
Singapore: Cybersecurity


1. GOVERNING TEXTS

1.1. Legislation

The Cybersecurity Act 2018 ('the Cybersecurity Act') and the Cybersecurity (Critical Information Infrastructure) Regulations 2018 ('the Cybersecurity Regulations') set out the regulatory framework governing cybersecurity in Singapore.

The Cybersecurity Act provides for the appointment of a Cybersecurity Commissioner, who is the CEO of Singapore's cybersecurity regulatory authority, the Cybersecurity Agency of Singapore ('CSA'), and has extensive powers to regulate cybersecurity in Singapore. While the CSA has powers that apply to all computer or computer systems, the Cybersecurity Act specifically imposes cybersecurity obligations on owners of critical information infrastructure ('CII') that provide essential services in Singapore, such as in the sectors of energy, info-communications, water, healthcare, as well as banking and finance.

The Cybersecurity Act also provides for a licensing framework for certain cybersecurity service providers.

The Computer Misuse Act 1993 ('CMA') criminalises certain acts involving unauthorised access, modification, or obstruction of the use of computers and computer material.

The Personal Data Protection Act 2012 ('PDPA') governs the collection, use, and disclosure of an individual's personal data by organisations, and also contains Do Not Call provisions that prohibit organisations from sending certain marketing messages to Singapore telephone numbers. The PDPA imposes obligations on organisations to protect personal data in its possession or under its control (Section 24 of the PDPA) and requires organisations to ensure that the relevant computer systems are secured. In addition, the Personal Data Protection (Amendment) Act 2020 was passed by Parliament on 2 November 2020 and partially entered into effect on 1 February 2021.

1.2. Regulatory authority 

CSA

The Cybersecurity Act provides for the appointment of a Cybersecurity Commissioner, who is the CEO of Singapore's cybersecurity regulatory authority, the CSA, and has extensive powers to regulate cybersecurity in Singapore.

The CSA oversees national cybersecurity matters in Singapore and has extensive powers to respond to, prevent, and monitor cybersecurity incidents and threats in Singapore.

For example, the CSA is empowered to monitor cybersecurity threats, establish standards relating to cybersecurity providers as well as products, and advise the Government of Singapore ('the Government') on cybersecurity issues (Section 5 of the Cybersecurity Act). Where there is information on cybersecurity threats or incidents, the CSA has powers to investigate and prevent such threats or incidents and direct any person to carry out remedial measures or cease certain activities if these threats or incidents are serious (Sections 19 and 20 of the Cybersecurity Act).

The CSA also has powers to issue fines in certain situations of non-compliance, such as where a person fails to furnish information relating to a CII when directed by the CSA, or fails to comply with the CSA's written directions (Sections 8 and 10 of the Cybersecurity Act).

Apart from its enforcement powers, the CSA also engages with various industries and the public to increase cybersecurity awareness in Singapore through public outreach programs and the promotion of security-by-design. The CSA has also launched a Cybersecurity Labelling Scheme ('CLS') that provides different cybersecurity rating levels for registered smart devices that currently comprise Wi-Fi routers (residential gateways) and all categories of consumer Internet of Things ('IoT') devices.

Further, the CSA works with sector leads to protect Singapore's CII. Specifically, it may designate certain computer systems as CII and conduct cybersecurity exercises to test the readiness of CII owners in responding to cybersecurity incidents (Sections 7 and 16 of the Cybersecurity Act).

Moreover, the CSA works closely with sector leads to coordinate or supplement cybersecurity efforts across all sectors, and officers from sector regulators may be appointed as assistant commissioners to oversee and enforce cybersecurity requirements on the CII owners.

Other sector leads, which may or may not be regulators with general oversight of their respective sectors, have a better understanding of the unique contexts and complexities of their sectors but may not have the same capabilities or statutory powers as the CSA to regulate cybersecurity matters.

PDPC

The Personal Data Protection Commission ('PDPC') is the authority with oversight of personal data in Singapore, developing as well as implementing policies relating to personal data protection, including regulations and advisory guidelines. The PDPC has powers to investigate whether an organisation is in compliance with the PDPA.

Recognising the importance and relevance of technological solutions and cybersecurity concerns in data protection, the PDPC has issued advisory guidelines highlighting issues organisations should take into consideration when implementing solutions to fulfil their obligations.

IMDA

The Infocomm Media Development Authority ('IMDA') regulates the info-communications and media sector in Singapore. The IMDA does not have specific enforcement powers in relation to cybersecurity matters but has powers to issue guidance and establish standards of practice within the info-communications and media sector. Specifically, the IMDA has issued the telecommunication cybersecurity codes of practice for compliance by all internet service providers ('ISPs'), as well as technical specifications for residential gateways. Wi-Fi home routers that meet these specifications qualify for Level 1 of the CSA's CLS.

MAS

The Monetary Authority of Singapore ('MAS') is the financial regulatory authority and central bank. Apart from implementing economic policies in Singapore and managing Singapore's official foreign reserves, the MAS also regulates financial institutions and other entities in the financial sector including businesses that provide any service dealing in digital payment tokens or any service facilitating the exchange of digital payment tokens. The MAS has powers to issue codes, guidelines, notices, and regulations that impose legal obligations on financial institutions and other entities in the financial sector to comply with broad cybersecurity practices.

These include the following guidance, which stipulates certain cybersecurity practices that financial institutions are expected to adopt:

The MAS also has the power to issue fines or revoke licences where a financial institution contravenes its directions.

For further information on the MAS, please see section 9 below on sector-specific requirements.

EMA

The Energy Market Authority ('EMA') regulates Singapore's electricity and gas industries as well as district cooling services. The EMA is also responsible for ensuring a reliable and secure energy supply, as well as promoting and developing the energy sector in Singapore.

For further information on the EMA, please see section 9 below on sector-specific requirements.

