senior executives need to be involved in cybersecurity. It should be considered a business risk management issue among C-suite decision-makers.
- A collaborative and harmonised approach is key
Many Asian regulators are developing their own approaches to cybersecurity. The extent of cybersecurity law varies from Singapore’s light-touch cybersecurity framework to more stringent approaches like Vietnam’s draft cybersecurity law, which will require that all Vietnamese user data is stored locally. While each of these frameworks has good intentions, the many different approaches in the region make it harder for retailers to establish themselves or collaborate across countries. Developing a solution that complies with all the requirements will need an ongoing conversation with regulators aimed at harmonising their regulatory postures. Without this coordination, it will be harder for start-up retailers to grow across the region’s markets.