Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?
On 31 August 2018, the Cybersecurity Act 2018 (No. 9 of 2018) (Cybersecurity Act), with the exception of sections 24 to 35 and the Second Schedule, came into effect. The Cybersecurity (Critical Information Infrastructure) Regulations 2018 (CII Regulations) and Cybersecurity (Confidential Treatment of Information) Regulations 2018 (Confidentiality Regulations) also came into operation on the same date.
Broadly, the Cybersecurity Act 2018 is a dedicated cybersecurity law that:
- creates a framework for the protection of designated critical information infrastructure (CII) against cybersecurity threats;
- provides for the appointment of the Commissioner of Cybersecurity (Commissioner) and other officers for the administration of the Cybersecurity Act;
- authorises the taking of measures to prevent, manage and respond to cybersecurity threats and incidents in Singapore; and
- establishes a licensing framework for providers of licensable cybersecurity services in Singapore, specifically, managed security operations centre monitoring services and penetration testing services.
Under the Cybersecurity Act, the Commissioner is empowered to issue codes of practice and standards of performance to ensure the cybersecurity of CII. Pursuant to these powers, the Commissioner has issued the Cybersecurity Code of Practice for Critical Information Infrastructure as of 1 September 2018.
The Cybersecurity Act will operate alongside the patchwork of existing legislation and various self-regulatory or co-regulatory codes that promote cybersecurity, including but not limited to the following:
- the Computer Misuse Act (Chapter 50A) (CMA), which criminalises certain cyber activities such as hacking, denial-of-service attacks, infection of computer systems with malware, the possession or use of hardware, software or other tools to commit offences under the CMA, and other acts preparatory to or in furtherance of the commission of any offence under the CMA;
- the Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA) and the regulations issued thereunder, which impose certain obligations on organisations to make ‘reasonable security arrangements’ to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks with respect to personal data held or processed by those organisations (the Protection Obligation). The Personal Data Protection Commission (PDPC) is responsible for the administration and enforcement of the PDPA and has issued general guides that, though not legally binding, provide greater clarity on, for instance, the types of reasonable security arrangements that can be adopted by organisations in the protection of personal data. These general guides include:
  - the Guide to Managing Data Breaches (the Data Breach Guide);
  - the Guide to Securing Personal Data in Electronic Medium (the Securing Personal Data Guide);
  - the Guide to Building Websites for small and medium-sized enterprises (SMEs);
- sector-specific codes of practice, such as the Telecommunication Cybersecurity Code of Practice formulated by the Info-communications Media Development Authority (IMDA), the converged telecommunications and media regulator in Singapore, which is imposed on major internet service providers in Singapore and includes security incident management requirements;
- other sector-specific regulatory frameworks, such as the Notice on Technology Risk Management (and the related Technology Risk Management Guidelines) formulated by the Monetary Authority of Singapore (MAS), Singapore’s central bank and the regulator responsible for overseeing the financial sector in Singapore, which imposes certain requirements relating to technology risk management for MAS-regulated financial institutions; and
- in respect of public sector agencies, the Business Continuity Readiness Assessment Framework and the Infocomm Security Health Scorecard, which were put in place to assess the level of security readiness and preparedness of Singapore’s public sector agencies.
Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction?
The Cybersecurity Act provides for the regulation of CII in 11 critical sectors. CII is defined as a computer or computer system that is necessary for the continuous delivery of an essential service, the loss or compromise of which will lead to a debilitating effect on the availability of the essential service in Singapore. The 11 critical sectors containing essential services from which CII may be designated are:
- banking and finance;
- security and emergency services;
- land transport;
- government; and
Certain sector regulators have also promulgated their own sector-specific frameworks to deal with cybersecurity-related issues. For instance, MAS has issued the Technology Risk Management Guidelines and the Notice on Technology Risk Management for the financial sector, while the IMDA has issued the Telecommunication Cybersecurity Code of Practice for major internet service providers in the telecommunications sector.
Has your jurisdiction adopted any international standards related to cybersecurity?
The Cybersecurity Agency of Singapore (CSA) has launched a certification scheme known as the Singapore Common Criteria Scheme (SCCS). The SCCS is based on the international standard ISO/IEC 15408 for computer security certification, otherwise known as the Common Criteria for Information Technology Security Evaluation. The SCCS aims to provide a cost-effective regime for the info-communications industry to evaluate and certify that their IT products conform to an accepted protection profile under the SCCS.
In addition, the government has publicly stated that, in the implementation of the Cybersecurity Act, it will take reference from internationally recognised standards when developing codes of practice and standards of performance for different sectors.
What are the obligations of responsible personnel and directors to keep informed about the adequacy of the organisation’s protection of networks and data, and how may they be held responsible for inadequate cybersecurity?
Personal liability may in certain circumstances be imposed on certain individuals for offences committed by their organisations under the Cybersecurity Act.
Section 36 of the Cybersecurity Act imposes personal liability on officers, members (where the affairs of a corporation are managed by its members) and individuals involved in the management of the corporation and who are in a position to influence its conduct, for offences committed by the corporation under the Cybersecurity Act, where such person: (i) consented to or connived in, or conspired with others to effect, the commission of the offence; (ii) is in any other way knowingly concerned in or party to the commission of the offence; or (iii) knew or ought reasonably to have known that the offence by the corporation would be or is being committed, and failed to take all reasonable steps to prevent or stop the commission of that offence.