1.3. Regulatory authority guidance

CSA

The CSA has issued a Cybersecurity Code of Practice for CII ('the Cybersecurity Code'), which specifies the minimum protection policies that all CII operators must implement to ensure the cybersecurity of their CII.

Some obligations of CII operators include:

  • establishing in writing a cybersecurity risk management framework;
  • regularly monitoring cybersecurity risks identified (by way of a risk register); and
  • implementing policies, standards, and guidelines to manage cybersecurity risks, which must be aligned with the Cybersecurity Code and communicated to all personnel and external parties who act on or have access to the CII.

The CSA also issued supplementary references to help owners of CII establish a secure and resilient cybersecurity network. One such supplementary reference is the Security by Design Framework, which provides guidance to organisations on how they may integrate security into every step of their systems development lifecycle, starting from the initiation and leading right up to the eventual disposal of the system. This is complemented by the Security by Design Framework Checklist, which is a step-by-step worksheet to aid cybersecurity practitioners in adopting the Security by Design Framework. To assist in cybersecurity risk management, the CSA has also issued a Guide to Auditing CII and a Guide to Conducting Cybersecurity Risk Assessment for CII.

PDPC

In relation to the protection of personal data, the PDPC has issued the Advisory Guidelines on Key Concepts in the PDPA ('the Advisory Guidelines on Key Concepts'), wherein Chapter 17 specifically details guidance regarding an organisation's obligations to protect personal data.

Chapter 17 of the Advisory Guidelines on Key Concepts generally states that each organisation's security arrangements relating to personal data should be reasonable and appropriate in the circumstances, considering the form and nature of the personal data collected. This may include commissioning trained professionals to ensure information security and the performance of a risk assessment exercise to assess the adequacy of its IT security arrangements.

CSA and PDPC

Additionally, the CSA and the PDPC have collaborated to issue guides on how an organisation may protect its data from cyber threats and how data breaches may be prevented:

MAS

In relation to the financial sector, the MAS issued the revised Technology Risk Management Guidelines ('TRM Guidelines') in January 2021. The TRM Guidelines outline industry best practices that financial institutions are expected to adopt and detail risk management principles with respect to cybersecurity to address risks of data theft, loss, and leakage. The revised TRM Guidelines:

  • expand the roles and responsibilities of the board of directors for the implementation of risk management and internal control practices;
  • require more stringent controls and assessments of vendors and third parties accessing the IT systems of financial institutions; and
  • introduce guidance for financial institutions to monitor and share information about threats, establish cybersecurity incident response and management plans, and conduct cybersecurity assessments and scenario-based exercises in the form of adversarial red-team attacks to validate response and management plans.

In August and December 2019, the MAS issued a series of Notices on Cyber Hygiene for various industries under its supervision, listing a set of essential practices that financial institutions must comply with to manage cyber threats. The Notices on Cyber Hygiene came into effect in August 2020 and made key elements of the TRM Guidelines (and subsequent revisions) legally binding.

EMA

The EMA has issued codes setting out standards of performance and conditions expected of licensees and market participants, namely:

Cybersecurity requirements are not set out in detail in most of the codes but form part of the general security obligations expected of licensees and market participants in ensuring that their solutions are generally secure and that the electricity, gas, and district cooling systems and infrastructure remain secure.

2. SCOPE OF APPLICATION

Cybersecurity Act

The Cybersecurity Act imposes cybersecurity obligations on CII owners and sets out a licensing regime for the licensing of service providers of certain cybersecurity services.

Personal scope

Obligations are generally imposed on the CII owners, but officers or managers of the CII owner can be personally liable if the CII owner has committed an offence because the officer or manager:

  • consented or connived, or conspired with others, to effect the commission of the offence;
  • is in any other way, whether by act or omission, knowingly concerned in, or is party to, the commission of the offence; or
  • knew or ought reasonably to have known that the offence (or an offence of the same type) would be or is being committed and failed to take all reasonable steps to prevent or stop the commission of that offence.

Territorial scope

The main focus of the Cybersecurity Act is to establish a legal framework for the oversight and maintenance of national cybersecurity, in particular strengthening the protection of CII in Singapore.

CII, by definition, are computers or computer systems located wholly or partly in Singapore that are necessary for the continuous delivery of essential services and would be subject to oversight under the Cybersecurity Act.

Foreign entities that own CII must still comply with the relevant provisions of the Cybersecurity Act.

Material scope

The obligations expected of CII owners include:

  • establishing in writing a cybersecurity risk management framework;
  • regularly monitoring cybersecurity risks identified (by way of a risk register); and
  • implementing policies, standards, and guidelines to manage cybersecurity risks, which must be aligned with the Cybersecurity Code and communicated to all personnel and external parties who act on or have access to the CII.

PDPA

Personal scope

The data protection provisions of the PDPA generally apply to organisations. Organisations are defined in the PDPA to include individuals, companies, associations, or bodies of persons, corporate or unincorporated.

Territorial scope

The definition of organisations in the PDPA includes organisations that are:

  • formed or recognised under the law of Singapore; or
  • resident, or having an office or a place of business, in Singapore.

This would include foreign entities and individuals.

Material scope

The PDPA governs the collection, use, and disclosure of an individual's personal data by organisations. The PDPA imposes obligations on organisations to protect personal data in its possession or under its control and requires organisations to ensure that the relevant computer systems are secured.

CMA

Personal scope

The CMA applies to persons, which include individuals, companies, associations, or bodies of persons, corporate or unincorporated.

Territorial scope

The CMA expressly provides that its provisions, and offences created therein, have effect in relation to any person regardless of nationality or citizenship, outside as well as within Singapore. Furthermore, a person in any place outside Singapore who commits an offence under the CMA may be dealt with as if the offence had been committed within Singapore.

