Key statutes, regulations and adopted international standards
The Cybersecurity Act
The Cybersecurity Act 2018 (No. 9 of 2018) (the Cybersecurity Act) is the principal legislation dedicated to cybersecurity in Singapore. With the exception of Part 5 and the Second Schedule, the Cybersecurity Act came into effect on 31 August 2018, creating a regulatory framework for the protection of critical information infrastructure (CII) against cybersecurity threats; the undertaking of measures to prevent, manage and respond to cybersecurity threats and incidents in Singapore; and the regulation of providers of licensable cybersecurity services.
The term ‘CII’ is defined as a computer or a computer system necessary for the continuous delivery of an essential service, the loss or compromise of which will have a debilitating effect on the availability of the essential services in Singapore. The essential services identified under the First Schedule of the Cybersecurity Act are services relating to the following sectors: energy; info-communications; water; healthcare; banking and finance; security and emergency services; aviation; land transport; maritime; government; and media.
The Cybersecurity Act is accompanied by the Cybersecurity (Critical Information Infrastructure) Regulations 2018 (the CII Regulations) and Cybersecurity (Confidential Treatment of Information) Regulations 2018 (the Confidentiality Regulations). The Commissioner of Cybersecurity has also issued the Cybersecurity Code of Practice for Critical Information Infrastructure (the Cybersecurity Code).
Aside from the Cybersecurity Act, other key legislation includes the Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA) and the Computer Misuse Act (Chapter 50A) (CMA).
The PDPA requires organisations to make reasonable security arrangements to protect personal data in their possession or under their control, in order to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks (the protection obligation).
Under the CMA, certain cyber activities, such as hacking, denial-of-service attacks or infecting computer systems with malware, are criminalised, as well as the possession or use of hardware, software or other tools to commit offences, and other acts preparatory to or in furtherance of the commission of any offence.
In addition to the PDPA and CMA, existing sector-specific frameworks have been put in place by the relevant regulators to address cybersecurity issues. For example, the telecommunications and media regulator, the Info-communications Media Development Authority (IMDA), has issued the Telecommunications Cybersecurity Code of Practice (Telecommunications Code), with which internet service providers in Singapore are required to comply. The Telecommunications Code includes requirements regarding security incident management, covering the prevention of, protection against, detection of, and response to cybersecurity threats. The Telecommunications Code was formed using international standards and best practices, including ISO/IEC 27011 and the IETF Best Current Practices.
Regarding the financial sector, the Monetary Authority of Singapore (MAS), Singapore’s central bank and financial regulatory authority, has issued data protection-related regulatory instruments such as the MAS Notices and Guidelines on Technology Risk Management and the MAS Guidelines on Outsourcing, which require financial institutions to notify the MAS of breaches of security and confidentiality of financial institutions’ customer information.
The Cybersecurity Act does not prevent regulators from setting more stringent cybersecurity requirements under their sectoral regulations to cater to the cybersecurity needs of the sector. In these cases, the standards in those sectoral regulations would take precedence over the standards in the Cybersecurity Act.
The Singapore Common Criteria Scheme (SCCS) is a certification scheme that provides a cost-effective regime for the info-communications industry to evaluate and certify their IT products. The SCCS is based on the international standard ISO/IEC 15408, which is also known as the Common Criteria for Information Technology Security Evaluation, or Common Criteria.
Enforcement of the Cybersecurity Act
The regulatory body responsible for enforcing the Cybersecurity Act is the Cybersecurity Agency of Singapore (CSA). The CSA provides dedicated and centralised oversight of national cybersecurity functions to protect essential services. The CSA is also responsible for the holistic development of Singapore’s cybersecurity landscape. The CSA comes under the purview of the Prime Minister’s Office and the Ministry of Communications and Information.
The CSA is headed by the Commissioner of Cybersecurity (the Commissioner), who is also the chief executive of the CSA. Assistant commissioners may also be appointed to assist the Commissioner. The CSA also works closely with sector regulators as they are best placed to understand the unique context and complexity of their sectors and can provide advice on the necessary requirements.