In relation to offences committed by an unincorporated association or a partnership under the Cybersecurity Act, section 37 of the Cybersecurity Act imposes personal liability on officers of unincorporated associations and members of their governing bodies, partners in a partnership, and individuals involved in the management of the unincorporated association or partnership and who are in a position to influence its conduct, in circumstances similar to those set out under section 36 of the Cybersecurity Act.
See questions 23 and 24 for further details on offences under the Cybersecurity Act.
Under general company law, a director’s failure to adequately manage an organisation’s cybersecurity arrangements may amount to a breach of his or her directors’ duties, for example, under section 157 of the Companies Act (Chapter 50), which requires a director to use reasonable diligence in the discharge of the duties of his or her office.
The Code of Corporate Governance, which applies to listed companies in Singapore on a comply-or-explain basis, establishes the principle that the board of directors is responsible for the governance of risk and should ensure that management maintains a sound system of risk management and internal controls to safeguard the interests of the company and its shareholders.
How does your jurisdiction define cybersecurity and cybercrime?
‘Cybersecurity’ is defined under section 2 of the Cybersecurity Act to mean the state in which a computer or computer system is protected from unauthorised access or attack, and because of that state:
- the computer or computer system continues to be available and operational;
- the integrity of the computer or computer system is maintained; and
- the integrity and confidentiality of information stored in, processed by or transmitted through the computer or computer system is maintained.
The Cybersecurity Act, which provides for the protection of CII and establishes powers for the investigation and prevention of cybersecurity threats and incidents, falls under the purview of the Commissioner as supported by the CSA.
There is no statutory definition of the term ‘cybercrime’. In general, cybercrime issues are dealt with under the CMA, which criminalises activities such as the unauthorised access to computer material and the unauthorised modification of computer material (see question 10). The enforcement and investigation of offences under the CMA falls under the purview of the police, which is supervised by the Ministry of Home Affairs.
The protection of personal data falls under the PDPA, which is administered and enforced by the PDPC.
What are the minimum protective measures that organisations must implement to protect data and information technology systems from cyberthreats?
The Cybersecurity Act does not prescribe detailed protective measures to be taken. Instead, it imposes a set of general duties on owners of CII, including:
- a duty to comply with notices issued by the Commissioner for the CII owners to provide information (ie, to provide the Commissioner with information on the technical architecture of the CII (section 10));
- a duty to comply with codes of practice, standards of performance or written directions in relation to the CII as may be issued by the Commissioner (sections 11 and 12);
- a duty to notify the Commissioner of any change in ownership of the CII (section 13);
- a duty to report prescribed cybersecurity incidents (ie, to notify the Commissioner of any prescribed cybersecurity incidents relating to the CII (section 14));
- a duty to conduct audits (ie, to cause regular audits of the compliance of the CII with the Cybersecurity Act, codes of practice and standards of performance, which are to be carried out by an auditor approved or appointed by the Commissioner (section 15));
- a duty to conduct risk assessments (ie, to regularly conduct risk assessments of the CII as required by the Commissioner (section 15)); and
- a duty to participate in cybersecurity exercises as required by the Commissioner (section 16).
More detailed measures for the protection of CII may be prescribed in codes of practice, standards of performance or directions issued directly to CII owners.
Organisations are also generally required under section 24 of the PDPA to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
Within the financial sector, the Notice on Technology Risk Management issued by MAS stipulates that financial institutions shall establish frameworks and processes for the identification of critical systems as defined in the Notice, and shall implement IT controls to protect customer information from unauthorised access or disclosure.
Scope and jurisdiction
Does your jurisdiction have any laws or regulations that specifically address cyberthreats to intellectual property?
Pursuant to the Copyright Act (Chapter 63), the circumvention of technological access control or protection measures applied to copyrighted work or other subject matter may constitute an offence under section 261C of the Copyright Act.
In addition, the provisions of the CMA, though not specifically targeted at addressing threats to intellectual property, may apply to cybercrime activities that involve threats to intellectual property. Please refer to question 10 for more details on the principal cyber activities that are criminalised.
Does your jurisdiction have any laws or regulations that specifically address cyberthreats to critical infrastructure or specific sectors?
Yes, see questions 1, 2 and 6.
Does your jurisdiction have any cybersecurity laws or regulations that specifically restrict sharing of cyberthreat information?
There is no general restriction against the sharing of cyberthreat information. However, section 43 of the Cybersecurity Act provides that persons who are or who have been the Commissioner, the Minister, and certain other specified officers must not, except in limited circumstances, disclose certain information that has come into such persons’ knowledge in the performance of their functions or discharge of their duties under the Cybersecurity Act. Such information includes matters relating to a computer or computer system.
