The outsourcing industry in the Philippines is projected to top $25 billion in revenues in 2017. The industry is the fastest growing sector in the country, and it continues to grow with an average annual expansion rate of 20%. Outsourcing is projected to become the country’s biggest source of foreign exchange income in 2017, and the World Bank estimates that the industry could top $50 billion in revenue by 2020.
Notwithstanding these impressive statistics and projections for future growth, the outsourcing industry faces an existential threat. Outsourcing is based on client trust: trust that the sensitive client information given to an outsourcing company will be handled responsibly and securely. As a result, outsourcing is particularly vulnerable to cyber risk – and cyber attacks are on the rise around the world.
Therefore, it is imperative that companies that outsource to the Philippines and companies with outsourcing operations in the Philippines take concrete steps now to:
1. Schedule an independent assessment of their cyber risk to identify information security gaps and develop plans to remediate those risks, and
2. Establish an actionable and up-to-date incident response plan that complies with the laws and regulations of:
i. the Philippines,
ii. the “home” country and state of the company outsourcing the work,
iii. the regulatory agency, if any, overseeing the company outsourcing the work, and
iv. the country and state where the ultimate owners of the client information reside.
The Year of the Hack
2016 might just be remembered as the year of the hack. Aside from the ongoing hacking allegations associated with the US presidential elections, Yahoo announced one of the largest hacks in history only to be outdone by its subsequent announcement of an even larger hack involving more than one billion user accounts. In October, in what is now regarded as the biggest denial-of-service attack to date, vast numbers of internet users in Europe and North America were unable to connect to hundreds of websites, including Twitter, Amazon, and Netflix.
Cyber risk knows no boundaries, and the Philippines is by no means immune from cyber incidents. In April 2016 – one month before the Philippine presidential elections – the Philippine Commission on Elections was hacked and voter registration information was made available online. The incident was the biggest government-related data breach in history, and included “the fingerprints of 15.8 million individuals, and passport numbers and expiry dates of 1.3 million overseas voters.” As a result of this hack, CNN reported that “every registered voter in the Philippines is now vulnerable to fraud and other risks based on its investigation.”
Taking Action to Mitigate Increasing Risks
Unfortunately, 2016 is not expected to be an anomaly. Indeed, the frequency and severity of cyber incidents are only projected to increase in 2017. Not surprisingly, given the potential for business disruption, the considerable out-of-pocket costs associated with responding to a cyber incident, and the loss of client trust, the private sector is taking action. Fueled by the slate of corporate and government hackings, corporate America has made cyber insurance the fastest-growing insurance product in the US. The Plaintiffs’ Bar has also taken notice of cyber incidents by filing a growing number of lawsuits and exploring new theories of recovery and standing.
Governments across the globe have raised the stakes by enacting increasingly stringent laws and regulations to ensure that companies that handle nonpublic information are doing so in a secure manner that will deter hackers from accessing, obtaining, and misusing the information. New cyber laws and regulations have been proposed or are slated for implementation in the US, China, the EU, and the Philippines. Moreover, the cyber law in the Philippines, unlike its counterparts in other jurisdictions, contains criminal penalties that include imprisonment for up to seven (7) years. These criminal penalties are more than a theoretical concept. On December 28, 2016, the Philippine National Privacy Commission recommended that the Philippine Department of Justice file criminal charges against the chairman of the Commission on Elections due to the hack in April 2016, referenced above.
All told, the cyber landscape has shifted dramatically: cyber risks have increased, compliance with overlapping and evolving national and state laws and regulations has become more complex, and the pace of change is likely to increase. As a result, the overall risk to the outsourcing industry may never have been higher.
Hickey Smith is uniquely qualified to advise the outsourcing industry in this critical area. Our firm takes a holistic approach to advising outsourcing clients concerning cyber issues while maintaining the confidentiality protections afforded by the attorney-client privilege and work product doctrine. Hickey Smith has a California bar-admitted partner resident in the Philippines to better service its clients on a real-time basis.
A leader in cybersecurity, Hickey Smith is one of only a handful of law firms certified under ISO 27001:2013 for information security, and managing partner David M. Hickey was named a Cybersecurity & Data Privacy Trailblazer by the National Law Journal in 2015. Hickey Smith is fully compliant with the New York Department of Financial Services’ revised cybersecurity regulations issued on December 28, 2016.
For more information, please contact one of our cybersecurity team leaders.
David Hickey at firstname.lastname@example.org or 626-737-9505
Rene Kahn at email@example.com or 626-737-6236
Jason Balogh at firstname.lastname@example.org or 415-813-4455