Mon, Oct 31, 2022

State of Incident Response: APAC


The State of Incident Response report sets out how the Asia Pacific (APAC) market has been impacted by vulnerabilities, highlights incident patterns for the region and proposes actionable priorities for the future.

Our research finds that businesses in APAC are feeling the impact of cyberattacks, but many are yet to build out appropriate response plans or have regular access to relevant cyber expertise.



Cyber Incidents are Numerous and Preparation is Lacking

Over half of all organizations interviewed in APAC (59%) have experienced a cyber incident, of which a third (32%) have suffered multiple incidents. This compares to 93% of organizations which had suffered a compromise of data in the U.S. during a 12-month period, according to a previous survey commissioned by Kroll.

It is worth noting, however, that the regulatory landscape and data protection in APAC are generally less established than in developed markets such as the U.S., and thus this may understate the number of cyber incidents being reported.

Despite the volume of cyber incidents, more than a third (36%) of organizations do not have a response plan if an incident were to occur, which leaves companies at risk of being unable to handle an incident effectively and of being vulnerable to further attacks.


Regional Breakdown of Businesses that Have Experienced a Cyber Incident








Measures Implemented to Respond to an Incident 

There is some measure of relevant representation of cyber expertise at senior levels across the companies surveyed, with 62% of companies reporting that they had appointed a data protection officer and a similar percentage having cyber security specialists on retainer. This, however, still leaves more than a third of companies in APAC (38%) without cyber security specialists to call in the event of an incident.

The need for security expertise at senior levels within an organization is increasingly being recognized, with many chief information security officers (CISOs) now presenting the cyber agenda directly to the board.

Recently, the Securities and Exchange Commission (SEC) in the U.S. proposed mandatory cyber representation on boards subject to its regulation. While the regulatory landscape in APAC may be less developed than in the U.S., organizations would definitely benefit from having access to this expertise, whether it is in-house or on retainer.

Common Causes

The most cited cause of a cyber incident across APAC was malware, which includes ransomware, spyware, viruses, etc. The top three causes, which include phishing and password attacks, account for over half of all incidents reported.


Cause of Reported Cyber Incidents

Cyber Security Concerns Are Aligned With the Impact of Actual Incidents


Focus is on Operational Impact: Data Loss and Business Interruption

Data loss (51%) and business interruption (49%) were the two most cited impacts of a cyber incident and, predictably, they are also the top cause of businesses’ concern, with data loss being the primary worry (70%), followed by business interruption (58%). Out of the types of impact reported from cyber incidents, these were arguably the most operational in nature.

There are signs, however, that organizations are starting to understand the longer-term consequences of cyber incidents. Reputational damage, for example, is cited as a less common impact of an incident (31%), but half of the leaders who were surveyed (50%) are concerned about it.


Cyber Security Efforts in APAC

To minimize the threat of a cyber incident, organizations are not only taking advantage of hardware and software security tools (70%) and monitoring the endpoints, network, systems and applications (69%) but also conducting regular training (67%) for the business to stay aware of potential threats.

In addition, nearly two-thirds (64%) of organizations interviewed are increasing their budgets or spending to address cyber security threats. Overall, more than half of the companies in this region are willing to invest resources to prevent operational disruption from cyber incidents.


Measures Implemented to Address Cyber Security Threats



Future Investment Priorities 

Cyber security professionals in multinational organizations said that they expect to prioritize incident management in the coming two years, with its investment priority growing from 26% to 39%. By comparison, the largest growth area for Pan-Asian companies is mobile working policy, increasing from 20% two years ago to 34% in two years’ time.

This survey was conducted in March and April 2022, during a period when many Asian countries were still experiencing strict COVID-19 measures. The difference in investment focus could perhaps indicate a broader trend where Pan-Asian companies are still recovering from the operational impact of the pandemic, such as a material shift to remote working. Conversely, multinational organizations were possibly more able to adapt to a new paradigm in working conditions—and the security requirements needed to support it—and thus could prioritize incident response management.


A shift in attitude toward incident response has been observed in recent years. More than ever before, organizations with a more developed perspective on cyber risk are preparing for when an attack might happen, rather than whether it might happen. This could be the reason for an increasing interest in incident response retainers and managed detection and response (MDR). MDR adds another level of assurance by having experts monitor your entire fleet of computers and respond to any incident on a 24x7 basis.

Pan-Asian companies may still be getting to grips with a distributed infrastructure brought about by working conditions imposed by the pandemic, but there is a clear appetite to be better prepared.