Other general legislation aimed at preserving the confidentiality or secrecy of certain matters may also apply to prevent the sharing of cyberthreat information in certain circumstances. For example, the PDPA generally prohibits the sharing of information that includes personal data, unless consent has been obtained from the relevant individuals or an exception under the PDPA applies. Information that relates to official secrets may also be protected from communication under the Official Secrets Act (Chapter 213).
What are the principal cyberactivities that are criminalised by the law of your jurisdiction?
The following is a non-exhaustive list of cyberactivities that are criminalised in Singapore:
- it is an offence for any person to knowingly cause a computer to perform any function for the purposes of securing unauthorised access to any program or data held in any computer (eg, by hacking or using another person’s login details without authority) (section 3 of the CMA);
- it is an offence for any person to cause a computer to perform any function for the purpose of securing access to a computer (whether authorised or unauthorised) with the intent to commit or facilitate the commission of an offence involving property, fraud or dishonesty or which causes bodily harm (eg, identity theft or identity fraud) (section 4 of the CMA);
- it is an offence for any person to do any act that the person knows will cause an unauthorised modification of the contents of any computer (eg, deliberately infecting computer systems with malware and viruses) (section 5 of the CMA);
- it is an offence for any person to knowingly secure unauthorised access to any computer for the purpose of obtaining any computer service, or to perform unauthorised use or interception of any computer function (section 6 of the CMA);
- it is an offence for any person to knowingly cause unauthorised interference with or obstruction of the use of a computer, or of the usefulness or effectiveness of any program or data stored within a computer (eg, denial-of-service attacks) (section 7 of the CMA);
- it is an offence for any person to disclose without authority access codes for wrongful gain, unlawful purposes or with the knowledge that it is likely to cause wrongful loss (section 8 of the CMA);
- it is an offence for any person to illegally obtain, retain or supply personal information about another individual from a computer in contravention of certain provisions under the CMA (eg, selling identity card numbers or credit card information without legitimate purpose) (section 8A of the CMA);
- it is an offence for any person to obtain or retain any item with the intent to use it to commit or facilitate the commission of an offence (eg, buying or dealing in hacking tools) (section 8B of the CMA); and
- it is an offence for an organisation or individual to evade requests made by individuals to access or correct their personal data by disposing of, altering, falsifying, concealing or destroying records containing personal data or information about the collection, use or disclosure of personal data (section 51 of the PDPA). This may constitute a cyberactivity if the records were kept on a computer.
How has your jurisdiction addressed information security challenges associated with cloud computing?
Recognising the increasingly common cross-border nature of cybersecurity threats, the Singaporean government has signed a number of memoranda of understanding (MOUs) with foreign countries in order to promote information exchange and sharing, as well as to collaborate on cybersecurity capacity building. MOUs signed by Singapore include those with Australia, Canada, France, India, the Netherlands, the United Kingdom and the United States. In addition, Singapore has signed a Joint Declaration on Cybersecurity Cooperation with Germany, and a Memorandum of Cooperation on Cybersecurity with Japan.
Locally, the Singapore authorities have also introduced a number of initiatives to enhance the security standards of cloud service providers. Legislative initiatives include the recently introduced Cybersecurity Act, which aims to enhance cybersecurity among essential services in 11 critical sectors. Other initiatives include, for example, the Multi-Tier Cloud Security Standard for Singapore (SS 584) issued by the Information Technology Standards Committee for voluntary adoption by cloud service providers (CSPs). The SS 584 standard provides for three tiers of security certification (Tier 1 being the base level and Tier 3 being the most stringent). Although adoption of the SS 584 standard is voluntary, certification under the SS 584 standard may be a requirement to participate in government tenders for public cloud services.
The IMDA has also issued a set of Cloud Outage Incident Response Guidelines (COIR Guidelines) for voluntary adoption by CSPs. The COIR Guidelines guide CSPs in planning for and responding to cloud outages, with a focus on operational mistakes, infrastructure or system failure and environmental issues (eg, flooding, fire).
How do your jurisdiction’s cybersecurity laws affect foreign organisations doing business in your jurisdiction? Are the regulatory obligations the same for foreign organisations?
Legislation such as the Cybersecurity Act and the PDPA may be applicable to foreign organisations doing business in Singapore.
The framework for the protection of CII under the Cybersecurity Act applies to any CII located wholly or partly in Singapore, and section 4 of the Cybersecurity Act allows computers or computer systems that are located wholly or partly in Singapore to be designated as CII. Hence, owners of CII that are partly located in Singapore would need to comply with the requirements of the Cybersecurity Act (see further question 6).
The PDPA, which imposes the Protection Obligation on organisations that possess or control personal data (see question 1), applies to organisations in the private sector generally. Organisation is defined under the PDPA to include any individual, company, association or body of persons, corporate or unincorporated, whether or not formed or recognised under the law of Singapore, or resident, or having an office or a place of business, in Singapore.
These frameworks generally do not impose differing standards of regulatory obligations on the foreign organisations to which they apply, as compared with local organisations.
Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?
Yes, the Singapore authorities have introduced various non-legislative initiatives aimed at enhancing cybersecurity standards. Some non-exhaustive examples are as follows.
For instance, the authorities have introduced standards and guidelines to promote security among cloud service providers (see question 11).
