Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

Yes, the Singapore authorities have introduced various non-legislative initiatives aimed at enhancing cybersecurity standards. Some non-exhaustive examples are as follows.

For instance, the authorities have introduced standards and guidelines to promote security among cloud service providers (see question 11).

CSA has also published supplementary references to help owners of CII proactively secure and build resilience into their systems, such as its Security-by-Design Framework, which was developed to guide CII owners through the process of incorporating security into their systems development life-cycle process.

The Singapore Computer Emergency Response Team (SingCERT), which is part of the CSA, facilitates the detection, resolution and prevention of cybersecurity-related incidents on the internet. It occasionally publishes alerts, advisories and recommendations detailing procedures or mitigating measures for organisations to respond to new cyber threats.

How does the government incentivise organisations to improve their cybersecurity?

The government has publicly stated that it does not intend to provide funding to offset the costs of CII obligations that are regulatory requirements under the Cybersecurity Act. However, the government has established several schemes to enhance the cybersecurity capabilities of SMEs, as well as other corporations and organisations.

For instance, IMDA has established an SME Digital Tech Hub, a dedicated hub that provides specialist digital technology advice to SMEs on areas including, but not limited to, data analytics and cybersecurity. It also works with SME Centres and Trade Association & Chambers to provide assistance in connecting SMEs with digital technology vendors and consultants, as well as conducting workshops and seminars to improve the digital capabilities of SMEs. The CSA and the IMDA have also established partnerships with private organisations through the Critical Infocomm Technology Resource Programme Plus, Cybersecurity Professional Scheme, Cyber Security Associates and Technologists programme and the Tech Skills Accelerator initiative. These partnerships help to train and up-skill professionals with infocomm technology (ICT) or engineering disciplines, enabling them to take on cybersecurity job roles through company-led, on-the-job training.

CSA, through the Cyber Security Awareness Alliance, has also published guides and other resources on various topics such as securing company and tackling e-commerce fraud, and provided guides for SMEs such as the Employee Cyber Security Kit, which features an initial assessment of a company’s cybersecurity readiness and follows up with a recommended cybersecurity education programme. In the area of certifications and accreditations, the government has also announced that it will allow small service providers to apply for government funding to cover a proportion of the costs of becoming member companies of the Certification Registry for Electronic Share Transfer (CREST). The CREST Singapore chapter has been established in collaboration and partnership with the CSA, the Association of Information Security Professionals, MAS, the Association of Banks in Singapore and the IMDA, and offers various certifications for cybersecurity services in Singapore.

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

See question 1 for a non-exhaustive list of existing industry standards and codes of practice related to cybersecurity, some of which are confidential and not published in the public domain.

The following publicly available industry standards and codes of practice may be accessed as follows:

  • MAS’s Technology Risk Management Guidelines and Notice on Technology Risk Management may be accessed on the MAS website at: www.mas.gov.sg;
  • PDPC’s guides (which apply across the private sector), including the Data Breach Guide, the Securing Personal Data Guide and the Guide to Building Websites for SMEs, may be accessed on the PDPC website at: www.pdpc.gov.sg; and
  • the Association of Banks in Singapore’s (ABS) industry guidelines on cybersecurity can be accessed on the ABS website at: www.abs.org.sg.

Are there generally recommended best practices and procedures for responding to breaches?

In the case of certain breaches, there may be a need to notify the authorities (see question 28). For data breaches involving personal data, the PDPC’s Data Breach Guide contains a number of recommendations that organisations may consider in responding to a data breach, including that an organisation should act as soon as it is aware of a data breach and consider the following measures, where applicable:

  • shutting down the compromised system that led to the data breach;
  • establishing whether steps can be taken to recover lost data and limit any damage caused by the data breach;
  • isolating causes of the data breach in the system, and where applicable, changing the access rights to the compromised system and removing external connections to the system;
  • preventing further unauthorised access to the system, and resetting passwords if accounts and passwords have been compromised;
  • notifying the police if criminal activity is suspected and preserving evidence for investigation;
  • putting a stop to practices that led to the data breach; and
  • addressing lapses in processes that led to the data breach.

The Data Breach Guide also sets out recommendations on notifying affected individuals and other third parties such as banks, credit companies or the police.

Information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

Section 45 of the Cybersecurity Act protects the identities of informers of certain offences relating to CII. Generally, no witness in any proceedings for an offence under Part 3 of the Cybersecurity Act is obliged or permitted to:

  • disclose the name, address or other particulars of an informer who has given information with respect to that offence, or the substance of the information received; or
  • answer any question if the answer would lead, or tend to lead, to the discovery of the name, address or other particulars of the informer.

In addition, the court must also order any entries containing the informer’s name or descriptions, which may lead to the discovery of the informer’s identity, to be concealed from documents in evidence, or those available for inspection in such proceedings as mentioned in section 45(1) of the Cybersecurity Act.

Beyond the Cybersecurity Act, the Ministry of Communications and Information and CSA have stated that they intend to explore implementing administrative arrangements and partnerships to facilitate and encourage information sharing.

In the telecommunications sector, IMDA has also published a Cyber Security Vulnerability Reporting Guide to facilitate and encourage the reporting of cybersecurity vulnerabilities that the cybersecurity researcher community has detected in the public-facing applications and networks of telecommunication service providers, such as internet access, mobile and fixed-line voice or data service providers, broadcast, print (newspaper) and postal service providers.

In the financial sector, MAS has partnered with the Financial Services Information Sharing and Analysis Center to set up a regional centre in Singapore to share information on cybersecurity threats among financial institutions.

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

In practice, the government typically consults relevant parties in developing legislative and regulatory standards. For instance, prior to the introduction of the Cybersecurity Act, the government had conducted several rounds of consultations with potential CII owners, industry associations and cybersecurity professionals. The government has also announced its intent to continue working with the industry and professional association partners to establish accreditation regimes for cybersecurity professionals.

The government has actively promoted cybersecurity through research and development (R&D) collaborations between government, academia and industry. In 2013, the government launched the National Cybersecurity R&D Programme to promote such research collaboration, with a total of S$190 million in funding having been made available to support the programme until 2020. The government has also kickstarted other initiatives such as the Cybersecurity Consortium with S$1.5 million in funding over three years from 2016, and the National Cybersecurity R&D Laboratory.

Grant schemes such as the Co-Innovation and Development Proof-of-Concept Funding Scheme are also available to Singapore-registered companies or overseas firms that partner with Singapore-registered companies. The scheme aims to support the co-development of innovative cybersecurity solutions that help to meet national cybersecurity needs, with potential for commercial application.

The Computer Emergency Response Teams (CERTs) overseeing specific sectors also issue advisories to the operators in their respective sectors. For example, the Infocommunications Singapore CERT (ISGCERT) issues alerts to operators in the telecommunications and media sector to enhance their cyber readiness, as well as advisories on cybersecurity vulnerabilities pertaining to this sector.

SingCERT also works with the sectoral CERTs, where necessary, to inform local companies and affected customers on cybersecurity threats and incidents.

Insurance

Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

Yes, various insurance solutions covering cyber risks are offered by several insurers in the Singapore market. Such insurance solutions remain relatively new to the Singapore market; AXA was reportedly the first insurer to commence such an offering, in 2014.