Material scope

The CMA criminalises:

  • certain activities such as hacking and denial-of-service ('DoS') attacks;
  • the supply, possession, or use of hardware, software, or other tools to commit offences; and
  • the supply, misuse, or acquisition of personal information in contravention of certain provisions of the CMA.

MAS

The MAS is empowered under several pieces of legislation to issue codes, guidelines, notices, and regulations affecting financial institutions and other entities in the financial sector. These include banks, finance companies, insurance companies, capital markets licence holders, and financial advisors.

Personal scope

The MAS has supervisory powers over corporate or unincorporated entities, officers, managers, or individuals depending on the specific legislation.

Territorial scope

Depending on the specific legislation, foreign entities or individuals whose conduct has an effect in Singapore may be subject to licensing requirements and/or the MAS' supervisory powers, and would be subject to the codes, guidelines, notices, and regulations issued by the MAS.

Material scope

Depending on the specific legislation, entities or individuals under the MAS' supervisory powers are required to do the following (non-exhaustive list):

  • implement risk management and internal control practices;
  • implement appropriate security solutions to address risks of data theft, loss, and leakage;
  • implement stringent controls and assessments of vendors and third parties accessing the IT systems of financial institutions;
  • monitor and share information about threats;
  • establish cybersecurity incident response and management plans; and
  • conduct cybersecurity assessments and scenario-based exercises in the form of adversarial red-team attacks to validate response and management plans.

3. DEFINITIONS

Critical information infrastructure: As specified in Section 7(1) of the Cybersecurity Act, CIIs in Singapore are designated by the Commissioner of Cybersecurity and are computers or computer systems that are necessary for the continuous delivery of an essential service, the loss of which would have a debilitating effect on the availability of essential services in Singapore, and that are located wholly or partly in Singapore.

Specifically, the First Schedule of the Cybersecurity Act lists 11 sectors that provide essential services and in which computer systems may be designated as CII:

  • energy;
  • info-communications;
  • water;
  • healthcare;
  • banking and finance;
  • security and emergency services;
  • aviation;
  • land transport;
  • maritime;
  • government functions; and
  • media.

Chief information officer / chief technology officer / head of information technology: Reflecting the approach that actual roles and responsibilities are of greater concern than actual titles, these are not expressly defined in statutes, but references are found in the TRM Guidelines. These are referenced in the TRM Guidelines as an individual who is principally responsible for establishing and implementing the overall information technology strategy, overseeing the day-to-day information technology operations, and managing the information technology risks of the financial institution.

Chief information security officer / head of information security: Reflecting the approach that actual roles and responsibilities are of greater concern than actual titles, these are not expressly defined in statutes, but references are found in the TRM Guidelines. These are referenced in the TRM Guidelines as an individual who is principally responsible for the information security strategy and program of the financial institution, including but not limited to information security policies and procedures to safeguard information assets, information security controls, and the management of information security.

Cybersecurity incident: As defined in the Cybersecurity Act, a cybersecurity incident means an act or activity carried out without lawful authority on or through a computer or computer system that jeopardises or adversely affects its cybersecurity or the cybersecurity of another computer or computer system.

Cybersecurity officer: As defined in the Cybersecurity Act, a cybersecurity officer is a public officer appointed in writing by the Commissioner of Cybersecurity as necessary to carry the Cybersecurity Act into effect.

Cybersecurity Risk Management Framework: As referenced in the Cybersecurity Code issued by the CSA, CII owners are required to establish in writing a cybersecurity risk management framework that includes:

  • roles and responsibilities in managing cybersecurity risk, including reporting lines and accountabilities;
  • identification and prioritisation of CII assets;
  • the organisation's cybersecurity risk appetite, as well as thresholds or limits for residual risk;
  • cybersecurity risk assessment methodology; and
  • treatment and monitoring of cybersecurity risk.

Cybersecurity service provider: Providers of licensable cybersecurity services must be licensed under the Cybersecurity Act (Section 24 of the Cybersecurity Act). The licensable cybersecurity services are:

  • managed security operations centre monitoring services, i.e. services that assess the level of cybersecurity of a computer or computer system by identifying and scanning information in the computer or computer system; and
  • penetration testing services, i.e. services that evaluate the level of cybersecurity of a computer or computer system by searching for vulnerabilities in, and compromising, the cybersecurity defences of the computer or computer system.

Data protection management program: The PDPC has issued a Guide to Developing a Data Protection Management Programme ('DPMP') for the development and implementation of policies and practices necessary for the organisation to comply with the PDPA. The DPMP is a systematic framework to help organisations establish a robust data protection infrastructure. It covers management policies and processes for the handling of personal data, as well as defines the roles and responsibilities of the people in the organisation in relation to personal data protection.

Data protection officer: This is not expressly defined under the PDPA but is referenced in Guidelines on Data Protection Officers issued by the PDPC. A data protection officer ('DPO') or multiple DPOs are designated by organisations and are responsible for overseeing the organisation's data protection responsibilities and ensuring compliance with the PDPA. The DPO function may be a dedicated responsibility or added to an existing role in the organisation. The appointed DPO may also delegate certain responsibilities to other officers.

Personal data: As defined under the PDPA, personal data means data, whether true or not, about an individual who can be identified:

  • from that data; or
  • from that data and other information to which the organisation has or is likely to have access.

Technology risk management framework: As referenced in the TRM Guidelines, financial institutions are expected to establish a risk management framework to manage technology risks. The technology risk management framework should include:

  • appropriate governance structures and processes with well-defined roles, responsibilities, and clear reporting lines across the various organisational functions;
  • effective risk management practices and internal controls to achieve data confidentiality and integrity, system security and reliability, as well as stability and resilience in the IT operating environment;
  • identification of the relevant risk owner accountable for ensuring proper risk treatment measures are implemented and enforced for a specific technology risk;
  • risk identification, i.e. identifying threats and vulnerabilities to the financial institution and information assets;
  • risk assessment, i.e. assessing the potential impact and likelihood of threats and vulnerabilities to the financial institution and information assets;
  • risk treatment, i.e. implementing processes and controls to manage technology risks posed to the financial institution and protect the confidentiality, integrity, and availability of information assets; and
  • risk monitoring, review, and reporting, i.e. monitoring and reviewing technology risks, which include risks that customers are exposed to, changes in business strategy, IT systems, and environmental or operating conditions.

