Land of the rising breach notifications

By Staff Writer, ITWeb
Johannesburg, 10 Dec 2025
Sunitha Chalam, partner, Brunswick Group.

Asia is playing an increasingly significant role in driving timelines for where and how companies disclose global cyber incidents.

This is according to Sunitha Chalam, a partner at the Singapore office of global strategic communications and advisory firm Brunswick Group.

She says this trend has flipped the status quo, as typically the handling of global breaches, with affected datasets in many territories, tends to be command-and-control.

They have also historically been driven from mature Western markets, such as the US or UK. This is changing, she says, because of stricter rules about breach reporting in Asian markets.

Compared to other markets, she notes, regulators in China and South Korea tend to have tight timeframes from the discovery of a breach to the reporting of it.

“Regulators [in Asia] are asking quite a bit of companies. The disclosures tend to start out of Asia, which means the entire timeline is starting in Asia and then moving around the world – it typically moves to the Middle East, Europe and then concludes in the US.”

While this phenomenon recently started emerging, Chalam doesn’t believe it will necessarily stay this way permanently, and Africa may well begin to see its own place in this flow become more prominent.

“It's Korea currently [that leads the time from breach to report], but it could well become somewhere else if a regulator says it’s going to shorten the timeframe for notification. If an African regulator, for example, decided it wanted to be a lot stricter and more stringent in the way a breach is reported, it could well start there. And the minute it starts somewhere, that's where the news cycle begins.

“Rules are changing constantly…as regulators change, as expectations change, as the public becomes more mature and attuned to these types of issues, they care more about data.

“As regulations change, and as they [regulators] come to terms with how they're going to deal with some of these issues, you're going to find that a lot of different markets are driving activity in new ways. That will be interesting for Africa.”

Chalam will be speaking in greater depth on this trend at the 2026 ITWeb Summit, to be held at the Century City Conference Centre in Cape Town on 26 May 2026. She will also touch on other communications issues around the field of cyber security, such as the importance of making incident planning and response a wider practice than simply a tech function responsibility.

“Cyber security has been typically viewed as an IT issue and not a business issue. But a cyber incident is not an IT problem; it's a business continuity problem, it's a reputational problem, it's a regulatory and governance problem. It's important to focus on the operational and the technical aspects, but it's also important not to forget the reputational concerns and the amount of scrutiny you’re going to get,” she says.
