Best practice
Increased protection
Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?
Yes, the Singapore authorities have introduced various non-legislative initiatives aimed at enhancing cybersecurity standards. For instance, the authorities have introduced standards and guidelines to promote security amongst CSPs (see ‘Scope and jurisdiction’).
The CSA has also published supplementary references to help owners of CII proactively secure and build resilience into their systems, such as its Security-by-Design Framework, which was developed to guide CII owners through the process of incorporating security into their systems development lifecycle process.
The Singapore Computer Emergency Response Team (SingCERT), which is part of the CSA, facilitates the detection, resolution and prevention of cybersecurity-related incidents on the internet. It publishes alerts, advisories and recommendations from time to time, detailing procedures or mitigating measures for organisations to respond to new cyber threats.
On 31 May 2019, the PDPC issued its Design for ICT Systems Guide, which aims to assist organisations in applying data protection by design principles in designing and building information and communications technology (ICT) systems by recommending best practices to adopt at each stage of the software development life cycle.
A non-exhaustive list of measures recommended in the Design for ICT Systems Guide includes the following:
- prior to development, a data protection impact assessment should be conducted;
- the collection by ICT systems of personal data that is neither used nor necessary should generally be avoided;
- when developing bespoke solutions through ICT vendors, organisations should explain in detail their data protection and security requirements, document these and ensure their fulfilment;
- prior to utilising ready-made solutions (whether purchased or open source), organisations should understand what the solution does with the personal data entrusted to it, and should satisfy themselves that such data is adequately protected (including whether there is adequate developer support);
- updates and security patches should be applied to ICT system components as soon as possible;
- HTTPS instead of HTTP should be utilised;
- a web application firewall should be deployed; and
- code reviews, vulnerability assessments, penetration testing and user acceptance testing should be conducted.
How does the government incentivise organisations to improve their cybersecurity?
The government has publicly stated that it does not intend to provide funding to offset the costs of CII obligations, which are regulatory requirements under the Cybersecurity Act. However, the government has established several schemes to enhance the cybersecurity capabilities of organisations, particularly small and medium enterprises (SMEs).
For instance, IMDA has established an SME Digital Tech Hub, a dedicated hub that provides specialist digital technology advice to SMEs on areas including, but not limited to, data analytics and cybersecurity. It also works with SME Centres and Trade Associations and Chambers to connect SMEs with digital technology vendors and consultants, and conducts workshops and seminars to improve the digital capabilities of SMEs.
The CSA and the IMDA have also established partnerships with private organisations through the Critical Infocomm Technology Resource Programme Plus, the Cybersecurity Professional Scheme, the Cyber Security Associates and Technologists programme and the Tech Skills Accelerator initiative. These partnerships help to train and up-skill professionals from ICT or engineering disciplines, enabling them to take on cybersecurity job roles through company-led, on-the-job training.
In the area of certifications and accreditations, the government has also announced that it will allow small service providers to apply for government funding to cover a proportion of the costs to become member companies of CREST. The CREST Singapore chapter has been established in collaboration and partnership with the CSA, the Association of Information Security Professionals, MAS, the Association of Banks in Singapore and the IMDA, and offers various certifications for cybersecurity services in Singapore.
Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?
Refer to ‘Legislation’ for a non-exhaustive list of existing industry standards and codes of practice related to cybersecurity. The following publicly available industry standards and codes of practice may be accessed as follows:
- the TRM Notices and Guidelines may be accessed on the MAS’s website at www.mas.gov.sg;
- the Cyber Hygiene Notices may be accessed on the MAS’s website at www.mas.gov.sg/regulation/regulations-and-guidance?content_type=Notices&topics=Risk%20Management%2FTechnology%20Risk&page=1&q=cyber%20hygiene;
- the PDPC’s guides (which apply across the private sector), including the Data Breach Guide, the Securing Personal Data Guide, and the Guide on Building Websites for SMEs, may be accessed on the PDPC website at www.pdpc.gov.sg; and
- the Association of Banks in Singapore’s (ABS) industry guidelines on cybersecurity can be accessed on the ABS website at www.abs.org.sg.
Are there generally recommended best practices and procedures for responding to breaches?