CSA has also published supplementary references to help owners of CII proactively secure and build resilience into their systems, such as its Security-by-Design Framework, which was developed to guide CII owners through the process of incorporating security into their systems development life-cycle process.
The Singapore Computer Emergency Response Team (SingCERT), which is part of the CSA, facilitates the detection, resolution and prevention of cybersecurity-related incidents on the internet. It occasionally publishes alerts, advisories and recommendations detailing procedures or mitigating measures for organisations to respond to new cyber threats.
How does the government incentivise organisations to improve their cybersecurity?
The government has publicly stated that it does not intend to provide funding to offset the costs of CII obligations that are regulatory requirements under the Cybersecurity Act. However, the government has established several schemes to enhance the cybersecurity capabilities of SMEs, as well as other corporations and organisations.
For instance, IMDA has established an SME Digital Tech Hub, a dedicated hub that provides specialist digital technology advice to SMEs on areas including, but not limited to, data analytics and cybersecurity. It also works with SME Centres and Trade Association & Chambers to provide assistance in connecting SMEs with digital technology vendors and consultants, as well as conducting workshops and seminars to improve the digital capabilities of SMEs. The CSA and the IMDA have also established partnerships with private organisations through the Critical Infocomm Technology Resource Programme Plus, Cybersecurity Professional Scheme, Cyber Security Associates and Technologists programme and the Tech Skills Accelerator initiative. These partnerships help to train and up-skill professionals with infocomm technology (ICT) or engineering disciplines, enabling them to take on cybersecurity job roles through company-led, on-the-job training.
CSA, through the Cyber Security Awareness Alliance, has also published guides and other resources on various topics such as securing company and tackling e-commerce fraud, and provided guides for SMEs such as the Employee Cyber Security Kit, which features an initial assessment of a company’s cybersecurity readiness and follows up with a recommended cybersecurity education programme. In the area of certifications and accreditations, the government has also announced that it will allow small service providers to apply for government funding to cover a proportion of the costs to become member companies of the Certification Registry for Electronic Share Transfer (CREST). The CREST Singapore chapter has been established in collaboration and partnership with the CSA, the Association of Information Security Professionals, MAS, the Association of Banks in Singapore and the IMDA, and offers various certifications for cybersecurity services in Singapore.
Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?
See question 1 for a non-exhaustive list of existing industry standards and codes of practice related to cybersecurity, some of which are confidential and not published in the public domain.
The following publicly available industry standards and codes of practice may be accessed as follows:
- MAS’s Technology Risk Management Guidelines and Notice on Technology Risk Management may be accessed on the MAS website at: www.mas.gov.sg;
- PDPC’s guides (which apply across the private sector), including the Data Breach Guide, the Securing Personal Data Guide and the Guide to Building Websites for SMEs, may be accessed on the PDPC website at: www.pdpc.gov.sg; and
- the Association of Banks in Singapore’s (ABS) industry guidelines on cybersecurity can be accessed on the ABS website at: www.abs.org.sg.
Are there generally recommended best practices and procedures for responding to breaches?
In the case of certain breaches, there may be a need to notify the authorities (see question 28). For data breaches involving personal data, the PDPC’s Data Breach Guide contains a number of recommendations that organisations may consider in responding to a data breach, including that an organisation should act as soon as it is aware of a data breach and consider the following measures, where applicable:
- shutting down the compromised system that led to the data breach;
- establishing whether steps can be taken to recover lost data and limit any damage caused by the data breach;
- isolating causes of the data breach in the system, and where applicable, changing the access rights to the compromised system and removing external connections to the system;
- preventing further unauthorised access to the system, and resetting passwords if accounts and passwords have been compromised;
- notifying the police if criminal activity is suspected and preserving evidence for investigation;
- putting a stop to practices that led to the data breach; and
- addressing lapses in processes that led to the data breach.
The Data Breach Guide also sets out recommendations on notifying affected individuals and other third parties such as banks, credit companies or the police.
Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?
Section 45 of the Cybersecurity Act protects the identities of informers of certain offences relating to CII. Generally, no witness in any proceedings for an offence under Part 3 of the Cybersecurity Act is obliged or permitted to:
- disclose the name, address or other particulars of an informer who has given information with respect to that offence, or the substance of the information received; or
- answer any question if the answer would lead, or tend to lead, to the discovery of the name, address or other particulars of the informer.
In addition, the court must also order any entries containing the informer’s name or descriptions, which may lead to the discovery of the informer’s identity, to be concealed from documents in evidence, or those available for inspection in such proceedings as mentioned in section 45(1) of the Cybersecurity Act.
Beyond the Cybersecurity Act, the Ministry of Communications and Information and CSA have stated that they intend to explore implementing administrative arrangements and partnerships to facilitate and encourage information sharing.
In the telecommunications sector, IMDA has also published a Cyber Security Vulnerability Reporting Guide to facilitate and encourage the reporting of cybersecurity vulnerabilities that the cybersecurity researcher community has detected in the public-facing applications and networks of telecommunication service providers, such as internet access, mobile and fixed-line voice or data service providers, broadcast, print (newspaper) and postal service providers.