The relevant powers prescribed to the Commissioner to aid him or her in the enforcement of the Cybersecurity Act include:
- the power to obtain information to ascertain if a computer or computer system fulfils the criteria or the level of cybersecurity of CIIs;
- the power to issue written directions to the CII owner or class of owners to ensure the cybersecurity of the CII or the effective administration of the Cybersecurity Act;
- the power to investigate cybersecurity threats or incidents, including those involving non-CII. The Commissioner may exercise powers with varying levels of intrusiveness, depending on the severity of the threat or incident; and
- the power to authorise an officer to conduct investigations in relation to any offence under the Cybersecurity Act.
As far as we are aware, at the time of writing, the CSA had not published any reports of significant enforcement actions under the Cybersecurity Act.
Enforcement of other legislation
The Singapore Police Force, working together with the Public Prosecutor, would generally be responsible for investigating and prosecuting cyber crimes under the CMA.
The data protection authority, the Personal Data Protection Commission (PDPC), is responsible for enforcing the PDPA, and may impose on an organisation that fails to comply with the protection obligation a financial penalty of up to S$1 million. The PDPC may also impose on the organisation such directions as it thinks fit in the circumstances to ensure compliance with the protection obligation.
Sector regulators such as the IMDA and MAS are responsible for enforcing their individual sector-specific frameworks.
Relevant obligations for companies to protect against cyber threats
Under the Cybersecurity Act, owners of CII must comply with a number of general obligations, including:
- compliance with notices issued by the Commissioner to furnish information relating to the CII;
- compliance with codes of practice, standards of performance or written directions in relation to the CII as may be issued by the Commissioner, such as the Cybersecurity Code;
- notifying the Commissioner of any change in ownership of the CII;
- notifying the Commissioner of any prescribed cybersecurity incidents relating to the CII;
- regularly auditing the compliance of the CII with the Cybersecurity Act, codes of practice and standards of performance. Such audits are to be carried out by an auditor approved or appointed by the Commissioner;
- carrying out regular cybersecurity risk assessments of the CII; and
- participating in cybersecurity exercises as required by the Commissioner.
The details of such obligations may be provided for under the Cybersecurity Code. Although the Cybersecurity Code has not been made available in the public domain, the CSA will be periodically introducing supplementary references to help owners of CII comply with the Cybersecurity Code. These include the Security-by-Design Framework, which was developed to guide CII owners through the process of incorporating security into their systems development life-cycle process. Security-by-Design is an approach that addresses cyber protection considerations throughout a system’s life cycle, and it is one of the key components of the Cybersecurity Code.
With regard to the protection of personal data, unless an exception applies, organisations are required to comply with the protection obligation under the PDPA, as mentioned above.
To assist organisations with compliance with the protection obligation, and other data protection obligations in the PDPA, the PDPC has issued various advisory guidelines and guides. For example, the Advisory Guidelines on Key Concepts in the PDPA sets out a number of administrative, physical and technical security arrangements that organisations may consider adopting. Other relevant guides include the Guide to Securing Data in the Electronic Medium (revised 20 January 2017).
For the financial sector, the MAS Notice on Technology Risk Management imposes requirements on financial institutions to establish frameworks and processes for the identification of critical systems, and implement IT controls to protect customer information from unauthorised access or disclosure. Examples of critical systems include automated teller machine (ATM) systems, online banking systems, and systems that support payment, clearing or settlement functions.
The effect of local laws on foreign businesses
Under certain circumstances, the Cybersecurity Act and PDPA may be applicable to foreign businesses in Singapore.
The Cybersecurity Act’s CII protection framework applies to any CII located wholly or partly in Singapore. Further, a computer or computer system located wholly or partly in Singapore may be designated as a CII. As such, foreign businesses that are owners of such CII must comply with the relevant requirements of the Cybersecurity Act, as set out in the section above on ‘Relevant obligations for companies to protect against cyber threats’.
The PDPA applies to all organisations that are not a public agency or acting on behalf of a public agency, whether or not they are formed or recognised under the laws of Singapore, or are resident in or have an office or place of business in Singapore. As such, the PDPA (including the protection obligation) may be applicable to foreign businesses that carry out activities involving personal data in Singapore.
In comparison, the CMA has extraterritorial effect. The CMA provides that the provisions of the CMA shall have effect, in relation to any person, whatever his nationality or citizenship, outside as well as within Singapore. Where an offence under the CMA is committed by any person in any place outside Singapore, he or she may be dealt with as if the offence had been committed within Singapore.
