Singapore: Cybersecurity
This is an Insight article, written by a selected partner as part of GDR's co-published content. Read more on Insight
Key statutes, regulations and adopted international standards
The Cybersecurity Act
The Cybersecurity Act 2018 (the Cybersecurity Act) is the principal legislation dedicated to cybersecurity in Singapore. The primary objective of the Cybersecurity Act is to provide the necessary legislative framework to better protect critical information infrastructure (CII), and to give the Cybersecurity Agency of Singapore (CSA) the powers required to act on cybersecurity incidents that impact Singapore.
The Commissioner of Cybersecurity (the Commissioner) may designate a computer or computer system a CII if he or she is satisfied that:
- it is a computer or a computer system necessary for the continuous delivery of an essential service, the loss or compromise of which will have a debilitating effect on the availability of essential services in Singapore; and
- the computer or computer system is located wholly or partly in Singapore.
The essential services identified under the First Schedule of the Cybersecurity Act are services relating to the following sectors: energy; info-communications; water; healthcare; banking and finance; security and emergency services; aviation; land transport; maritime; government; and media.
The Cybersecurity Act is accompanied by the Cybersecurity (Critical Information Infrastructure) Regulations 2018 (the CII Regulations), the Cybersecurity (Confidential Treatment of Information) Regulations 2018 (the Confidentiality Regulations), the Cybersecurity (Cybersecurity Service Providers) Regulations 2022 and the Cybersecurity (Composition of Offences) Regulations 2022.
The Commissioner has also issued a second edition of the Cybersecurity Code of Practice for Critical Information Infrastructure (the Cybersecurity Code), with effect from 4 July 2022. The Cybersecurity Code is intended to specify the minimum protection policies that a CII owner shall implement to ensure the cybersecurity of its CII. Subject to exceptions, a CII owner must comply with the Cybersecurity Code under section 11(6) of the Cybersecurity Act. Some of the obligations in the Cybersecurity Code include the requirement for the CII owner to establish, in writing, a cybersecurity risk management framework, as well as a cybersecurity incident response plan and crisis communication plan. CII owners must also develop a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) to ensure that the CII can continue to deliver essential services in the event of disruptions due to a cybersecurity incident.
Other legislation
Aside from the Cybersecurity Act, other key legislation includes the Personal Data Protection Act 2012 (PDPA) and the Computer Misuse Act 1993 (CMA).
Under the PDPA, organisations are required to make reasonable security arrangements to protect personal data in their possession or under their control to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks and to prevent the loss of any storage medium or device on which personal data is stored (the protection obligation).[1]
Under the CMA, certain cyber activities are criminalised. These include hacking, denial-of-service attacks or infecting computer systems with malware, as well as the possession or use of hardware, software or other tools to commit offences, and other acts preparatory to or in furtherance of the commission of any offence.
In addition to the PDPA and CMA, existing sector-specific frameworks have been put in place by the relevant regulators that address cybersecurity issues. For example:
- The telecommunications and media regulator, the Info-communications Media Development Authority (IMDA), has issued the Telecommunications Cybersecurity Code of Practice (the Telecommunications Code), which internet service providers in Singapore are required to comply with. The Telecommunications Code includes requirements relating to security incident management, including the prevention, protection, detection of, and response to, cybersecurity threats. The Telecommunications Code was based on international standards and best practices, including ISO/IEC[2] 27011 and the IETF[3] Best Current Practices.
- Regarding the financial sector, the Monetary Authority of Singapore (MAS), Singapore’s central bank and financial regulatory authority, have issued data protection-related regulatory instruments such as the MAS Notices and Guidelines on Technology Risk Management, the Notices on Cyber Hygiene and the Guidelines on Outsourcing, which require financial institutions, among other things, to notify the MAS of breaches of security and confidentiality of customer information.
International standards
The Singapore Common Criteria Scheme (SCCS) is a certification scheme that provides a cost-effective regime for the info-communications industry to evaluate and certify their information technology (IT) products. The SCCS is based on the international standard ISO/IEC 15408, which is also known as the Common Criteria for Information Technology Security Evaluation, or Common Criteria.
Regulatory bodies
Enforcement of the Cybersecurity Act
The CSA is the regulatory body responsible for enforcing the Cybersecurity Act The CSA provides dedicated and centralised oversight of national cybersecurity functions to protect essential services. The CSA is also responsible for the holistic development of Singapore’s cybersecurity landscape. The CSA comes under the purview of the Prime Minister’s Office and the Ministry of Communications and Information.
The CSA is headed by the Commissioner, who is also the chief executive of the CSA. Assistant commissioners may also be appointed to assist the Commissioner. The CSA works closely with sector regulators as they are best placed to understand the unique context and complexity of their sectors and can provide advice on the necessary requirements.
The relevant powers prescribed to the Commissioner to aid him or her in the enforcement of the Cybersecurity Act include:
- the power to obtain information to ascertain if a computer or computer system fulfils the criteria or the cybersecurity obligations of CIIs;[4]
- the power to issue written directions to the CII owners to ensure the cybersecurity of the CII or the effective administration of the Cybersecurity Act;[5]
- the power to investigate cybersecurity threats or incidents, including those involving non-CII. The Commissioner may exercise powers with varying levels of intrusiveness, depending on the severity of the threat or incident;[6] and
- the power to authorise an officer to conduct investigations in relation to any offence under the Cybersecurity Act.[7]
As far as we are aware, at the time of writing, the CSA has not published any reports of significant enforcement actions under the Cybersecurity Act.
