Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

Yes, the Singapore authorities have introduced various non-legislative initiatives aimed at enhancing cybersecurity standards. For instance, the authorities have introduced standards and guidelines to promote security amongst cloud service providers.

The Cybersecurity Agency of Singapore (CSA) has also published supplementary references to help owners of critical information infrastructure (CII) proactively secure and build resilience into their systems, such as its Security-by-Design Framework, which was developed to guide CII owners through the process of incorporating security into their systems development lifecycle process.

The Singapore Computer Emergency Response Team (SingCERT), which is part of the CSA, facilitates the detection, resolution and prevention of cybersecurity-related incidents on the internet. It publishes alerts, advisories and recommendations from time to time, detailing procedures or mitigating measures for organisations to respond to new cyber threats.

On 31 May 2019, the Personal Data Protection Commission (PDPC) issued its Guide to Data Protection by Design for ICT Systems (Design for ICT Systems Guide), which aims to assist organisations in applying Data Protection by Design principles in designing and building information and communications technology (ICT) systems, by recommending best practices to adopt at each stage of the software development life cycle.

A non-exhaustive list of measures recommended in the Design for ICT Systems Guide includes the following:

  • prior to development, a data protection impact assessment should be conducted;
  • ICT systems should generally avoid collecting personal data that is not used or necessary;
  • when developing bespoke solutions through ICT vendors, organisations should spell out to them their data protection and security requirements, document these and ensure their fulfilment;
  • prior to utilising ready-made solutions (whether purchased or open source), organisations should understand what they do to the personal data entrusted to them, and should satisfy themselves that such data is adequately protected (including whether there is adequate developer support);
  • updates and security patches should be applied to ICT system components as soon as possible;
  • HTTPS instead of HTTP should be utilised;
  • a Web Application Firewall should be deployed; and
  • code reviews, vulnerability assessments, penetration testing and user acceptance testing should be conducted.

How does the government incentivise organisations to improve their cybersecurity?

The government has publicly stated that it does not intend to provide funding to offset the costs of CII obligations which are regulatory requirements under the Cybersecurity Act. However, the government has established several schemes to enhance the cybersecurity capabilities of organisations, particularly small and medium enterprises (SMEs).

For instance, the Infocomm Media Development Authority (IMDA) has established an SME Digital Tech Hub, a dedicated hub that provides specialist digital technology advice to SMEs on areas including, but not limited to, data analytics and cybersecurity. It also works with SME Centres and Trade Association & Chambers to provide assistance in connecting SMEs with digital technology vendors and consultants, as well as conducting workshops and seminars to improve the digital capabilities of SMEs.

The CSA and the IMDA have also established partnerships with private organisations through the Critical Infocomm Technology Resource Programme Plus, Cybersecurity Professional Scheme, Cyber Security Associates and Technologists programme and the Tech Skills Accelerator initiative. These partnerships help to train and up-skill professionals from ICT or engineering disciplines, enabling them to take on cybersecurity job roles through company-led, on-the-job training.

In the area of certifications and accreditations, the government has also announced that it will allow small service providers to apply for government funding to cover a proportion of the costs to become member companies of CREST. The CREST Singapore chapter has been established in collaboration and partnership with the CSA, the Association of Information Security Professionals, the Monetary Authority of Singapore (MAS), the Association of Banks in Singapore and the IMDA, and offers various certifications for cybersecurity services in Singapore.

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

The following publicly available industry standards and codes of practice may be accessed at the links provided:

Are there generally recommended best practices and procedures for responding to breaches?

In the case of certain breaches involving personal data, there may be a need to notify the authorities.

The recent amendments to the Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA), which came into effect on 1 February 2021, have introduced a mandatory data breach notification obligation (Part VIA of the PDPA). In the event of a data incident, an organisation has a duty to conduct, in a reasonable and expeditious manner, an assessment of the incident to determine if it is a 'notifiable data breach'. If the data incident is a 'notifiable data breach', the organisation has an obligation to notify the PDPC of such a data breach as soon as practicable, but in any case no later than three calendar days from when the organisation makes the assessment.

A data breach is classified as a 'notifiable data breach' if the data breach (i) results in, or is likely to result in, significant harm to the individual; or (ii) is, or is likely to be, of a significant scale.