In the event of certain breaches, there may be a need to notify the authorities (see below in this section, and ‘Policies and procedures’ and ‘Reporting’). For data breaches involving personal data, the PDPC’s Data Breach Guide contains a number of recommendations that organisations may consider in responding to a data breach, including that an organisation should act as soon as it is aware of a data breach and consider the following measures, where applicable:
- shutting down the compromised system that led to the data breach;
- establishing whether steps can be taken to recover lost data and limit any damage caused by the data breach;
- isolating causes of the data breach in the system and, where applicable, changing the access rights to the compromised system and removing external connections to the system;
- preventing further unauthorised access to the system and resetting passwords if accounts and passwords have been compromised;
- notifying the police if criminal activity is suspected and preserving evidence for investigation;
- putting a stop to practices that led to the data breach; and
- addressing lapses in processes that led to the data breach.
The Data Breach Guide also sets out recommendations on notifying affected individuals and other third parties, such as banks, credit card companies or the police.
Information sharing
Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?
Section 45 of the Cybersecurity Act protects the identities of informers of certain offences relating to CII. Generally, no witness in any proceedings for an offence under Part 3 of the Cybersecurity Act is obliged or permitted to:
- disclose the name, address or other particulars of an informer who has given information with respect to that offence, or the substance of the information received; or
- answer any question if the answer would lead or tend to lead to the discovery of the name, address or other particulars of the informer.
In addition, the court must also order any entries containing the informer’s name or descriptions, which may lead to the discovery of the informer’s identity, to be concealed from documents in evidence, or those available for inspection in such proceedings as mentioned in section 45(1) of the Cybersecurity Act.
Beyond the Cybersecurity Act, the Ministry of Communications and Information and the CSA have stated that they intend to explore implementing administrative arrangements and partnerships to facilitate and encourage information sharing.
In the telecommunications sector, IMDA has also published a Cyber Security Vulnerability Reporting Guide to facilitate and encourage the reporting of cybersecurity vulnerabilities that the cybersecurity researcher community has detected in the public-facing applications and networks of telecommunication service providers, such as internet access, mobile and fixed-line voice and data service providers, broadcast, print (newspaper) and postal service providers.
In the financial sector, MAS has partnered with the Financial Services Information Sharing and Analysis Centre to set up a regional centre in Singapore to share information on cybersecurity threats among financial institutions.
How do the government and private sector cooperate to develop cybersecurity standards and procedures?
In practice, it is not uncommon for the government to consult industry players and relevant private sector parties in developing legislative and regulatory standards. For instance, prior to the introduction of the Cybersecurity Act, the government had conducted several rounds of consultations with potential CII owners, industry associations and cybersecurity professionals. The government has also announced its intent to continue working with the industry and professional association partners to establish accreditation regimes for cybersecurity professionals.
The Singapore government has actively promoted cybersecurity through research-and-development (R&D) collaborations between the government, academia and industry. In 2013, the Singapore government launched the National Cybersecurity R&D Programme to promote such research collaboration, with a total of S$190 million in funding having been made available to support the programme until 2020. The government has also kick-started other initiatives, such as the Cybersecurity Consortium with S$1.5 million in funding over three years from 2016 and the National Cybersecurity R&D Laboratory.
Grant schemes, such as the Co-Innovation and Development Proof-of-Concept Funding Scheme, are also available to Singapore-registered companies or overseas firms that partner with Singapore-registered companies. The scheme aims to support the co-development of innovative cybersecurity solutions that help to meet national cybersecurity needs, with potential for commercial application.
The Computer Emergency Response Teams (CERTs) overseeing specific sectors also issue advisories to the operators in their respective sectors. For example, the Info-communications Singapore CERT, or ISGCERT, issues alerts to operators in the telecommunications and media sector to enhance their cyber readiness, and advisories on cybersecurity vulnerabilities pertaining to this sector.
SingCERT also works with the sectoral CERTs, where necessary, to inform local companies and affected customers of cybersecurity threats and incidents.
Insurance
Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?
Yes, various insurance solutions covering cyber risks are offered by several insurers in the Singapore market. These insurance solutions remain relatively new to the Singapore market, with AXA being reported to be the first insurer to commence such an offering in 2014.
Law Stated Date
Correct On
Give the date on which the information above is accurate.
The information above is accurate as at 6 December 2019.