In the financial sector, MAS has partnered with the Financial Services Information Sharing and Analysis Center to set up a regional centre in Singapore to share information on cybersecurity threats among financial institutions.
How do the government and private sector cooperate to develop cybersecurity standards and procedures?
In practice, the government typically consults relevant parties in developing legislative and regulatory standards. For instance, prior to the introduction of the Cybersecurity Act, the government had conducted several rounds of consultations with potential CII owners, industry associations and cybersecurity professionals. The government has also announced its intent to continue working with the industry and professional association partners to establish accreditation regimes for cybersecurity professionals.
The government has actively promoted cybersecurity through research and development (R&D) collaborations between government, academia and industry. In 2013, the government launched the National Cybersecurity R&D Programme to promote such research collaboration, with a total of S$190 million in funding having been made available to support the programme until 2020. The government has also kickstarted other initiatives such as the Cybersecurity Consortium with S$1.5 million in funding over three years from 2016, and the National Cybersecurity R&D Laboratory.
Grant schemes such as the Co-Innovation and Development Proof-of-Concept Funding Scheme are also available to Singapore-registered companies or overseas firms that partner with Singapore-registered companies. The scheme aims to support the co-development of innovative cybersecurity solutions that help to meet national cybersecurity needs, with potential for commercial application.
The Computer Emergency Response Teams (CERTs) overseeing specific sectors also issue advisories to the operators in their respective sectors. For example, the Infocommunications Singapore CERT (ISGCERT) issues alerts to operators in the telecommunications and media sector to enhance their cyber readiness, and advisories on cybersecurity vulnerabilities pertaining to this sector.
SingCERT also works with the sectoral CERTs, where necessary, to inform local companies and affected customers on cybersecurity threats and incidents.
Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?
Yes, various insurance solutions covering cyber risks are offered by several insurers in the Singapore market. Such insurance solutions remain relatively new to the Singapore market, with AXA being reported to be the first insurer to commence such an offering in 2014.
Which regulatory authorities are primarily responsible for enforcing cybersecurity rules?
The Commissioner is responsible for the enforcement of the Cybersecurity Act. At present, the Chief Executive of the CSA has been appointed as the Commissioner. The Cybersecurity Act also provides for the appointment of a Deputy Commissioner and Assistant Commissioners to assist the Commissioner. The government has publicly stated that Assistant Commissioners will be appointed from officers of sector regulators, as they understand the unique contexts and complexities in their sectors.
The Singaporean police force, which is overseen by the Ministry of Home Affairs, working together with the Public Prosecutor, is generally responsible for investigating and prosecuting criminal offences, such as those under the CMA.
In relation to data protection, the PDPC is the authority responsible for administering and enforcing the PDPA.
Sector regulators, such as MAS, which regulates the finance sector, and IMDA, which regulates the info-communications sector, are responsible for enforcing their individual sector-specific frameworks.
Describe the authorities’ powers to monitor compliance, conduct investigations and prosecute infringements.
The Commissioner has broad powers under the Cybersecurity Act to require CII owners to furnish information relating to CII, including information to ascertain the level of cybersecurity of CII. The Commissioner also has broad powers to investigate cybersecurity threats or incidents generally, including those that involve non-CII, by requiring the production of documents and examining relevant persons.
Section 15 of the Cybersecurity Act requires CII owners to conduct cybersecurity risk assessments of CII and cybersecurity audits of the compliance of the CII with the statute and the applicable codes of practices and standards of performance, and to furnish reports to the Commissioner.
With respect to investigations of cybersecurity threats or incidents, section 19 of the Cybersecurity Act sets out the powers of the Commissioner and authorised officers, which include powers to investigate cybersecurity threats or incidents for the purposes of: (i) assessing the impact or potential impact of the cybersecurity threat or incident; (ii) preventing any or further harm arising from the cybersecurity incident; or (iii) preventing a further cybersecurity incident from arising from that cybersecurity threat or incident.
Section 20 of the Cybersecurity Act is similar to section 19 of the Cybersecurity Act, save that it sets out the powers of the Commissioner with respect to ‘serious’ cybersecurity threats or incidents (ie, those that satisfy the severity threshold specified in section 20(3) of the Cybersecurity Act). Under section 19(2) of the Cybersecurity Act, the powers that may be exercised against persons affected by the cybersecurity threat or incident include:
- require the person to attend at a specified place and time to answer questions or to provide a signed statement concerning the cybersecurity threat or incident;
- require the person to produce any record or document, or provide any relevant information;
- inspect, copy or take extracts from such records or documents; and
- examine orally the person who appears to be acquainted with the facts and circumstances relating to the cybersecurity threat or incident.
