The Association of Southeast Asian Nations (ASEAN) announced last week that it will create a rules-based framework for its 10 member states to cooperate on cybersecurity matters.

The 10 ASEAN members are Singapore (which is the chair for ASEAN this year), Malaysia, Indonesia, the Philippines, Thailand, Vietnam, Brunei, Myanmar, Laos and Cambodia.

Singapore is expected to take the lead in drawing up a mechanism that facilitates cross-country collaboration on cyber policy development, capacity building and operational issues. ASEAN recognized that such a system would need to be flexible and take into account the economic considerations of the different member states.

Although the framework is still in an early phase of development, greater cross-border cooperation will likely take place among regulatory authorities in the various ASEAN members, as well as the introduction of more cybersecurity laws at a national level.

Just last month, Singapore’s Cybersecurity Act (save for the provisions on cybersecurity service providers) came into effect. Owners of designated critical information infrastructure (CII) are now subject to cybersecurity audits and need to comply with specified incident reporting requirements.

CII that has been designated to date includes, but is not limited to:

Services relating to energy:

  • Electricity generation, electricity transmission or electricity distribution services
  • Services for the supply or transmission of natural gas for electricity generation

Services relating to health care:

  • Acute hospital care services
  • Services relating to disease surveillance and response

Services relating to banking and finance:

  • Banking services, including cash withdrawal and deposits, corporate lending, treasury management and payment services
  • Payments clearing and settlement services
  • Securities trading, clearing, settlement and depository services
  • Derivatives trading, clearing and settlement services
  • Services relating to maintaining monetary and financial stability
  • Currency issuance
  • Services relating to cash management and payments for government

Services relating to maritime:

  • Monitoring and management of shipping traffic
  • Container terminal operations
  • General and bulk cargo terminal operations
  • Cruise and ferry passenger terminal operations
  • Pilotage, towage and water supply
  • Bunker supply
  • Salvage operations
  • Passenger ferry operations

Malaysia, Laos, the Philippines, Thailand and Vietnam already have in place standalone cybersecurity legislation. Cambodia has a draft cybercrime law that has not come into effect yet, and Myanmar and Indonesia have each adopted laws on electronic transactions that contain provisions on cybercrime.

What these developments could mean for your business:

  • ASEAN is diverse, and Asia even more so. Given the varying stages of development in cybersecurity policy and laws across the region, businesses will need to track closely any laws that may be introduced or amended within each jurisdiction in which they operate.
  • Businesses should consider conducting cybersecurity tabletop exercises with key personnel across relevant departments to ensure that these stakeholders are well prepared and know how to respond in the event of a data incident, with a view to minimizing any resultant losses that may be suffered by the business.
  • External counsel should also be retained to give advice on any legal implications, for instance, regarding the provision of information to the regulator during the course of an investigation, preserving confidentiality over commercially sensitive information or claiming privilege over relevant documents.


Reed Smith LLP is licensed to operate as a foreign law practice in Singapore under the name and style, Reed Smith Pte Ltd (hereafter collectively, “Reed Smith”). Where advice on Singapore law is required, we will refer the matter to and work with Reed Smith’s Formal Law Alliance partner in Singapore, Resource Law LLC, where necessary.