Incident Management as a Priority (Four-year Evolution)


How Prioritizing Incident Management is Changing Over Time, by Business Type



Mobile Working Policy (Four-year Evolution)


How Prioritizing a Mobile Working Policy is Changing Over Time, by Business Type


Sixty-five Percent of Organizations Moving to the Cloud to Address Security Threats

Companies around the world have been moving to the cloud for some time now. The ability to manage a more effective remote workforce thanks to the collaboration advantages, while reducing costs—for example, around storage—has become an attractive proposition for many. The proportion of those transitioning to a cloud environment is fairly consistent: 41% two years ago, 44% now and a projected 40% in two years’ time.

There are also security benefits of moving to the cloud, from access control to data visibility. It’s worth noting, however, that although 65% of survey respondents had moved to the cloud to address cyber security threats, achieving security in the cloud is often not that simple. 

Transitioning to a cloud environment does not come without complexity; many organizations require specialist skills to migrate to a cloud environment effectively and securely. 


Failing to do this can have quite the opposite effect, whereby gaps can be introduced due to a poor deployment. In an incident response scenario, a cloud environment can also become obfuscating as companies struggle to gain access to their cloud logs that could provide insight into how and what has been targeted in a cyber incident.

To overcome this, organizations should look to experts to guide, test and assess their cloud environments for gaps in security controls. They should also have detailed incident response plans, which are regularly simulated, to build confidence that the cloud infrastructure enables response rather than hinders it.


APAC Threat Landscape – By Market

Regional Threat Landscape

Across the board, countries and cities across APAC could be more resilient to cyberattacks if they had more robust incident response plans in place and had more readily available access to experts. This would help them address immediate cyber requirements, such as a breach incident, as well as consider cyber security for transitions over a longer-term basis, such as moving to a cloud-based infrastructure.

As we analyze each market, however, there are some similarities and differences that should be recognized. 


  • Australia was the least likely to have an incident response plan in place, and Hong Kong was the most likely. 
  • Malaysia and the Philippines suffered the most incidents, while Hong Kong suffered the least.
  • Data loss was a concern across the board, but those in Indonesia were also more worried than others about the reputational damage of an incident. Singaporean businesses were primarily worried about business interruption.   

For specific findings and detailed overviews of the threat landscape for seven markets surveyed, please refer to the charts below. 

Key Recommendations for Enhancing Cyber Resilience

Adopting a proactive approach to cyber security can seem daunting; however, a pragmatic and structured roadmap with clearly defined steps can not only enhance security but also deliver peace of mind. Please refer to Kroll’s 10 Essential Cyber Security Controls, which includes:

Leverage MDR

Strengthen the organization’s cyber security posture via a managed detection and response (MDR) service. It monitors and responds to threats on a 7x24x365 basis to minimize impact.

Conduct Pentesting

Regular penetration testing (pentest) and assessments allow businesses to identify and address undiscovered or under-prioritized security vulnerabilities and mitigate them before they are exploited.

Implement IR Planning

Establish an incident response (IR) playbook with clear and specific steps to follow for incidents. It serves as a guide for effective and timely action and reduces delays in the response process.

Embed Key Controls

Organizations should embed cyber security within business practices and processes to strengthen their security and reduce the likelihood of cyberattacks.

Undertake TTX

A tabletop exercise (TTX) helps organizations understand their security vulnerabilities and adversaries through customized scenarios, which helps them improve and evolve their security programs.

Appoint a vCISO

vCISOs can help a company create/accelerate data security initiatives, inform management and validate existing programs for the board with unique perspectives on regulatory, technology and operational cyber impacts.



Global business continues to feel the impact of an onslaught of cyberattacks, and APAC is no exception, with 59% of organizations reporting an attack and 32% reporting multiple attacks. There is a further risk that this number will increase as the regulatory landscape continues to evolve and more incidents are reported.

Incident response plans, policies and recovery plans are invaluable when it comes to surviving a cyberattack, as is having access to experienced personnel. Currently, only two-thirds (64%) of organizations surveyed have plans in place, and a fraction less than that have access to cyber security specialists (62%), leaving around a third of businesses without sufficient plans or expertise to navigate an attack. 

Businesses have unsurprisingly focused on continuity and operational stability during the pandemic, but Kroll now urges businesses in these regions to consider scaling up response plans and investment in cyber expertise. It will enable them to remain resilient and recover quickly if an attack does occur, paying dividends in the long run. 

