The year 2025 has cemented a profound shift in Asia's cyber-regulatory landscape. For CISOs, auditors, and compliance officers, the game is no longer just about building higher walls.
Updated Cyber Security Acts and sweeping PDPA amendments have transformed compliance into a primary battlefield, where multi-million-dollar fines and operational suspensions are the new stakes for unpreparedness.
The challenge is harmonising a mosaic of evolving mandates across ASEAN while fending off relentless threats.
As Ananth Nag, vice president for Rubrik APAC, observes, the core philosophy has fundamentally changed: "Regulators now recognise and accept the asymmetry of prevention. You must be right 100% of the time, while the threat actor only has to be right once."
This acknowledgement is reshaping everything from data protection officer (DPO) obligations to incident response planning.
The new imperative: From prevention to assured resilience
The latest amendments to frameworks like Malaysia's PDPA and Brunei's PDPO are built on a stark reality: breaches are inevitable. Consequently, the focus has pivoted from prevention alone to a dual mandate of proactive protection and proven resilience.
DPOs are now tasked not only with safeguarding data but also with ensuring timely breach reporting—often within a 2-hour to 5-day window—and managing the fallout from any sensitive data leakage.
This "assume breach" mindset, as Nag calls it, is now non-negotiable. "Every board, every CIO, and every CISO understands that the asymmetry in cyber threats is unwinnable... Which means they must be prepared to respond. It's not about if; it's about when."
The strategic opportunity lies in using this regulatory pressure to build a more resilient, responsive organisation.
Critical infrastructure: A higher bar for core services
For organisations in utilities, transportation, and banking, designation as Critical Information Infrastructure (CII) brings heightened obligations. The resilience of these entities is now synonymous with national security and daily economic life.
Regulators are driving them to achieve a state where cyber recovery is as integral as operational continuity.
The path to this resilience, Nag explains, is built on visibility and prioritisation.
"The first thing they need as an enterprise is visibility into where their data resides. Second, they must know which critical applications deliver end-to-end services," says Nag.
This involves defining tier-zero applications—those essential to core services—and establishing clear Recovery Time Objectives (RTOs) to ensure that, for instance, a bank's payment systems are restored before its lending applications.
The regulatory clock starts ticking the moment an incident is detected. Across ASEAN nations like Singapore, Thailand, and Vietnam, mandatory reporting timelines are compressing, demanding embedded response protocols.
The format is clear: organisations must immediately inform regulators of the impact, assess the blast radius, and determine if sensitive data has been exfiltrated.
When a breach occurs, Nag states that leadership must have immediate answers to three critical questions:
How quickly can we return to operations by prioritising tier-zero applications?
What is the blast radius—which systems are affected?
Has sensitive data been leaked, and to what scale?
This requires meticulous pre-planning, including tabletop exercises to define cyber-RTOs and map critical data flows, ensuring essential services can be recovered within the mandated regulatory timelines.
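The three questions above are exactly what a tabletop exercise has to answer before an incident, not during one. The script below is an added example, not code from the article, from Rubrik or from any regulator: it takes a constructed application inventory with tiers, cyber-RTOs, measured restore times and dependencies, derives a recovery order (tier-zero first, dependencies before dependants), projects when each system is back given a number of parallel restore teams and flags RTO misses, computes the blast radius of a compromised system, and lists notification deadlines from the detection time. Every application, RTO, restore time and notification window is invented; the "regulator-A/B/C" windows only mirror the 2-hour to 5-day range mentioned above and are not any specific jurisdiction's rule.

```python
"""
Cyber-recovery tabletop helper.  Added example, not from the article or from
Rubrik: every application, tier, RTO, restore time and notification window
below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from graphlib import TopologicalSorter


@dataclass(frozen=True)
class App:
    name: str
    tier: int                # 0 = tier-zero (core service), higher = less critical
    rto_hours: float         # agreed cyber-RTO, measured from detection
    restore_hours: float     # time to rebuild from a known-clean copy (from drills)
    depends_on: tuple = ()   # apps that must be up before this one can serve


# Constructed inventory for a fictional bank (hypothetical names and values).
INVENTORY = [
    App("identity", 0, rto_hours=2, restore_hours=1.5),
    App("core-banking", 0, rto_hours=4, restore_hours=2, depends_on=("identity",)),
    App("payments", 0, rto_hours=4, restore_hours=1, depends_on=("core-banking", "identity")),
    App("lending", 1, rto_hours=7, restore_hours=3, depends_on=("core-banking",)),
    App("crm", 2, rto_hours=72, restore_hours=2, depends_on=("identity",)),
]

# Hypothetical reporting windows; real ones come from each regulator's rules.
NOTIFICATION_WINDOWS = {
    "regulator-A (hypothetical)": timedelta(hours=2),
    "regulator-B (hypothetical)": timedelta(hours=72),
    "regulator-C (hypothetical)": timedelta(days=5),
}
DETECTED_AT = datetime(2025, 9, 1, 9, 0)   # constructed detection time


def recovery_order(apps):
    """Dependency-respecting order: among apps whose dependencies are already
    restored, pick the lowest tier, then the tightest RTO (payments before lending)."""
    by_name = {a.name: a for a in apps}
    ts = TopologicalSorter({a.name: set(a.depends_on) for a in apps})
    ts.prepare()                       # raises CycleError on circular dependencies
    order, ready = [], set()
    while ts.is_active():
        ready.update(ts.get_ready())
        nxt = min(ready, key=lambda n: (by_name[n].tier, by_name[n].rto_hours, n))
        ready.remove(nxt)
        ts.done(nxt)
        order.append(nxt)
    return order


def schedule(apps, detected_at, lanes=1):
    """Project restore start/finish (hours after detection) with `lanes` parallel
    restore teams, greedily using the earliest-free lane, and flag RTO misses."""
    by_name = {a.name: a for a in apps}
    finish, lane_free, plan = {}, [0.0] * lanes, []
    for name in recovery_order(apps):
        app = by_name[name]
        deps_done = max((finish[d] for d in app.depends_on), default=0.0)
        lane = min(range(lanes), key=lambda k: lane_free[k])
        start = max(lane_free[lane], deps_done)   # wait for lane AND dependencies
        end = start + app.restore_hours
        lane_free[lane] = finish[name] = end
        plan.append({
            "app": name, "tier": app.tier, "start_h": start, "end_h": end,
            "rto_h": app.rto_hours, "meets_rto": end <= app.rto_hours,
            "restored_at": (detected_at + timedelta(hours=end)).isoformat(),
        })
    return plan


def blast_radius(apps, compromised):
    """Affected systems: the compromised apps plus everything that depends on
    them, transitively."""
    dependants = {}
    for a in apps:
        for d in a.depends_on:
            dependants.setdefault(d, set()).add(a.name)
    affected, stack = set(), list(compromised)
    while stack:
        n = stack.pop()
        if n not in affected:
            affected.add(n)
            stack.extend(dependants.get(n, ()))
    return affected


def notification_deadlines(detected_at, windows):
    """Regulatory clocks start at detection: (regulator, hours, deadline ISO 8601)."""
    rows = [(reg, w.total_seconds() / 3600, (detected_at + w).isoformat())
            for reg, w in windows.items()]
    return sorted(rows, key=lambda t: t[1])


if __name__ == "__main__":
    for row in schedule(INVENTORY, DETECTED_AT, lanes=2):
        flag = "ok      " if row["meets_rto"] else "RTO MISS"
        print(f'{flag} tier{row["tier"]} {row["app"]:<13} done +{row["end_h"]:.1f}h (RTO {row["rto_h"]}h)')
    print("blast radius if core-banking is hit:", sorted(blast_radius(INVENTORY, {"core-banking"})))
    for reg, hours, when in notification_deadlines(DETECTED_AT, NOTIFICATION_WINDOWS):
        print(f"notify {reg} within {hours:g}h, i.e. by {when}")
```

Running it surfaces the two kinds of finding a tabletop is meant to produce. With one restore team, both payments and lending miss their RTOs; with two teams, lending is back at +6.5h and passes, so that miss was a capacity problem. Payments still finishes at +4.5h against a 4-hour RTO no matter how many teams there are, because its dependency chain (identity, then core-banking, then payments) alone takes 4.5 hours to rebuild: that gap can only be closed by shortening restore times or renegotiating the RTO, and it is far better discovered in an exercise than in front of a regulator.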
The expanding web of third-party and supply chain risk
Geopolitical shifts are intensifying scrutiny on third-party risk. Vendor accountability is paramount, and contracts must be updated to mitigate cascading liability. Organisations are increasingly expecting their technology partners to provide tangible assurances.
"In the cybersecurity space, supply chain and vendors are critical to ensuring organisations remain sustainable," notes Nag.
He points to offerings like Rubrik's ransomware warranty—which includes a financial commitment of up to $10 million if a clean data recovery cannot be achieved—as the kind of transparent safeguard that will become a baseline expectation for customers and regulators alike, helping de-risk the supply chain.
The double-edged sword of AI governance
As enterprises rush to adopt AI for productivity, they simultaneously expose themselves to new forms of "AI disasters." Nag highlights two key risks: rogue agentic workflows and the explosion of non-human identities.
"We believe for every human identity, there could be 40–50 or even 100 non-human identities," he says. If compromised, these identity systems—now considered tier-zero assets—can bring an entire operation to a standstill. The ethical deployment of AI must therefore include robust recovery plans, such as the ability to 'rewind' an AI agent to a last known clean state, ensuring that the very tools used for efficiency do not become the source of existential disruption.
Future-proofing your compliance strategy
So, how does an organisation future-proof itself amid ASEAN's regulatory convergence?
The answer lies in moving beyond a checkbox mentality toward an integrated cyber governance strategy.
Board-level metrics must shift from purely preventive measures to resilience benchmarks, such as cyber RTOs and blast radius quantification. Strategic partnerships with regulators, built on transparency, are crucial.
Finally, anticipatory investment in ransomware and supply-chain resilience is no longer optional—it is a core component of corporate risk management. The dramatic growth of enterprise cyber insurance—from 3-4% pre-COVID to 30-40% today—is a clear market indicator of this new priority.
In this hardened landscape, the most successful organisations will be those that see regulation not as a burden, but as a catalyst.
By embedding resilience into their architecture and response into their culture, they can transform compliance from a battlefield into a foundation for enduring trust and operational continuity.
Click on the PodChats player and listen to Nag elaborate on navigating the new Cyber Security Act & PDPA.
How do the latest amendments to the PDPA and equivalent ASEAN frameworks (e.g., Malaysia's PDPA, Brunei's PDPO) redefine consent, DPO obligations, and lawful data processing for 2026?
Under the new Cyber Security Act, what designation criteria classify organisations as critical information infrastructure owners, and what heightened obligations follow?
What mandatory incident reporting timelines, formats, and cross-jurisdictional protocols must be embedded into our response plans for countries like Thailand, Vietnam, and Singapore?
How should CISOs evolve their incident response and breach notification strategies to align with the operational convergence of the Cyber Security Act and PDPA mandates?
Which sovereign cloud providers and data residency architectures satisfy both national regulations and the ASEAN Digital Economy Framework for cross-border flows?
What evidence of "reasonable security arrangements"—including DPIAs (impact assessment), encryption standards, and privacy-by-design—will regulators demand during audits across ASEAN?
How are third-party and supply chain obligations expanding under these acts, and how must vendor contracts and due diligence be updated to mitigate cascading liability?
In what ways are regulators leveraging AI for compliance monitoring—and how can we ethically deploy AI while meeting emerging governance mandates for automated decision-making?
What penalties (fines, imprisonment, operational suspension) should compliance heads budget for, and what cyber resilience benchmarks (e.g., NIST-aligned) must we certify against to avoid them?
How do we future-proof our compliance strategy amid ASEAN regulatory convergence—through board-level cyber governance metrics, strategic regulator partnerships, and anticipatory investment in ransomware/supply-chain resilience? What is your advice for navigating the New Cyber Security Act & PDPA in 2026?
Allan is Group Editor-in-Chief for CXOCIETY writing for FutureIoT, FutureCIO and FutureCFO. He supports content marketing engagements for CXOCIETY clients, as well as moderates senior-level discussions and speaks at events.
Previous Roles
He served as Group Editor-in-Chief for Questex Asia concurrent to the Regional Content and Strategy Director role.
He was the Director of Technology Practice at Hill+Knowlton in Hong Kong and Director of Client Services at EBA Communications.
He also served as Marketing Director for Asia at Hitachi Data Systems and as Country Sales Manager for HDS Philippines. Other sales roles include Encore Computer and First International Computer.
He was a Senior Industry Analyst at Dataquest (Gartner Group) covering IT Professional Services for Asia-Pacific.
He moved to Hong Kong as a Network Specialist and later MIS Manager at Imagineering/Tech Pacific.
He holds a Bachelor of Science in Electronics and Communications Engineering degree and is a certified PICK programmer.