KUALA LUMPUR (June 11): S&P Global Ratings views the lack of public disclosure requirements in Asia-Pacific as likely to result in an under-reporting of cyber incidents in the region, while vulnerability to cyberattacks is a credit risk.

In a statement on Tuesday in conjunction with the release of a report titled "Asia-Pacific Corporate Cyber Risks: What You Don't Know Can Hurt You”, S&P Global Ratings credit analyst Clifford Kurz said that limited disclosure can create a degree of complacency among investors and corporate managers.

"Cyber risks for Asia-Pacific issuers are likely as high as those for rated issuers in the US or Europe,” he said.

S&P Global said the threat of attacks is rising globally, with occasionally damaging consequences for firms' operations.

The agency said recent examples in the US from September include MGM Resorts International and Clorox Co, which each disclosed unrelated and serious cyberattacks.

S&P Global said Asia-Pacific has its own risk characteristics.

It said a high concentration of rated entities are in manufacturing, which exposes them to attacks on suppliers and key infrastructure.

Moreover, it said more industrial production is moving online to make use of technologies such as artificial intelligence (AI).

Meanwhile, S&P Global Ratings credit analyst Shruti Zatakia said tracking and measuring cyberattacks is difficult in the best of circumstances.

“It's particularly difficult in Asia, with its patchwork of rules and regulators, and generally low disclosure requirements on companies," said Zatakia.

S&P Global said regulators are scrutinising firms that provide critical infrastructure.

It said that recently, Singapore, in the first amendment of its Cybersecurity Act, proposed expanding reporting requirements for critical infrastructure owners to include incidents affecting entities in their supply chain.

However, the agency said most of these new rules do not require public disclosures of cyber incidents. They typically require timely reports of attacks to regulators, or perhaps just set higher standards for cyber security.

Disclosure requirements in Asia-Pacific are often more relaxed than in the US and Europe.

S&P Global Ratings credit analyst Shinichi Endo said that the cyberattacks that Japanese firms disclosed in the past year largely occurred at overseas subsidiaries, or affected overseas users.

“This was likely because offshore regulations required disclosure, whereas Japan did not.

"We assume as such that there were other attacks on Japanese issuers last year that were not disclosed,” said Endo.