Introduction

  • A standalone Cybersecurity Bill (“Bill”) will be tabled in Parliament in 2017.
  • The new Bill will ensure that the operators of Singapore’s critical information infrastructure (“CII”) take proactive steps to secure such CIIs and report incidents of cybersecurity breaches.
  • The new Bill will empower the Cyber Security Agency (“CSA”) to manage cyber incidents and raise the standards of cybersecurity providers.
  • All businesses (not just CII) are recommended to adopt a cybersecurity-by-design approach to their operations.
  • CII operators (and potentially other businesses that deal with them) need to establish additional policies and procedures (if they have not already done so) to deal with cyber incidents, and comply with the new reporting obligation.

A standalone Cybersecurity Bill will be tabled in Parliament next year to keep pace with the evolving cyber security landscape in Singapore and beyond. This was revealed by Dr Yaacob Ibrahim, Minister for Communications and Information, at the Committee of Supply Debate on 11 April 2016. In his speech, Dr Yaacob said that the Ministry of Communications and Information (“MCI”) will review the country’s policy and legislative framework for cybersecurity as the Government moves towards building Singapore as a Smart Nation.

The introduction of the Bill is subsumed in the vision outlined in the National Cyber Security Masterplan 2018 (“NCSM 2018”) to make Singapore a “Trusted and Robust Infocomm Hub” by 2018. Taking its cue from two previous infocomm security masterplans, NCSM 2018 aims to reinforce Singapore’s cybersecurity by intensifying efforts in the Government and critical information infrastructure (“CII”), as well as the wider infocomm ecosystem which includes businesses and individuals. It intends to engender a secure and resilient infocomm environment and a vibrant cybersecurity ecosystem.

What is the current legislation

Currently, the primary legislation on cybersecurity is the Computer Misuse and Cybersecurity Act (“CMCA”). The CMCA criminalises certain activities including the unauthorised access, use, interception and modification of computers, data and computer services.

Amendments introduced to the CMCA in 2013 empower the Minister for Home Affairs to act against cybersecurity threats. For instance, the Minister for Home Affairs can, through the issuance of a certificate, authorise, direct or compel a person or entity to take such steps or to comply with certain obligations as are necessary for the detection and prevention of cybersecurity threats to the national security, defence, foreign relations and essential services of Singapore.

The definition of essential services (also known as CII) as set out in the CMCA is limited to the specified sectors of communications infrastructure, banking and finance, public utilities (eg, energy, water), public transportation, land transport infrastructure, aviation, shipping, public key infrastructure and emergency services such as police, civil defence or health services.

Recent trends in the cybersecurity landscape

Through the years, the cybersecurity landscape has seen increased sophistication in cyber attacks, and faster and bolder attackers. As demonstrated by recent incidents, attacks may be launched by well-trained and well-resourced nation states, organised crime, terror groups, hacktivists, or even insiders. Dr Yaacob noted in his speech that “it is inevitable that Singapore’s critical information infrastructure will at some point be targets. The interconnectivity in our networks also means that the effects of cyber attacks can be contagious.” As such, attacks on CII could spread to other connected infrastructure, thereby affecting organisations in sectors not specified as essential services, and vice versa.

This year, there have been alarming cybersecurity incidents in both the private and public sectors which call for more vigilant measures. In January 2016, hackers used the credit card details of an individual, including the one-time password issued to authenticate online transactions using his credit card, to make purchases amounting to $12,327 for flight tickets in Europe. The credit card details were ostensibly stolen through the malware that was residing in his smartphone, while the bank asserted that its security systems were not compromised. It was reported that the individual was engaged in a dispute with the bank as to which party should bear the costs of the aforementioned fraudulent transactions.

What is the intended change and effect

In his speech, Dr Yaacob gave a glimpse of the scope of the new Bill. The Bill is intended to provide the Cyber Security Agency of Singapore, the national agency overseeing the country’s cybersecurity strategy, with wider powers to enable it to prevent and cope with cybersecurity threats to Singapore’s CII.

Dr Yaacob cited examples of other countries that have recently strengthened their cybersecurity legislation. Germany passed a law last year to raise cybersecurity standards for CII operators and mandate reporting of significant security incidents. The United States also enacted a law to facilitate sharing of information on cyber threats. The Singapore government intends to follow suit.

Securing critical information infrastructure; Reporting obligation

The new Bill will ensure that the operators of Singapore’s CII take proactive steps to secure such CIIs and report incidents of cybersecurity breaches. The reporting obligation is not presently mandated under the CMCA unless the Minister for Home Affairs specifically requires a person to do so.