Under section 20 of the Cybersecurity Act, the powers that may be exercised against persons affected by the cybersecurity threat or incident that satisfies the severity threshold include:
- any power mentioned above in section 19(2) of the Cybersecurity Act;
- direct the person to carry out such remedial measures, or to cease carrying on such activities, in relation to the affected computer or computer system, in order to minimise cybersecurity vulnerabilities;
- require the person to take any action to assist with the investigation, including but not limited to: (i) preserving the state of the affected computer or computer system by not using it; (ii) monitoring the affected computer or computer system; (iii) performing a scan of the affected computer or computer system to detect cybersecurity vulnerabilities and to assess the impact of the cybersecurity incident; and (iv) allowing the incident response officer to connect any equipment to, or install any computer program on, the affected computer or computer system as necessary;
- after giving reasonable notice, enter the premises where the affected computer or computer system is reasonably suspected to be located;
- access, inspect and check the operation of the affected computer or computer system, or use the computer or computer system to search any data contained in or available to such computer or computer system;
- perform a scan of the affected computer or computer system to detect cybersecurity vulnerabilities;
- take a copy of or extracts from any electronic record or computer program affected by the cybersecurity incident; and
- with the consent of the owner, take possession of any computer or other equipment for the purpose of carrying out further examination or analysis.
See questions 23 and 24 for details on the punishable offences under the Cybersecurity Act. In addition, section 40 of the Cybersecurity Act provides that, notwithstanding any provision to the contrary in the Criminal Procedure Code (Chapter 68), a district court of Singapore has jurisdiction to try any offence under the statute and has power to impose the full penalty or punishment in respect of the offence.
What are the most common enforcement issues and how have regulators and the private sector addressed them?
The Cybersecurity Act is relatively novel and there have yet to be any published reports of significant enforcement actions thereunder.
In relation to data breaches involving personal data, enforcement action under the PDPA has been instituted by the PDPC in a number of cases against private sector organisations for breaches of the Protection Obligation (see question 1). For instance, 16 of the PDPC’s 22 enforcement decisions released in 2016, and 15 of the PDPC’s 19 enforcement decisions released in 2017, involved a breach of the obligation to implement reasonable security arrangements to protect personal data.
In one case, on 21 April 2016, the PDPC imposed financial penalties of S$50,000 and S$10,000 on K Box Entertainment Group (K Box) and its data intermediary, Finantech Holdings, for failing to implement proper and adequate protective measures to secure its IT system, resulting in the unauthorised disclosure of the personal data of 317,000 K Box members. Details such as their contact number, email address, National Registration Identity Card number and date of birth were leaked on a publicly accessible website after the company’s database was hacked.
What penalties may be imposed for failure to comply with regulations aimed at preventing cybersecurity breaches?
The Cybersecurity Act provides for a number of offences, including the following:
- an owner of a CII who fails, without reasonable excuse, to comply with the duty to furnish information relating to the CII pursuant to a notice by the Commissioner, shall be liable upon conviction to a fine not exceeding S$100,000 or to imprisonment for a term not exceeding two years or to both, and in the case of a continuing offence, to a further fine not exceeding S$5,000 for every day or part of a day during which the offence continues after conviction (section 10(2));
- an owner of a CII who fails, without reasonable excuse, to comply with the duty to notify the Commissioner within 30 days of making a material change to the design, configuration, security or operation of the CII after any information has been furnished to the Commissioner pursuant to a notice given, shall be liable on conviction to a fine not exceeding S$25,000 or to imprisonment for a term not exceeding 12 months or to both (section 10(7));
- any person who, without reasonable excuse, fails to comply with a direction issued by the Commissioner, shall be liable upon conviction to a fine not exceeding S$100,000 or to imprisonment for a term not exceeding two years or to both, and to a further fine not exceeding S$5,000 for every day or part of a day during which the offence continues after conviction (section 12(6));
- any owner of a CII who fails, without reasonable excuse, to comply with the duty to conduct cybersecurity risk assessments and cause an audit of the compliance of the CII by an auditor approved or appointed by the Commissioner, and other requirements under the same provision (such as to comply with the Commissioner’s directions under subsections (3), (5)(a) or (6), or obstructs or prevents an audit mentioned in subsection (4) or a cybersecurity risk assessment under subsection (5)(b) from being carried out), shall be liable upon conviction to a fine not exceeding S$100,000 or to imprisonment for a term not exceeding two years or to both, and in the case of a continuing offence, to a further fine not exceeding S$5,000 for every day or part of a day during which the offence continues after conviction (section 15(7));
- any owner of a CII who, without reasonable excuse, fails to furnish a copy of the report of the audit or cybersecurity risk assessment within 30 days of completion of such audit or assessment, shall be liable upon conviction to a fine not exceeding S$25,000 or to imprisonment for a term not exceeding 12 months or to both, and in the case of a continuing offence, to a further fine not exceeding S$2,500 for every day or part of a day during which the offence continues after conviction (section 15(8));
- any person who, without reasonable excuse, fails to comply with the duty to participate in a cybersecurity exercise if directed to do so by the Commissioner, shall be liable on conviction to a fine not exceeding S$100,000 (section 16(3));
- any person who, without reasonable excuse, fails to comply with a Magistrate’s order under section 19(5), or who wilfully misstates or without reasonable excuse refuses to give any information, provide any statement or produce any record, document or copy required by an incident response officer under section 19(2) in the investigation of a cybersecurity incident, shall be liable on conviction to a fine not exceeding S$5,000 or to imprisonment for a term not exceeding six months or to both (section 19(8)); and
- in the case of an investigation into serious cybersecurity incidents, any person who, without reasonable excuse, fails to comply with sections 19(2) or 19(5) as mentioned above, or who fails to comply with a direction, requirement or lawful demand of an incident response officer made in the discharge of the officer’s duties under section 20, shall be liable on conviction to a fine not exceeding S$25,000 or to imprisonment for a term not exceeding two years or to both (section 20(7)).
