How companies can ramp up cybersecurity protections

Financial institutions, e-commerce platforms, telecom networks, and tech firms have borne the brunt of these digital onslaughts, endured not just operational hiccups but also grappled with the loss of customer trust and potential legal quandaries if found lacking in cyber hygiene. Indeed, for individuals, the stakes are no less dire: compromised banking details and personal data misused for nefarious ends.

In Vietnam, the fabric of data protection laws is being stretched and tested. Decree No.13/2023/ND-CP effective July 2023 on the protection of personal data articulates a two-fold defence: managerial and technical. Yet, it stops short of prescribing specific safeguards, leaving entities to patch together a defence from a mosaic of industry-specific regulations and network security mandates.

The decree’s call for violations to be reported within 72 hours of detection sounds less like a preventive strategy and more like a race against the clock.

There’s talk of a new decree, poised to introduce administrative penalties for data breaches - picture financial penalties converting to the tune of $400-3,000 for general noncompliance, and ranging $3,000-7,000 for dragging feet in the face of security incidents. But will fines alone weave a tighter net of cyber-resilience?

The 2015 Network Information Security law sketches the outlines of Vietnam’s cyber defence strategy, detailing everything from creating security policies to forming specialised teams and securing human resources. On a technical level, secure network zones, remote management, access controls, intrusion prevention, and defences against malware are demanded.

In 2015, Vietnam enacted a comprehensive law on network information security to safeguard against cyber threats. In this legislation, the principles of securing information systems within the country, including networks and servers, are outlined. For information systems that support online services or government functions, a 2016 decree on the security of information systems by classification and a 2022 circular provide detailed security standards and practices.

Let’s not forget the sector-specific regulations that throw down the gauntlet for industries handling our most sensitive transactions. Securities firms must operate like digital fortresses, ensuring seamless and secure online trades, while banking institutions have been directed to catalogue and shield their IT assets with everything from encryption to data loss prevention strategies.

Yet, the existential question lingers: Are these measures enough? Or are we merely plugging holes in a dam, unaware of the deluge potential? Legal representatives are thrust into the frontline, expected to be the bulwark against breaches, a tall order for those who might not speak the cryptic language of cybersecurity.

Vietnam’s legislative efforts against cyber threats embody a duality: recognition of the menace and a reactive stance that must evolve. They underscore an understanding that in our interconnected world, reactive postures give way to persistent vulnerabilities. The true fortress lies not in the fines or the fragmented regulations, but in a culture that pre-empts cyber threats, transforming cybersecurity from a technical afterthought into a strategic cornerstone.

Although Decree 13 does not provide specific mandates on the actions companies must take for personal data protection and cyberattack prevention, the legal framework comprising the aforementioned legislation will continue to ensure compliance with information security practices among companies managing information systems.

As a result, in order to reduce the company’s legal risk in the event of a data breach, it is essential that the company adhere to established technical standards for network information security, along with fulfilling its obligations under the Network Information Security Law and regulations applicable to its industry.

This is the juncture where professional consultancies like KPMG prove their expertise. Together with our IT advisory experts, we offer a one-stop solution to help businesses navigate the ever-changing legal landscape.

Only 6 per cent of organisations in Vietnam have the ‘Mature’ level of readiness needed to be resilient against modern cybersecurity risks, according to Cisco’s 2024 Cybersecurity Readiness Index released on March 28.

2023 witnessed nearly 43 million local threats targeting organisations in Southeast Asia, of which Vietnam saw the highest number of threats at 17.1 million incidences, according to the latest data released by global cybersecurity company Kaspersky on April 5.