In addition, organisations are also required to notify the affected individuals of the 'notifiable data breach' in a reasonable manner, unless an exception applies. The two exceptions are (i) if, on or after assessing that the data breach is a 'notifiable data breach', the organisation takes any action that renders it unlikely that the data breach will result in significant harm to the affected individual; or (ii) if the organisation had implemented, prior to the occurrence of the data breach, any technological measure that renders it unlikely that the data breach will result in significant harm to the affected individual.

Apart from the mandatory data breach notification obligation, PDPC’s Guide to Managing Data Breaches 2.0 contains a number of recommendations that organisations may consider in responding to a data breach, including that an organisation should act as soon as it is aware of a data breach and consider the following measures, where applicable:

  • shutting down the compromised system that led to the data breach;
  • establishing whether steps can be taken to recover lost data and limit any damage caused by the data breach;
  • isolating causes of the data breach in the system, and where applicable, changing the access rights to the compromised system and removing external connections to the system;
  • preventing further unauthorised access to the system, and resetting passwords if accounts and passwords have been compromised;
  • notifying the police if criminal activity is suspected and preserving evidence for investigation;
  • putting a stop to practices that led to the data breach; and
  • addressing lapses in processes that led to the data breach.

Information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

Section 45 of the Cybersecurity Act protects the identities of informers of certain offences relating to CII. Generally, no witness in any proceedings for an offence under Part 3 of the Cybersecurity Act is obliged or permitted to:

  • disclose the name, address or other particulars of an informer who has given information with respect to that offence, or the substance of the information received; or
  • answer any question if the answer would lead, or tend to lead, to the discovery of the name, address or other particulars of the informer.

In addition, the court must also order any entries containing the informer’s name or descriptions, which may lead to the discovery of the informer’s identity, to be concealed from documents in evidence, or those available for inspection in such proceedings, as mentioned in section 45(1) of the Cybersecurity Act.

Beyond the Cybersecurity Act, the Ministry of Communications and Information and CSA have stated that they intend to explore implementing administrative arrangements and partnerships to facilitate and encourage information sharing.

In the telecommunications sector, IMDA has also published a Cyber Security Vulnerability Reporting Guide in order to facilitate and encourage the reporting of cybersecurity vulnerabilities that the cybersecurity researcher community has detected in the public-facing applications and networks of telecommunication service providers, such as internet access, mobile and fixed-line voice/data service providers, broadcast, print (newspaper) and postal service providers.

In the financial sector, MAS has partnered with the Financial Services Information Sharing and Analysis Centre to set up a regional centre in Singapore to share information on cybersecurity threats among financial institutions.

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

In practice, it is not uncommon for the government to consult industry players and relevant private sector parties in developing legislative and regulatory standards. For instance, prior to the introduction of the Cybersecurity Act, the government had conducted several rounds of consultations with potential CII owners, industry associations and cybersecurity professionals. The government has also announced its intent to continue working with the industry and professional association partners to establish accreditation regimes for cybersecurity professionals.

The Singapore government has actively promoted cybersecurity through research-and-development (R&D) collaborations between government, academia and industry. In 2013, the Singapore government launched the National Cybersecurity R&D Programme to promote such research collaboration, with a total of S$190 million in funding having been made available to support the programme until 2020. The government has also kick-started other initiatives such as the Cybersecurity Consortium with S$1.5 million in funding over three years from 2016, and the National Cybersecurity R&D Laboratory.

Grant schemes such as the Co-Innovation and Development Proof-of-Concept Funding Scheme are also available to Singapore-registered companies or overseas firms that partner with Singapore-registered companies. The scheme aims to support the co-development of innovative cybersecurity solutions that help to meet national cybersecurity needs, with potential for commercial application.

The Computer Emergency Response Teams (CERTs) overseeing specific sectors also issue advisories to the operators in their respective sectors. For example, the Info-communications Singapore CERT, or ISGCERT, issues alerts to operators in the telecommunications and media sector to enhance their cyber readiness, and advisories on cybersecurity vulnerabilities pertaining to this sector.

SingCERT also works with the sectoral CERTs, where necessary, to inform local companies and affected customers on cybersecurity threats and incidents.

Insurance

Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

Yes, various insurance solutions covering cyber risks are offered by several insurers in the Singapore market. Such insurance solutions remain relatively new to the Singapore market, with AXA being reported to be the first insurer to commence such an offering in 2014.

Law Stated Date

Give the date on which the information above is accurate.

The information above is accurate as at 8 February 2020.