4. IMPLEMENTATION OF AN INFORMATION MANAGEMENT SYSTEM/FRAMEWORK

Most, if not all, organisations will need to have policies and practices in place to protect personal data (such as employee personal data). This may be the main focus of their information management system or framework, or a subset of a broader system or framework.

The requirements to implement an information management system or framework, and the specifics therein, vary depending on the industry and regulator. Even within the same industry, the specifics of the system or framework will vary depending on the organisation's risk profile.

4.1. Cybersecurity training and awareness

CSA

The Cybersecurity Code issued by the CSA requires CII owners to establish a cybersecurity awareness program to educate and build cybersecurity awareness for their employees, contractors, and third-party vendors. The program needs to be reviewed once every 12 months and should minimally include:

  • awareness activities for all categories of personnel;
  • dissemination of respective groups' and individuals' responsibilities for cybersecurity of CII;
  • awareness of cybersecurity laws, regulations, codes of practice, policies, standards, and procedures pertaining to the usage, deployment, and access to CII; and
  • regular and timely communication covering general cybersecurity awareness messages and prevailing cybersecurity threats, impacts, and mitigations.

PDPC

Guidelines issued by the PDPC set out different types of training for different groups of stakeholders such as the board of directors, senior management, and staff in general. These include training for the board of directors on the inclusion of personal data protection risks into the corporate risk management framework, and training for senior management on rationalising business benefits of personal data protection, key roles of senior management, and establishing risk reporting structures to identify and manage risks.

MAS

The TRM Guidelines require financial institutions to implement a comprehensive IT security awareness training program for all staff in the financial institution. The program should minimally include information on the prevailing cyber threat landscape and its implications, the financial institution's internal security policies and standards, and the individual staff's responsibility to safeguard information assets.

The TRM Guidelines also specify that the board of directors should undergo training to raise awareness of risks associated with the use of technology and enhance their understanding of technology risk management practices.

4.2. Cybersecurity risk assessments

CSA

The Cybersecurity Act imposes obligations specifically on owners of a CII to establish mechanisms and processes to detect cybersecurity threats and incidents in respect of CIIs, in compliance with any codes of practices issued or approved by the CSA (Section 14 of the Cybersecurity Act) and regularly carry out cybersecurity audits and risk assessments in relation to its CII (Section 16 of the Cybersecurity Act).

Cybersecurity risk assessments of a CII must:

  • identify, as far as reasonably practicable, every cybersecurity risk to the CII;
  • evaluate the likelihood of the occurrence and possible consequences of the risk; and
  • identify the action that the owner of the CII will take with respect to each identified risk (Regulation 6(1)(a) of the Cybersecurity Regulations).

PDPC

With respect to personal data, an organisation must develop and implement policies and practices necessary to meet its obligations under the PDPA (Section 12(a) of the PDPA). The exact scope of an organisation's obligations is not specifically defined under the PDPA. However, the PDPC has issued non-mandatory risk management guidelines that organisations are encouraged, but not legally obliged, to comply with. These include the implementation of the DPMP as well as the use of Data Protection Impact Assessments ('DPIAs') at various points of the data lifecycle.

Further, where an organisation wishes to transfer data to a country outside of Singapore, it must provide a standard of protection to the personal data transferred that is comparable to the protection available under the PDPA (Section 26(1) of the PDPA).

MAS

The TRM Guidelines require financial institutions to incorporate and conduct risk assessments at various levels and stages of their operations. The risk assessments should involve an analysis of the impact and consequences of existing and new threats and vulnerabilities on overall business and operations, taking into consideration financial, operational, legal, reputational, and regulatory factors. Criteria should be established to measure and determine the likelihood and impact of risk scenarios in order to facilitate the prioritisation of technology risks.

4.3. Vendor management

CSA

The Cybersecurity Code issued by the CSA requires CII owners to ensure that vendors' access to the CII's interfaces and service applications is:

  • made only under the supervision of the CII owner; and
  • performed on-site where possible.

Further, CII owners are required to put in place controls for mitigating the risks associated with the vendor's access, process, storage, communication, and operation of CII in the service level agreement or terms of the contract with the vendor. This may include external validation of the vendor's compliance such as by way of third-party review and product validation.

It is also emphasised that CII owners remain responsible and accountable for the maintenance of the cybersecurity of the CII even if any of its operations are outsourced.

PDPC

Guidelines issued by the PDPC encourage organisations to clearly communicate the organisation's personal data protection requirements to their vendors. It is important that the binding contractual agreement between the organisation and their vendors highlights the responsibilities of vendors with regard to the protection of the personal data both where such data is transferred to the vendor to be processed, or where the organisation uses the products or services of the vendor with no transfer of personal data.

MAS

The TRM Guidelines require financial institutions to establish standards and procedures for vendor evaluation and selection at a level that should be commensurate with the criticality of the project deliverables. Financial institutions are required to assess the robustness of the vendor's software development and quality assurance practices and ensure stringent security practices are in place to safeguard and protect any sensitive data the vendor has access to over the course of the project. Vendor access to the financial institution's IT systems should be controlled and monitored.