In the case of a breach of the PDPA, the PDPC is empowered to issue such remedial directions as it thinks fit in the circumstances, including the imposition of a financial penalty of up to S$1 million.
What penalties may be imposed for failure to comply with the rules on reporting threats and breaches?
Section 14 of the Cybersecurity Act provides that an owner of a CII who, without reasonable excuse, fails to comply with the duty to report any prescribed cybersecurity incident within the prescribed period (see questions 28 and 29) shall be liable on conviction to a fine not exceeding S$100,000, or to imprisonment for a term not exceeding two years, or to both.
How can parties seek private redress for unauthorised cyberactivity or failure to adequately protect systems and data?
The Cybersecurity Act does not confer any private rights on parties to seek redress for unauthorised cyberactivity or failure to adequately protect systems and data.
In contrast, under the PDPA, where any person has suffered loss or damage directly as a result of non-compliance by an organisation with the data protection provisions under Parts IV to VI of the PDPA, a right of action for relief in civil proceedings in a court may be available. In cases where the PDPC has made a decision under the PDPA in respect of such a contravention, this right is only exercisable after such a decision issued by the PDPC has become final as a result of all avenues of appeal being exhausted. Relief may be granted by the court as it sees fit, including without limitation, relief by way of injunction or declaration, or damages.
Private claims may also be available under general law, for example, under the laws of contract or the tort of negligence, depending on the circumstances of each case.
Threat detection and reporting
Policies and procedures
What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?
Sections 11 and 12 of the Cybersecurity Act 2018 impose duties on owners of CII to comply with the codes of practice or standards of performance, or directions either of a general or specific nature issued by the Commissioner, which may contain provisions with respect to the measures to be taken by them to ensure the cybersecurity of the CII. On 1 September 2018, the Commissioner of Cybersecurity issued the Cybersecurity Code of Practice for CII. Detailed requirements are not published in the public domain.
In relation to the Protection Obligation under the PDPA, the PDPC does not prescribe any ‘one-size-fits-all’ solution to compliance, as it recognises that each organisation will need to address its own unique circumstances. Instead, the PDPC has issued various guidelines to provide guidance to organisations. For instance, PDPC’s Advisory Guidelines on Key Concepts in the PDPA sets out security arrangements (including administrative, physical and technical measures) that organisations may use to protect personal data. The PDPC has also published the Securing Personal Data Guide to provide greater clarity on the obligation to provide reasonable security arrangements in respect of personal data held or controlled by organisations.
In particular, the Securing Personal Data Guide sets out a series of good practices that organisations should undertake, including but not limited to:
- providing clear direction on ICT security goals and policies for personal data protection within the organisation;
- establishing, enforcing, and periodically reviewing ICT security policies, standards and procedures;
- instituting a risk management framework to identify security threats, assessing the risks involved and determining the controls to remove or reduce them; and
- designing and implementing an internal network with multi-tier or network zones, segregating the internal network according to function, physical location, access type, etc.
The Securing Personal Data Guide also sets out a series of enhanced practices that organisations may consider, including but not limited to:
- disabling unused network ports;
- monitoring LAN/WiFi regularly and removing unauthorised clients and WiFi access points;
- using network proxies to restrict employee access to known malicious websites;
- using two-factor authentication and strong encryption for remote access;
- disallowing remote network administration; and
- logging database activities, such as any changes to the database and data access activities to track unauthorised activities or anomalies.
Describe any rules requiring organisations to keep records of cyberthreats or attacks.
There are currently no provisions in the Cybersecurity Act or the PDPA expressly requiring organisations to keep records of cyberthreats or attacks. It may, however, be prudent for organisations to consider the need to keep records in order to ensure compliance with other regulatory requirements, for example, in the case of CII owners, to fulfil audit requirements.
Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.
Section 14 of the Cybersecurity Act provides that the owner of a CII must notify the Commissioner within the prescribed period in the prescribed form and manner upon becoming aware of the occurrence of any of the following events:
- a prescribed cybersecurity incident in respect of a CII;
- a prescribed cybersecurity incident in respect of any computer or computer system under the owner’s control that is interconnected with or that communicates with a CII; and
- any other type of cybersecurity incident in respect of the CII that the Commissioner has specified by written direction to the owner.
For this purpose, the prescribed cybersecurity incidents are set out in the CII Regulations and include:
- the unauthorised hacking of a CII;
- the installation or execution of unauthorised software or code on a CII;
- man-in-the-middle attacks, session hijacks or other unauthorised interception of communication between a CII and an authorised user; and
- denial-of-service attacks.
Please see question 29 for further details.
