New obligations on owners of "Critical Information Infrastructure", which includes computer systems critical to the economy, will take effect in 2018, alongside increased regulatory scrutiny.
In Singapore, a new Cybersecurity Act (the Act) is due to come into force in mid-2018, having been passed by Parliament on 5 February 2018. The Act aims to strengthen the protection of computer systems and to create a new regulatory framework for preventing, responding to and reporting on cybersecurity threats.
Requirements under the Cybersecurity Act
The Cybersecurity Act imposes various statutory obligations in relation to Critical Information Infrastructure (CII), including for CII owners to:
- report certain cybersecurity incidents and data breaches to the Cyber Security Agency of Singapore (CSA)
- comply with codes of practice and performance standards
- conduct cybersecurity audits and risk assessments, and
- participate in cybersecurity exercises.
The Act also sets out general investigative powers of the CSA over computer systems (whether CII or not) in relation to cybersecurity threats and incidents, and establishes a licensing regime for certain cybersecurity service providers (for example, providers of penetration testing services), from which "in-house" services are excluded.
Non-compliance with these obligations is an offence; offenders face a fine of up to S$100,000, imprisonment of up to two years, or both.
How do I know if I am a CII owner?
Any entity (whether local or foreign) may be an owner of CII if, in essence, it has computers or computer systems (located wholly or partly in Singapore) that are necessary for the continuous delivery of "essential services" relating to the running of the country (i.e. national security, defence, the economy, foreign relations, public health, public safety and public order). The First Schedule of the Act currently lists 7 essential services relating to banking and finance. New essential services may be added from time to time if necessary.
CII designation is intended by the Singapore authorities to be a consultative process, and there are prescribed timelines to appeal against any such designation.
The CSA has already consulted the sector regulators in identifying potential CII, and has engaged potential CII owners twice since July 2016 during the consultation on the Act. Potential CII owners will therefore already have heard from the regulator and should know who they are.
Relationship with existing legislation in Singapore
The Cybersecurity Act forms part of a wider legislative framework in Singapore relating to cybersecurity and data protection, which includes the Personal Data Protection Act 2012 (PDPA) and the Computer Misuse and Cybersecurity Act 2007 (CMCA).
For example, section 24 of the PDPA obliges organisations to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access. An organisation that fails to employ reasonable measures to protect personal data may be liable to a financial penalty of up to S$1 million.
In addition, the Act will build on the powers available under section 15A of the CMCA by providing further powers that focus explicitly on cybersecurity. Section 15A allows the Government to make requests for information to protect against cybersecurity threats, but it does not mandate CII incident reporting or facilitate the sharing of cybersecurity information with the Government. The Cybersecurity Act addresses these gaps.
MAS also plans to update TRM Guidelines (Banking and Finance Sector)
While the Act is a new development, the banking and finance sector already faces regulatory scrutiny in this area from the Monetary Authority of Singapore (MAS). For example, the Notice on Technology Risk Management (TRM) imposes various obligations on regulated financial institutions, such as to:
- maintain a high availability of critical systems
- establish a recovery time objective for each critical system
- notify and submit a report to the MAS of a relevant incident, and
- implement IT controls to protect customer information from unauthorised access or disclosure.
The MAS also recently announced that it is planning to update its TRM Guidelines, including by providing specific guidance on cybersecurity operations, surveillance, assessment and exercises, and by setting out risk management principles relevant to new technologies. The revised guidelines are likely to raise the risk management standards expected of regulated institutions in Singapore. The MAS has issued separate announcements to asset managers and to banks.
Unsurprisingly, cybersecurity and technology risk management will remain at the forefront of the regulatory agenda in Singapore.
This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.