Dr Yaacob did not elaborate on the extent of measures that the CII operators should take to secure Singapore’s CII, and the thresholds beyond which the reporting obligation will be triggered. We anticipate that more details will be provided when the MCI consults the stakeholders in due course.

The Bill could potentially adopt the approach taken by the Monetary Authority of Singapore (“MAS”) vis-à-vis financial institutions. Under the MAS’ Notice on Technology Risk Management, financial institutions regulated by the MAS are required to notify the MAS of, inter alia, any security breaches to their IT systems. Timelines have also been stipulated such that an initial notification must be made within an hour of the discovery of such an incident, with a detailed report to follow within fourteen (14) days of the incident.

CSA to manage cyber incidents; raise the standards of cybersecurity providers

Along with the objective of securing Singapore’s CII, the new Bill will also empower the CSA to manage cyber incidents and raise the standards of cybersecurity providers here. Potentially, the Bill could grant the CSA the authority to take actions or direct other persons or entities to take actions, so as to effectively manage and coordinate multi-sector responses to cyber incidents.

In this regard, it was highlighted that the CSA advocates a multi-faceted approach to cybersecurity, including risk-based mitigation, early detection and robust response. The CSA has already been involved in coordination with other sectors to mitigate widespread cyber attacks, by assessing critical infrastructure for vulnerabilities, and simulating cyber attacks.

It is understood that this aspect of the new Bill will also be the subject of MCI’s consultation with the stakeholders.

What is the potential impact on organisations

The new Bill can potentially impact businesses beyond those in the CII sector. As Dr Yaacob mentioned, cyber attacks can be contagious. Attackers may find that the weak link may not lie with the CII operators, but in other businesses dealing with the CII operators, such as their service providers. As such, the requirements imposed by the new Bill on CII operators could directly or indirectly affect those other businesses dealing with CII operators.

All businesses should bear in mind that, in line with the NCSM 2018, the authorities have broadened their attention to businesses and individuals, beyond just the government and CII sectors. As stated by Dr Yaacob, businesses “need to come round to the fact that cyber threats can hurt bottom lines”.

What should organisations do at this time

All businesses are recommended to adopt a cybersecurity-by-design approach to their operations. This should be based on the multi-faceted approach advocated by the CSA – risk-based mitigation, early detection and robust response.

In particular, CII operators (and businesses dealing with CII operators) should be prepared to take more proactive actions to secure their information infrastructure. They will also need to prepare for compliance with the reporting obligation, which will likely involve establishing additional policies and procedures (if they have not already done so) to deal with cyber incidents. An important element of such policies is training employees to deal effectively with cyber incidents, which would involve regular cyber breach simulations (akin to fire drills), among others.

CII operators may also need to ensure that their service providers (which may provide technology or cloud services) connected through information infrastructure are well-equipped to handle cyber incidents.

In any case, it is necessary for businesses to keep apprised of any developments relating to the new Bill, given its potential to have significant implications, from an operational and compliance standpoint, for businesses in every industry, especially those in the CII sector as cited above.

Businesses should also conduct cybersecurity breach readiness training and simulation, as well as secure the necessary resources for cybersecurity breach management, so as to be well-prepared to manage any breach that may occur.

Concluding Remarks

In light of the severe damage and harm that cyber attacks can cause, the introduction of a standalone Cybersecurity Bill represents the government’s intention to address cybersecurity threats decisively, which could involve a multi-sector response managed by the CSA.

Businesses should also note the possibility that personal data (eg, of clients and employees) could be disclosed as a result of a cybersecurity breach. In such a case, the Personal Data Protection Commission could be involved to investigate if there is a breach of the Personal Data Protection Act.

While further details on the Bill have yet to be released, businesses can start taking action. The mandatory notification requirement is especially important, given that CII operators (and potentially, businesses dealing with CII operators) will need to establish compliance measures, including but not limited to additional policies and procedures to deal with cyber incidents. CII operators may also need to ensure that their service providers are well-equipped to handle cyber incidents.

Businesses need to adopt a proactive, instead of reactive, cybersecurity stance and ensure that personnel are trained and ready to manage any cybersecurity breach that occurs. Businesses should also adopt the attitude that cybersecurity breaches are most probably inevitable, and take proactive steps to mitigate such risk. The necessary training, protocols and policies for cybersecurity breach readiness should be put in place, and we will be happy to assist on this front.