4.4. Accountability/record keeping

CSA

The Cybersecurity Code issued by the CSA requires independent cybersecurity audits pursuant to Section 15(1)(a) of the Cybersecurity Act to be conducted at least once every two years or at such higher frequency as may be directed. The scope of the audit must include:

  • all CII owned by the CII owners; and
  • compliance with the Cybersecurity Act, the Cybersecurity Code, and any applicable codes of practice, codes of standards of performance, and directions that may have been issued.

CII owners are required to establish mechanisms and processes for:

  • detecting all cybersecurity events in respect of its CII;
  • collating and analysing the cybersecurity events detected; and
  • identifying whether there are any cybersecurity threats or cybersecurity incidents in respect of the CII.

These mechanisms and processes should be reviewed at least once every 24 months.

CII owners are also required to adopt the Security by Design Framework established by the CSA to the extent that it is applicable to the CII's system development lifecycle. CII owners will need to provide explanations regarding how and why any part of the framework is not applicable.

PDPC

Guidelines issued by the PDPC strongly encourage organisations to include processes as part of data protection management. This includes documenting personal data flows in the organisation and adopting accountability tools to monitor data access and usage as well as to address gaps.

The PDPC also encourages organisations to adopt the Data Protection by Design approach from the earliest possible design stage of any project and throughout the project's lifecycle.

MAS

The TRM Guidelines require financial institutions to ensure that they identify a comprehensive set of auditable areas so an effective risk assessment can be performed. IT audits should be performed to provide an independent and objective opinion of the adequacy and effectiveness of the financial institution's risk management, governance, and internal controls relative to existing and emerging technology risks. The IT auditors should have the requisite level of competency and skills to effectively assess and evaluate the adequacy of IT policies, procedures, processes, and controls implemented.

The TRM Guidelines also require financial institutions to adopt a Security by Design approach in managing their system development lifecycle. Financial institutions should incorporate security in every phase of their system development lifecycle to minimise system vulnerabilities and reduce the attack surface.

5. DATA SECURITY

CSA

The Cybersecurity Code issued by the CSA requires CII owners to ensure that access to the CII is restricted to authorised personnel and activities and authorised process interfaces and devices. This requires the implementation of authentication techniques that are commensurate with the risk profiles for each mode of access. CII owners are also required to maintain logs of all access and attempts to access a CII and review such logs regularly for any anomalous activities.

CII owners are required to establish and implement security baseline configuration standards for all operating systems, applications, and network devices of the CII and should address the following:

  • least access privilege and separation of duties;
  • enforcement of password complexities and policies;
  • removal of unused accounts;
  • removal of unnecessary services and applications;
  • closure of unused network ports;
  • protection against malware; and
  • timely update of software and security patches that are approved by system vendors.

Remote connections to the CII should be subject to the following practices:

  • where functionally possible, enable the connection to or from a remote site only when required;
  • implement strong authentication techniques, transmission security, and message integrity, where available;
  • implement encryption for all network connections;
  • disallow remote connection from issuing system commands that would impact the CII operation, unless explicitly authorised due to business need; and
  • limit data flow to only the minimum function required of the connection.

Connection and use of removable storage media should be strictly controlled by CII owners by adopting the following measures:

  • where the function is available, disable all external connection ports supporting removable storage media and portable computing devices, and enable only when required;
  • use only storage media authorised after the necessary risk assessment and authentication;
  • check that all removable storage media and portable computing devices are free of malware prior to connecting to the CII; and
  • any sensitive CII information on removable storage media should be encrypted.

PDPA

The PDPA does not prescribe specific security arrangements that must be undertaken by organisations. Organisations are required to make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks.

The PDPC has issued guides to aid organisations in designing their ICT systems and securing personal data in electronic mediums (see the PDPC's Guide to Data Protection by Design for ICT Systems, published in conjunction with Hong Kong's Privacy Commissioner for Personal Data ('PCPD'), and the Guide to Securing Personal Data in Electronic Medium). These guides include the following recommendations:

  • implementing end-to-end security in the complete software development lifecycle;
  • using a web application firewall;
  • equipping networks with defence devices or software;
  • designing or implementing internal networks with multi-tier or network zones and segregating the internal network as appropriate;
  • validating user inputs and scanning user uploaded files for malware;
  • encrypting data at rest;
  • implementing access control at the application;
  • limiting the number of failed logins;
  • requiring multi-factor authentication;
  • protecting passwords during transmission and storage;
  • defining user roles or groups and assigning rights as appropriate;
  • logging access to sensitive data;
  • conducting vulnerability assessments and penetration testing;
  • identifying appropriate storage media for relevant data, relevant methods for secure deletion, erasure, or destruction, and processes to track the media, data, and status of the media;
  • implementing additional controls for shared computers to prevent access to personal data;
  • minimising the use of portable devices and removable storage media and, where their use is required, securing them both physically and by electronic means, including encryption and remote locking and wiping features; and
  • implementing controls to review recipient lists prior to sending out emails, and implementing encryption or password protection for attachments containing personal data.

MAS

The TRM Guidelines require financial institutions to implement security measures, including access control, implementation of cryptography, and data and infrastructure security.

Access control

The TRM Guidelines specify that principles of 'never alone,' 'segregation of duties,' and 'least privilege' should be applied when granting staff access to information assets so that no one person has access to perform sensitive system functions. There should be processes in place to manage user access and to provision, change, or revoke access rights. Financial institutions should also ensure that user access and management are logged and monitored, a password policy and processes are implemented to enforce strong password controls, and multi-factor authentication is implemented at least for access to sensitive systems.

Access to privileged accounts should only be granted on a need-to-use basis, and activities of these accounts should be logged and monitored.

Cryptography

Cryptographic algorithms should only be adopted from well-established international standards. The algorithm and encryption key length should also be appropriate to meet the needs of the financial institution's security objectives and requirements.

Cryptographic keys should be securely generated, protected from unauthorised disclosure, and managed, processed, and stored in hardened and tamper-resistant systems. The lifespan of each cryptographic key should be determined based on factors, such as the sensitivity of the data, the criticality of the system, and the risks that the data or system may be exposed to.

