CXOInsights by CXOCIETY

PodChats for FutureCISO: Regulatory Deep Dive: Navigating the New Cyber Security Act & PDPA

CXOCIETY | FutureCIO FutureCFO FutureIoT Season 6

In 2025, Asian CISOs navigate a hardened regulatory landscape where updated Cyber Security Acts and PDPA amendments significantly raise the stakes. With stringent new rules on cross-border data transfers, mandatory breach notifications, and AI governance, compliance is a primary battlefield. Regulators are flexing enhanced audit powers and levying multi-million-dollar fines, making unpreparedness a critical corporate risk.

The challenge lies in harmonizing these diverse, evolving mandates across jurisdictions while countering sophisticated threats like ransomware and cloud account takeovers. However, this pressure also creates strategic opportunities.

Joining us on this PodChats for FutureCISO is Ananth Nag, APAC VP, Rubrik.

QUESTIONS:

1. How do the latest amendments to the PDPA and equivalent ASEAN frameworks (e.g., Malaysia’s PDPA, Brunei’s PDPO) redefine consent, DPO obligations, and lawful data processing for 2026?

2. Under the new Cyber Security Act, what designation criteria classify organisations as critical information infrastructure owners—and what heightened obligations follow?

3. What mandatory incident reporting timelines, formats, and cross-jurisdictional protocols must be embedded into our response plans for countries like Thailand, Vietnam, and Singapore?

4. How should CISOs evolve their incident response and breach notification strategies to align with the operational convergence of the Cyber Security Act and PDPA mandates?

5. Which sovereign cloud providers and data residency architectures satisfy both national regulations and the ASEAN Digital Economy Framework for cross-border flows?

6. What evidence of “reasonable security arrangements”—including DPIAs (data protection impact assessments), encryption standards, and privacy-by-design—will regulators demand during audits across ASEAN?

7. How are third-party and supply chain obligations expanding under these acts, and how must vendor contracts and due diligence be updated to mitigate cascading liability?

8. In what ways are regulators leveraging AI for compliance monitoring—and how can we ethically deploy AI while meeting emerging governance mandates for automated decision-making?

9. What penalties (fines, imprisonment, operational suspension) should compliance heads budget for, and what cyber resilience benchmarks (e.g., NIST-aligned) must we certify against to avoid them?

10. How do we future-proof our compliance strategy amid ASEAN regulatory convergence—through board-level cyber governance metrics, strategic regulator partnerships, and anticipatory investment in ransomware/supply-chain resilience? What is your advice for navigating the new Cyber Security Act and PDPA in 2026?