There is currently no mandatory data breach reporting obligation under the PDPA. Instead, the Data Breach Guide issued by the PDPC recommends that organisations notify the PDPC of data breaches that might cause public concern, or where there is a risk of harm to a group of affected individuals. The notification should include the following information:
- extent of the data breach;
- type and volume of the personal data breached;
- cause or suspected cause of the breach;
- whether the breach has been rectified;
- measures and processes that the organisation had put in place at the time of the breach;
- information on whether affected individuals were notified or when the organisation intends to do so; and
- contact details of persons with whom the PDPC may liaise for further information or clarification.
The PDPC’s Data Breach Guide also recommends that where criminal activity (eg, hacking, theft or unauthorised system access by an employee) is suspected, organisations should notify the police.
On 1 February 2018, the PDPC published its response to feedback following a public consultation exercise on proposed amendments to the PDPA. The PDPC has stated that it intends to introduce a mandatory data breach notification regime, under which organisations will be required to notify the PDPC and affected individuals of data breaches that are ‘likely to result in significant harm or impact to the individuals to whom the information relates’.
The PDPC has proposed to allow organisations an assessment period of up to 30 days to assess their eligibility for notification, from the day that they first become aware of a suspected breach. Once they determine that the breach is eligible for reporting, organisations will then need to notify the PDPC ‘as soon as practicable, no later than 72 hours’, and affected individuals ‘as soon as practicable’.
Presently, the proposed amendments to the PDPA have not been formally introduced in Parliament.
Within the financial sector, the Notice on Technology Risk Management issued by MAS requires financial institutions to notify MAS as soon as possible, but not later than one hour, upon the discovery of a relevant IT incident. The Notice also requires the financial institution to submit a root-cause and impact analysis report in respect of the IT incident to MAS within 14 days from the discovery of the relevant IT incident, or such longer period as MAS may allow.
What is the timeline for reporting to the authorities?
Section 14 of the Cybersecurity Act sets out that the owner of a CII must notify the Commissioner within the prescribed period upon becoming aware of the occurrence of the cybersecurity breaches described in question 28.
The prescribed period is set out in Regulation 5 of the CII Regulations, which sets out that a CII owner must notify the Commissioner of the occurrence of a prescribed cybersecurity incident in the required form within two hours after becoming aware of the occurrence, and provide, within 14 days of the initial submission, the following supplementary details:
- the cause of the cybersecurity incident;
- its impact on the CII, or any interconnected computer or computer system; and
- what remedial measures have been taken.
See question 28 for more details on the reporting timeline as prescribed by the Notice on Technology Risk Management issued by MAS and the timeline for mandatory data breach notification as proposed by the PDPC.
Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.
There are no provisions within the Cybersecurity Act that expressly require organisations to report threats or breaches to others in the industry, to customers or to the general public.
In addition, while there are currently no mandatory requirements under the PDPA to report threats or data breaches to others in the industry, to customers or to the general public, the PDPC’s Data Breach Guide recommends that organisations immediately notify the PDPC, affected individuals whose personal data was compromised, and other third parties such as banks, credit card companies and the police, where relevant, if the data breach involves sensitive personal data.
Further, the PDPC has proposed to introduce a mandatory data breach notification regime, which would require organisations to notify individuals of data breaches that are ‘likely to result in significant harm or impact to the individuals to whom the information relates’. See question 28.
Update and trends
What are the principal challenges to developing cybersecurity regulations? How can companies help shape a favourable regulatory environment? How do you anticipate cybersecurity laws and policies will change over the next year in your jurisdiction?
2018 has seen the coming into force of most of the provisions of the Cybersecurity Act, which establishes a legal framework for the oversight and maintenance of national cybersecurity in Singapore. The Cybersecurity Act sets out a framework for the protection of CII against cyberattacks in particular, and provides the Commissioner with the powers to investigate and respond to cybersecurity threats and incidents.
The Cybersecurity Act also establishes a framework for the licensing of certain cybersecurity service providers, specifically, managed security operations centre monitoring services and penetration testing services. The provisions in the Cybersecurity Act that establish the licensing framework have yet to be brought into effect. The government has announced that it intends for these provisions to be brought into effect in the second half of 2019. Detailed licensing requirements may be published going forward.
In relation to data breaches involving personal data, the PDPC has announced that it intends to introduce a mandatory data breach notification regime under the PDPA. Currently, there is no mandatory requirement under the PDPA to notify the PDPC of data breaches, although the PDPC has issued guidance on when it may be appropriate for organisations to notify PDPC of data breaches. See question 28.
At a regional level, it was announced at the Association of Southeast Asian Nations (ASEAN) Ministerial Conference on Cybersecurity, on 19 September 2018, that member states had agreed to work towards a rules-based framework on cybersecurity, and to subscribe in principle to the 11 voluntary norms recommended in the 2015 Report of the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security. Singapore is developing the first draft of the proposal on the intended mechanism, with inputs from the ASEAN Secretariat and ASEAN member states.
The cross-border enforcement of cybercrime activities is likely to remain a predominant challenge to ensuring cybersecurity. In this regard, CSA has stated that it will seek to work closely with its foreign counterparts, such as through information-sharing arrangements to facilitate cybersecurity investigations. Examples of such cross-border cooperation include the signing of several MOUs and other agreements with foreign governments (see question 11).