Compromised cryptographic keys should be promptly revoked and replaced. Financial institutions should have in place secure methods to destroy revoked or expired keys and generate replacement keys that cannot be derived from the revoked or expired keys.

Data and infrastructure security

Financial institutions are required to implement appropriate measures to prevent and detect data theft, as well as unauthorised modification in systems and endpoint devices. Systems managed by service providers should also be afforded the same level of protection and subject to the same security standards.

Security measures should be implemented to prevent and detect the use of unauthorised internet services which allow users to communicate or store confidential data.

The use of sensitive data in non-production environments should be restricted and strictly controlled, and the financial institution must ensure appropriate controls are implemented in non-production environments to manage the access and removal of such data.

Network security devices and intrusion prevention systems should be deployed to detect and block malicious traffic including DoS protection and mitigation measures. Measures should be implemented to prevent lateral movement and insider threats. Controls should be implemented to isolate internal networks and systems from internet web browsing activities.

Endpoint protection, including behavioural-based and signature-based solutions, should be implemented. A comprehensive risk assessment should be conducted prior to implementing any bring-your-own-device policies, and a comprehensive security standard for hardware and software should be established and consistently and uniformly applied across the financial institution.

Strong security standards should be established for all components of a virtualisation solution, including the management of virtual images and snapshots. Financial institutions should implement strong access controls to restrict administrative access to the hypervisor and host operating system in the virtual environment.

IoT devices should be comprehensively assessed and inventoried, and networks that host such devices should be secured and should be isolated where possible.

6. NOTIFICATION OF CYBERSECURITY INCIDENTS

CSA

Under Section 14 of the Cybersecurity Act, owners of a CII have a duty to report to the CSA upon being aware of the occurrence of:

  • a prescribed cybersecurity incident in respect of the CII;
  • a prescribed cybersecurity incident in respect of any computer or computer system under the owner's control that is interconnected with or that communicates with the CII; or
  • any other cybersecurity incident in respect of the CII that the CSA has specified.

When such a cybersecurity incident occurs, the report must be made within two hours after becoming aware of the occurrence, specifying:

  • the CII affected;
  • the name and contact number of the owner of the CII;
  • the nature of the cybersecurity incident;
  • the resulting effect observed, including how the CII or any interconnected computer or computer system has been affected; and
  • the personal details of the individual submitting the notification (Regulation 5(1)(a) of the Cybersecurity Regulations).

These details must be submitted by calling a number specified by the CSA or, if this is not possible, by text message or via email to the address set out on the CSA website (Regulation 5(2) of the Cybersecurity Regulations). Within 14 days of such submission being made, the owner of the CII must provide full details of:

  • the cause of the cybersecurity incident;
  • its impact on the CII or any interconnected computer or computer system; and
  • what remedial measures have been taken (Regulation 5(1)(b) of the Cybersecurity Regulations).

PDPA

With respect to data breaches relating to personal information, organisations are required to notify the PDPC as soon as practicable and, in any case, no later than three calendar days after the day the organisation assesses that it has suffered a notifiable breach. If the data breach results in, or is likely to result in, significant harm to the affected individuals, an organisation must also notify each affected individual in any manner that is reasonable in the circumstances.

Data intermediaries must notify the relevant organisation without undue delay from the time the data intermediary has credible grounds to believe that a data breach has occurred in relation to personal data that it is processing on behalf of and for the purposes of the organisation. The organisation must then conduct an assessment to determine if it has suffered a notifiable breach.

A notifiable breach is one that:

  • results in, or is likely to result in, significant harm to the affected individuals; or
  • is of a significant scale (i.e. affecting 500 or more individuals).

As a single cybersecurity incident may trigger separate reporting requirements to different regulators, the various regulators have indicated that there are ongoing efforts to streamline and coordinate reporting lines and responses.

Public sector cybersecurity incidents and response

There were two significant public sector data breaches that were reported in 2018 and 2019. Between 27 June 2018 and 4 July 2018, attackers exfiltrated the data of almost 1.5 million patients who visited SingHealth Group specialist outpatient clinics and polyclinics. On 28 January 2019, the Ministry of Health ('MOH') disclosed that information matching its HIV Registry records up to January 2013 had been disclosed by an unauthorised person.

The Public Sector Data Security Review Committee ('the Public Sector Committee') was subsequently convened in March 2019 to conduct a comprehensive review of data security policies and practices across the public sector. The Public Sector Data Security Review Committee's Report was published in November 2019, proposing 13 technical safeguards and 10 process safeguards to be adopted by the public sector to minimise the risk of data compromises. These safeguards were accepted by the Government and are being rolled out in phases.

7. REGISTRATION WITH AUTHORITY

Cybersecurity service providers that provide managed security operations centre monitoring services and penetration testing services (as defined above) must be licensed and thus registered with the CSA.

8. APPOINTMENT OF A SECURITY OFFICER

CSA

There is currently no express requirement for the appointment of a security officer under the Cybersecurity Act.

However, the Cybersecurity Code for CIIs stipulates that CII operators must ensure that the roles relevant to ensuring the CII's cybersecurity are set out in writing, and the responsibility for each of these roles be assigned to a relevant officer. The document must set out, amongst others, the organisational structure for the management of the CII's cybersecurity, and a person who is ultimately responsible for ensuring the CII is compliant with the Cybersecurity Act and other subsidiary legislation and codes.

PDPA

Under the PDPA, all organisations, including sole proprietorships, must appoint at least one person to be a DPO, who is responsible for overseeing the data protection responsibilities within an organisation and ensuring the organisation complies with the PDPA (Section 11(3) of the PDPA). Specifically, the DPO's responsibilities may include:

  • assisting to implement policies on the handling of personal data and communicating such policies to stakeholders;
  • fostering a data protection culture among employees;
  • managing personal data protection related queries and complaints; and
  • identifying risks that might arise relating to personal data and informing management of such risks.

