Threat detection and reportingPolicies and procedures
What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?
Sections 11 and 12 of the Cybersecurity Act 2018 impose duties on owners of CII to comply with the codes of practice or standards of performance, or directions either of a general or specific nature issued by the Commissioner, which may contain provisions with respect to the measures to be taken by them to ensure the cybersecurity of the CII. On 1 September 2018, the Commissioner of Cybersecurity issued the Cybersecurity Code of Practice for CII. Detailed requirements are not published in the public domain.
In relation to the Protection Obligation under the PDPA, the PDPC does not prescribe any ‘one-size-fits-all’ solution to compliance, as it recognises that each organisation will need to address its own unique circumstances. Instead, the PDPC has issued various guidelines to provide guidance to organisations. For instance, PDPC’s Advisory Guidelines on Key Concepts in the PDPA sets out security arrangements (including administrative, physical and technical measures) that organisations may use to protect personal data. The PDPC has also published the Securing Personal Data Guide to provide greater clarity on the obligation to provide reasonable security arrangements in respect of personal data held or controlled by organisations.
In particular, the Securing Personal Data Guide sets out a series of good practices that organisations should undertake, including but not limited to:
- providing clear direction on ICT security goals and policies for personal data protection within the organisation;
- establishing, enforcing, and periodically reviewing ICT security policies, standards and procedures;
- instituting a risk management framework to identify security threats, assessing the risks involved and determining the controls to remove or reduce them; and
- designing and implementing an internal network with multi-tier or network zones, segregating the internal network according to function, physical location, access type, etc.
The Securing Personal Data Guide also sets out a series of enhanced practices that organisations may consider, including but not limited to:
- disabling unused network ports;
- monitoring LAN/WiFi regularly and removing unauthorised clients and WiFi access points;
- using network proxies to restrict employee access to known malicious websites;
- using two-factor authentication and strong encryption for remote access;
- disallowing remote network administration; and
- logging database activities, such as any changes to the database and data access activities to track unauthorised activities or anomalies.
Describe any rules requiring organisations to keep records of cyberthreats or attacks.
There are currently no provisions in the Cybersecurity Act or the PDPA expressly requiring organisations to keep records of cyber threats or attacks. It may, however, be prudent for organisations to consider the need to keep records in order to ensure compliance with other regulatory requirements, for example, in the case of CII owners, to fulfil audit requirements.
Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.
Section 14 of the Cybersecurity Act provides that the owner of a CII must notify the Commissioner within the prescribed period in the prescribed form and manner upon becoming aware of the occurrence of any of the following events:
- a prescribed cybersecurity incident in respect of a CII;
- a prescribed cybersecurity incident in respect of any computer or computer system under the owner’s control that is interconnected with or that communicates with a CII; and
- any other type of cybersecurity incident in respect of the CII that the Commissioner has specified by written direction to the owner.
For this purpose, the prescribed cybersecurity incidents are set out in the CII Regulations and include:
- the unauthorised hacking of a CII;
- the installation or execution of unauthorised software or code on a CII;
- man-in-the-middle attacks, session hijacks or other unauthorised interception of communication between a CII and an authorised user; and
- denial-of-service attacks.
Please see question 29 for further details.
There is currently no mandatory data breach reporting obligation under the PDPA. Instead, the Data Breach Guide issued by the PDPC recommends that organisations notify the PDPC of data breaches that might cause public concern, or where there is a risk of harm to a group of affected individuals. The notification should include the following information:
- extent of the data breach;
- type and volume of the personal data breached;
- cause or suspected cause of the breach;
- whether the breach has been rectified;
- measures and processes that the organisation had put in place at the time of the breach;
- information on whether affected individuals were notified or when the organisation intends to do so; and
- contact details of persons with whom the PDPC may liaise for further information or clarification.
The PDPC’s Data Breach Guide also recommends that where criminal activity (eg, hacking, theft or unauthorised system access by an employee) is suspected, organisations should notify the police.
On 1 February 2018, the PDPC published its response to feedback following a public consultation exercise on proposed amendments to the PDPA. The PDPC has stated that it intends to introduce a mandatory data breach notification regime, under which organisations will be required to notify the PDPC and affected individuals of data breaches that are ‘likely to result in significant harm or impact to the individuals to whom the information relates’.
The PDPC has proposed to allow organisations an assessment period of up to 30 days to assess their eligibility for notification, from the day that they first become aware of a suspected breach. Once they determine that the breach is eligible for reporting, organisations will then need to notify the PDPC ‘as soon as practicable, no later than 72 hours’, and affected individuals ‘as soon as practicable’.
Presently, the proposed amendments to the PDPA have not been formally introduced in Parliament.
Within the financial sector, the Notice on Technology Risk Management issued by MAS requires financial institutions to notify MAS as soon as possible, but not later than one hour, upon the discovery of a relevant IT incident. The Notice also requires the financial institution to submit a root-cause and impact analysis report in respect of the IT incident to MAS within 14 days or such longer period as MAS may allow, from the discovery of the relevant IT incident.Timeframes
What is the timeline for reporting to the authorities?
Section 14 of the Cybersecurity Act sets out that the owner of a CII must notify the Commissioner within the prescribed period upon becoming aware of the occurrence of the cybersecurity breaches described in question 28.
The prescribed period is set out in Regulation 5 of the CII Regulations, which sets out that a CII owner must notify the Commissioner of the occurrence of a prescribed cybersecurity incident in the required form within two hours after becoming aware of the occurrence, and provide, within 14 days of the initial submission, the following supplementary details:
- the cause of the cybersecurity incident;
- its impact on the CII, or any interconnected computer or computer system; and
- what remedial measures have been taken.
See question 28 for more details on the reporting timeline as prescribed by the Notice on Technology Risk Management issued by MAS and the timeline for mandatory data breach notification as proposed by the PDPC.Reporting
Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.
There are no provisions within the Cybersecurity Act that expressly require organisations to report threats or breaches to others in the industry, to customers or to the general public.
In addition, while there are currently no mandatory requirements under the PDPA to report threats or data breaches to others in the industry, to customers or to the general public, the PDPC’s Data Breach Guide recommends that organisations immediately notify the PDPC, affected individuals whose personal data was compromised, and other third parties such as banks, credit card companies and the police, where relevant, if the data breach involves sensitive personal data.
In addition, the PDPC has proposed to introduce a mandatory data breach notification regime, which would require organisations to notify individuals of data breaches that are ‘likely to result in significant harm or impact to the individuals to whom the information relates’. See question 28.