Subject to certain circumstances, the CMA will apply if (1) the accused was in Singapore at the material time; (2) the computer, program or data was in Singapore at the material time; or (3) the offence causes, or creates a significant risk of, serious harm in Singapore. Serious harm in Singapore includes acts that seriously diminish, or create a significant risk of seriously diminishing, public confidence in the provision of an essential service; examples include the publication to the public of the medical records of patients of a hospital in Singapore, or providing the public with access to the account numbers of customers of a bank in Singapore.
Under the Cybersecurity Act, personal liability is imposed on officers, members (if the members of a corporation manage its affairs) and individuals involved in a corporation’s management and in a position to influence its conduct for offences committed by the corporation under the Cybersecurity Act, if they:
- consented, connived or conspired with others to bring about the offence;
- were knowingly concerned or party to the commission of the offence; or
- knew or ought reasonably to have known that the offence by the corporation would be or is being committed, and failed to take all reasonable steps to prevent or stop the commission of that offence.
Regarding offences committed by an unincorporated association or a partnership under the Cybersecurity Act, personal liability is imposed on officers of unincorporated associations and members of their governing bodies, partners in a partnership, and individuals involved in the management of the unincorporated association or partnership and who are in a position to influence its conduct, in circumstances similar to those set out under section 36 of the Cybersecurity Act.
Moreover, a director’s failure to adequately manage an organisation’s cybersecurity arrangements may amount to a breach of his or her duties as a director, for example, under section 157 of the Companies Act (Chapter 50), which requires a director to use reasonable diligence in the discharge of the duties of his or her office.
Best practices for responding to data breaches
The owner of CII must notify the Commissioner of:
- a prescribed cybersecurity incident in respect of the CII;
- a prescribed cybersecurity incident in respect of any computer or computer system under the owner’s control that is interconnected with or that communicates with CII; and
- any other type of cybersecurity incident in respect of CII that the Commissioner has specified by written direction to the owner.
Details of the cybersecurity incident must be notified to the Commissioner within two hours after becoming aware of the occurrence and, within 14 days after the initial notification, the following supplementary details must be provided:
- the cause of the cybersecurity incident and its impact on the CII, or any interconnected computer or computer system; and
- what remedial measures have been taken.
The prescribed cybersecurity incidents mentioned above are:
- the unauthorised hacking of CII;
- installation or execution of unauthorised software or computer code of a malicious nature on CII;
- any man-in-the-middle attack, session hijack or other unauthorised interception of communication between CII and an authorised user; and
- denial of service attacks that adversely affect the availability or operability of CII.
Further, the Singapore Computer Emergency Response Team (SingCert) publishes alerts, advisories and recommendations detailing procedures or mitigating measures for organisations to respond to new cybersecurity threats. SingCert is set up by the CSA and facilitates the detection, resolution and prevention of cybersecurity-related incidents on the internet.
There is currently no mandatory requirement or procedure under the PDPA for organisations to report data breaches to the PDPC.
However, the PDPC has publicly announced its intentions to introduce a mandatory breach notification requirement as part of its proposed amendments to the PDPA. In particular, the PDPC has issued a public consultation on Approaches to Managing Personal Data in the Digital Economy (27 July 2017) and a response to the feedback received in February 2018. Moreover, in the recently issued Guide to Managing Data Breaches 2.0 (22 May 2019), organisations are encouraged to notify the PDPC when ‘significant harm or impact is likely’ or where ‘500 or more individuals are affected’. The time frame for notification is ‘as soon as practicable, no later than 72 hours from the time the organisation has made its assessment’.
In terms of best practices in a data breach scenario, the Guide to Managing Data Breaches 2.0 recommends that organisations carry out their assessment of the data breach within 30 days from when they first become aware of a potential data breach. The details of the data breach and post-breach responses should be recorded in an incident record log to allow follow-up investigations or reviews.
If, upon assessment, the organisation is of the view that the breach is likely to result in significant harm or impact to the individuals to whom the information relates, or is of a significant scale (involving the personal data of 500 or more individuals), the organisation should notify the PDPC of the breach as soon as practicable, and no later than 72 hours after completing its assessment. Organisations may also wish to notify the affected individuals as soon as practicable where significant harm or impact to the individuals is likely.
As best practices, the notification to the PDPC should include the following information:
- extent of the data breach;
- type and volume of personal data involved;
- cause or suspected cause of the breach;
- whether the breach has been rectified;
- measures and processes that the organisation had put in place at the time of the breach;
- information on whether affected individuals of the data breach were notified and, if not, when the organisation intends to do so; and
- contact details of persons the PDPC can contact for further information or clarification.