Organisations must make available to the public the business contact information of the appointed DPO. Organisations registered with the Accounting and Corporate Regulatory Authority ('ACRA') can do so by registering and updating their DPO's information via ACRA's BizFile+ electronic filing and information retrieval system.

MAS

The TRM Guidelines include guidance that financial institutions should ensure that a Chief Information Officer (or its equivalent) and a Chief Information Security Officer (or its equivalent), with the requisite experience and expertise, are appointed to be accountable for managing technology and cyber risks. Furthermore, the board and senior management of the financial institution should include members with knowledge of technology and cyber risk.

9. SECTOR-SPECIFIC REQUIREMENTS

Financial services

In the financial sector, the MAS is empowered under several pieces of legislation to issue codes, guidelines, notices, and regulations affecting financial institutions and other entities in the financial sector to comply with broad cybersecurity practices in Singapore. These include the following:

Financial institutions must comply with the legally binding TRM Notices. Pursuant to these TRM Notices, financial institutions must establish a framework and process to identify critical systems, which are defined as systems whose failure would cause significant disruption to the operations of the financial institution or materially impact the financial institution's service to its customers (e.g. automated teller machines and online banking systems). Financial institutions must make all reasonable efforts to maintain high availability for critical systems and must ensure that where critical systems are disrupted, they are restored within four hours. Furthermore, financial institutions must implement IT controls to protect customer information from unauthorised access or disclosure.

According to the TRM Notices, financial institutions must inform the MAS as soon as possible, within one hour, upon the discovery of a system malfunction or an IT security incident that has a severe and widespread impact on its operations or services. Where such cybersecurity incident occurs, the financial institution or bank must submit a root cause and impact analysis report to MAS within 14 days.

The MAS has issued TRM Guidelines that provide a set of best practices to financial institutions and provide a guide on how technology should be managed. The TRM Guidelines provide guidance for a financial institution's board of directors, guidance on establishing a risk management framework, and managing IT outsourcing risks.

The E-Payments User Protection Guidelines, issued on 28 September 2018, set out guidance on transaction notices expected to be sent by financial institutions to account holders in order to help prevent unauthorised transactions.

In 2020, the MAS announced the conclusion of its practical experimentation with industry partners and banks in a number of jurisdictions on a blockchain-based payments network that provides connectivity interfaces for other blockchain networks to connect and integrate with. Technical specifications for the prototype network have been made publicly available.

The MAS has regulatory oversight of new types of payment services, such as digital payment token services under the Payment Services Act that came into effect in January 2020, consolidating two now-repealed acts, the Payment Systems (Oversight) Act (Cap. 222A) and the Money-Changing and Remittance Businesses Act (Cap. 187).

The MAS has issued the Notices on Cyber Hygiene, which came into effect in August 2020 and affect various financial institutions and entities in the financial sector. The entities include businesses that provide any service of dealing in digital payment tokens or any service of facilitating the exchange of digital payment tokens. The Notices on Cyber Hygiene require the relevant entity to implement specified cyber hygiene practices, which include:

  • ensuring administrative accounts are secured;
  • ensuring that security patches are applied in a timeframe that is commensurate with the risks posed by the vulnerability, or if security patches are not available that controls are implemented to mitigate risks posed by such vulnerabilities;
  • ensuring that there are written sets of security standards for every system, that every system conforms with the standards or that controls are implemented to mitigate any risks if the system is unable to conform to the standard;
  • implementing controls at the network perimeter to restrict unauthorised network traffic;
  • implementing one or more malware protection measures; and
  • implementing multi-factor authentication for all administrative accounts in respect of any operating system, database, application, security appliance, or network device that is a critical system, and for all accounts on any system used by the relevant entity to access customer information through the internet.

Health

Following the release of the report of the Committee of Inquiry ('COI') into the cyber attack on the Singapore Health Services Pte Ltd ('SingHealth') database, the MOH issued a Cybersecurity Advisory 1/2019 strongly advising licensees to review the recommendations and cybersecurity best practices in the report and implement measures where appropriate. The best practices include:

  • viewing cybersecurity as a risk management issue and not just a technical issue;
  • developing and instituting a clearly stated IT policy;
  • reviewing the cyber stack to assess its adequacy in defending against and responding to advanced threats;
  • ensuring all employees and staff are regularly informed of the risks and threats of cyber attacks and are trained to abide by good cyber hygiene practices;
  • ensuring outsourced IT vendors are familiar with cyber hygiene measures;
  • putting in place safeguards to protect electronic medical records;
  • reviewing internet access strategies to minimise exposure to external threats;
  • implementing greater security measures and monitoring for 'privileged accounts';
  • periodically performing system and data backups; and
  • developing and maintaining proper response plans to cyber incidents and conducting cybersecurity exercises.

The MOH has also been working with licensees to develop more specific cybersecurity requirements and improve the standard of cybersecurity in the industry.

Telecommunications

In the telecommunications sector, the IMDA is empowered under the Telecommunications Act 1999 to issue codes of practice and standards of performance in relation to telecommunications service providers.

In relation to cybersecurity, the IMDA has issued the telecommunications cybersecurity codes of practice imposed on major ISPs for mandatory compliance to prevent, protect, detect, and respond to cybersecurity threats.

Employment

Guidelines and recommendations have been issued by the various regulators and include provisions to ensure that employees and staff are regularly informed of cybersecurity risks and threats and are trained to abide by good cyber hygiene practices. Moreover, the guidelines and recommendations promote regular briefings, training, and audits, threat assessments of an organisation's systems, cybersecurity exercises and simulations, and the implementation and enforcement of controls such as password strength and complexity, multi-factor authentication, remote access, and endpoint device security.

The National Security Coordination Secretariat, together with the CSA and the Singapore Business Federation, released an Employee Cybersecurity Toolkit to help organisations educate and inform employees about cybersecurity risks and threats.

Education

Schools organised and conducted directly by the Government are required to comply with public sector data and cybersecurity requirements. A series of technical and process safeguards are being rolled out in phases across the public sector. These safeguards were proposed by the Public Sector Committee that was convened to conduct a comprehensive review of data security policies and practices across the public sector after serious public sector data breaches in 2018. The technical safeguards being implemented include:

  • volume-limited and time-limited data access;
  • automatic identity and access management tools;
  • digital watermarking of files;
  • enhancing logging and active monitoring of data access;
  • email data protection tools;
  • data loss protection tools;
  • hashing with salt;
  • field-level encryption;
  • tokenisation;
  • obfuscation, masking, and removal of entity attributes;
  • dataset partitioning;
  • password protecting and encrypting files; and
  • data file integrity verification.

Non-Government schools, which include private education institutes and autonomous universities, are not directly required to implement these safeguards but these measures taken by the public sector will factor into their considerations when reviewing their cybersecurity practices.

Insurance

Insurance companies are subject to the supervision of the MAS and are thus subject to obligations similar to those described under Financial services above.

They are also generally subject to the PDPA, and potentially further obligations that may be imposed on them due to their interactions with the health sector.

Energy

The EMA regulates Singapore's electricity and gas industries as well as district cooling services. The EMA is empowered under the Electricity Act 2001 ('the Electricity Act'), the Gas Act 2001 ('the Gas Act'), and the District Cooling Act 2001 ('the District Cooling Act'), and has issued codes setting out standards of performance and conditions expected of licensees and market participants. The EMA is also empowered to issue directions for or with respect to the codes of practice and other standards of performance and procedures to be observed by licensees and market participants.

Cybersecurity requirements are not set out in detail in most of the codes but form part of the general security obligations expected of licensees and market participants in ensuring that their solutions are generally secure and that the electricity, gas, and district cooling systems and infrastructure remain secure.

10. PENALTIES

CSA

Under the Cybersecurity Act, specified cybersecurity providers must be licensed. Specified cybersecurity providers operating without a licence may be guilty of a criminal offence and liable to a fine of up to SGD 50,000 (approx. €33,730) or a term of imprisonment up to two years or both (Section 24 of the Cybersecurity Act).

If a person fails to furnish information relating to its computer or computer system to allow the CSA to determine whether that computer or computer system is a CII or information relating to the design, security, or operations of the CII, that person shall be guilty of a criminal offence and liable to a fine of up to SGD 100,000 (approx. €67,460) or two years imprisonment or both; and in the case of a continuing offence, a further fine of up to SGD 5,000 (approx. €3,370) per day may be imposed (Sections 8 and 10 of the Cybersecurity Act).

PDPA

With respect to personal data, where there is non-compliance by the organisation, the PDPC may issue such directions it deems fit to ensure the organisation's compliance, which may at present include imposing a fine of up to SGD 200,000 (approx. €135,000) or SGD 1 million (approx. €674,970) for individuals depending on the type of the breach (Section 48J of the PDPA). Following legislative amendments which have been passed but have not been put into effect as of February 2022, financial penalties for organisations will be raised to 10% of annual turnover or SGD 1 million (approx. €674,970), whichever is higher.

There are also criminal offences for the mishandling of personal data in the possession or under the control of an organisation. These offences are punishable on conviction with a fine of SGD 5,000 (approx. €3,370) and/or imprisonment for a term not exceeding two years.

Financial services

With respect to the financial sector, the MAS has the power to issue fines, depending on the type of financial institution concerned, where a financial institution contravenes directions in the TRM Notices.

Energy

It is an offence if licensees and market participants fail to comply with their obligations under the respective codes or with directions issued by the EMA, and if found guilty, the licensees or market participants may be liable on conviction to a fine not exceeding SGD 10,000 (approx. €6,750), or to imprisonment for a term not exceeding 12 months or to both and, in the case of a continuing offence, to a further fine not exceeding SGD 250 (approx. €170) for every day or part thereof during which the offence continues after conviction.

11. OTHER AREAS OF INTEREST

IoT cybersecurity developments

The IMDA introduced the IoT Cyber Security Guide ('the IoT Guide') and the CLS in March 2020.

The IoT Guide references international standards such as the Cloud Security Alliance IoT Controls Framework and ETSI TS 103 645 Cybersecurity for Consumer IoT. There are baseline recommendations and foundational concepts focusing on security aspects for the acquisition, development, operations, and maintenance of IoT systems. Users are advised to customise the provided checklists to their specific needs and reassess them on an ongoing basis.

The CLS was launched as a voluntary scheme and is aimed at network-connected consumer smart devices, with an initial focus on WiFi routers and smart home hubs that has since expanded to all categories of consumer IoT devices. The labels indicate the level of cybersecurity reflecting the security features of the smart devices. The devices are assessed on a number of criteria such as:

  • meeting basic security requirements such as ensuring unique default passwords;
  • resistance to basic penetration testing;
  • absence of common software vulnerabilities; and
  • adherence to the principles of Security by Design.

5G cybersecurity

The IMDA, the CSA, and the National Research Foundation had previously awarded grants for research and development of 5G cybersecurity and other solutions in conjunction with the award and rollout of nationwide 5G networks.

Furthering the IMDA's support for research and development in 5G cybersecurity and other areas such as communications networks, the IMDA has set up three testbeds and made available SGD 30 million (approx. €20.2 million) in funding as part of its 5G innovation programme for companies that wish to trial their 5G solutions prior to commercialisation.

Jonathan Kao, Associate
Sandra Seah, Partner
Bird & Bird, Singapore