Where criminal activity is suspected, the PDPC recommends that organisations notify the police so that they may offer assistance in containing the breach and preserve evidence for investigation.
Further, according to the PDPC’s Advisory Guidelines on Enforcement of Data Protection Provisions, the fact that an organisation has voluntarily notified the PDPC of a data breach as soon as it learned of the breach and cooperated with the PDPC in its investigations may be mitigating factors that the PDPC will take into account when calculating, if applicable, the financial penalty to be imposed.
Breaches in the financial sector
With respect to the financial sector, the MAS Notice on Technology Risk Management (TRM Notice) requires financial institutions to notify MAS as soon as possible, and in any case within one hour, upon the discovery of a relevant IT incident. The TRM Notice also requires financial institutions to submit a root cause and impact analysis report to MAS within 14 days, or such longer period as MAS may allow, from the discovery of the relevant IT incident.
Private redress options for unauthorised cyber activity
The Cybersecurity Act does not provide for parties to seek private redress for unauthorised cyber activity or failure to adequately protect systems and data.
In contrast, under the PDPA, any individual who suffers loss or damage directly as a result of an organisation’s breach of the PDPA has a right of private action for relief in civil proceedings in court. This right is only exercisable after the PDPC has made a decision under the PDPA in respect of a breach, and the decision has become final as a result of all avenues of appeal being exhausted.
Individuals may also bring private claims under common law, such as the laws of contract or the tort of negligence.
Updates and trends
On 19 September 2018, it was announced at the Association of Southeast Asian Nations (ASEAN) Ministerial Conference on Cybersecurity that the ASEAN member states had agreed to subscribe in-principle to the 11 voluntary norms recommended in the 2015 Report of the United Nations Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security. Singapore intends to propose a mechanism to enhance ASEAN cyber coordination and decide on interrelated cyber diplomacy, policy and operational issues. The proposal will be tabled to the ASEAN leaders for consideration.
To strengthen Singapore’s operational cybersecurity capabilities, the Singapore government has signed a number of memorandums of understanding (MOUs) with other countries to increase cybersecurity cooperation in key areas such as information exchange and sharing on cyber threats and cyber attacks and development of cybersecurity standards, as well as to collaborate on regional cybersecurity capacity building. Singapore has signed MOUs with Australia, Canada, France, India, the Netherlands, the United Kingdom and the United States. In addition, Singapore has signed a Joint Declaration on Cybersecurity Cooperation with Germany and a memorandum of cooperation on Cybersecurity with Japan.
Singapore and the United States have also signed a declaration of intent to collaborate on a Singapore–US Cybersecurity Technical Assistance Programme for ASEAN member states to further strengthen partnerships in regional cybersecurity capacity building. The programme will build on the existing MOU between the two countries signed in August 2016. It aims to deliver three cybersecurity training workshops on various aspects of technical cybersecurity capacity building annually, with the involvement of key industry partners.
Singapore also has in effect an MOU with the Financial Services Information Sharing and Analysis Centre, a non-profit, member-driven organisation, to advance security threat intelligence sharing and conduct joint exercises to protect the financial services sector.
Part 5 and the Second Schedule of the Cybersecurity Act, which relate to the licensing framework for cybersecurity services providers comprising managed security operations centre monitoring services and penetration testing services, have not yet come into effect. The relevant provisions are expected to be brought into effect in the second half of 2019.
As mentioned above, the PDPC has also stated that it intends to introduce a mandatory data breach notification regime, under which organisations will be required to notify the PDPC and affected individuals of data breaches that are likely to result in significant harm or impact to the individuals to whom the information relates. At the time of writing, the mandatory data breach notification requirement is not yet in effect, though it is expected to be implemented in due course.
On 14 January 2019, the PDPC imposed its highest financial penalties to date of S$250,000 and S$750,000 respectively on Singapore Health Services Pte Ltd (SingHealth) and Integrated Health Information Systems Pte Ltd, for breaching their data protection obligations under the PDPA. This unprecedented data breach, which arose from a cyber attack on SingHealth’s patient database system, caused the personal data of some 1.5 million patients and the outpatient prescriptions of nearly 160,000 patients to be compromised.