Enforcement of other legislation
The Singapore Police Force, working together with the Public Prosecutor, is generally responsible for investigating and prosecuting cybercrimes under the CMA.
The data protection authority, the Personal Data Protection Commission (PDPC), is responsible for enforcing the PDPA, and may impose a financial penalty of up to S$1 million on an organisation that fails to comply with the protection obligation. With effect from 1 October 2022, the maximum financial penalty that may be imposed by the PDPC will be increased to the higher of 10 per cent of an organisation’s annual turnover or S$1 million. The PDPC may also impose such directions as it thinks fit on the organisation under the circumstances to ensure compliance with the protection obligation.
Sector regulators such as the IMDA and MAS are responsible for enforcing their individual sector-specific frameworks.
Relevant obligations for companies to protect against cyber threats
Under the Cybersecurity Act, owners of CII must comply with a number of general obligations, including:
- compliance with notices issued by the Commissioner to furnish information relating to the CII;[8]
- compliance with codes of practice, standards of performance and written directions in relation to the CII as may be issued by the Commissioner, such as the Cybersecurity Code;[9]
- notifying the Commissioner of any change in ownership of the CII;[10]
- notifying the Commissioner of any prescribed cybersecurity incidents relating to the CII;[11]
- regularly auditing the compliance of the CII with the Cybersecurity Act, codes of practice and standards of performance. Such audits are to be carried out by an auditor approved or appointed by the Commissioner;[12]
- carrying out regular cybersecurity risk assessments of the CII;[13] and
- participating in cybersecurity exercises as required by the Commissioner.[14]
The details of such obligations may be specified under the Cybersecurity Code. The CSA will periodically introduce supplementary references to help owners of CII comply with the Cybersecurity Code. This includes the Security-by-Design Framework, which was developed to guide CII owners through the process of incorporating security into their systems development life cycle. Security-by-Design is an approach that addresses the cyber protection considerations throughout a system’s life cycle, and is one of the key components of the Cybersecurity Code.
With regard to the protection of personal data, organisations are required to comply with the protection obligation under the PDPA in respect of the personal data in their possession or control, as mentioned above.
The PDPC has issued various advisory guidelines and guides. For example, the Advisory Guidelines on Key Concepts in the PDPA sets out a number of administrative, physical and technical security arrangements that organisations may consider adopting. The PDPC also released the Guide to Data Protection by Design for ICT Systems, which recommends basic and enhanced practices that organisations can incorporate into their technology policies, systems and processes.
For the financial sector, the MAS Notice on Technology Risk Management imposes requirements on financial institutions to establish frameworks and processes for the identification of critical systems, and implement IT controls to protect customer information from unauthorised access or disclosure. Examples of critical systems include automated teller machine (ATM) systems, online banking systems, and systems that support payment, clearing or settlement functions.
The effect of local laws on foreign businesses
Under certain circumstances, the Cybersecurity Act and PDPA may be applicable to foreign businesses in Singapore.
The Cybersecurity Act’s CII protection framework applies to any CII located wholly or partly in Singapore.[15] In addition, as mentioned above, a computer or computer system located wholly or partly in Singapore may be designated as a CII.[16] As such, foreign businesses that are owners of such CII must comply with the relevant requirements of the Cybersecurity Act, as set out in the section above on ‘Relevant obligations for companies to protect against cyber threats’.
Subject to its detailed scope (for more detail see the chapter on ‘Singapore: Privacy’), the data protection provisions under the PDPA apply to all organisations (and persons) that are not public agencies (including those not formed or recognised under the laws of Singapore or without residency, an office or a place of business in Singapore).[17] As such, the data protection provisions under the PDPA (including the protection obligation) may be applicable to foreign businesses that carry out activities involving personal data in Singapore.
In comparison, the CMA provides that the provisions of the CMA shall have effect, in relation to any person, whatever his or her nationality or citizenship, outside as well as within Singapore. Where an offence under the CMA is committed by any person in any place outside Singapore, he or she may be dealt with as if the offence had been committed within Singapore.[18]
Subject to certain circumstances, the CMA will apply if (1) the accused was in Singapore at the material time; (2) the computer, program or data was in Singapore at the material time; or (3) the offence causes, or creates a significant risk of, serious harm in Singapore.[19] Examples of acts that seriously diminish or create a significant risk of seriously diminishing public confidence in the provision of an essential service include:
- publication to the public of the medical records of patients of a hospital in Singapore; and
- providing public access to the account numbers of customers of a bank in Singapore.
Directors’ responsibilities
Under the Cybersecurity Act, personal liability is imposed on officers, members (if the members of a corporation manage its affairs) and individuals involved in a corporation’s management and in a position to influence its conduct for offences committed by the corporation under the Cybersecurity Act, if they:
- consented, connived or conspired with others to bring about the offence;
- were knowingly concerned or party to the commission of the offence; or
- knew or ought reasonably to have known that the offence by the corporation would be or is being committed, and failed to take all reasonable steps to prevent or stop the commission of that offence.[20]
Regarding offences committed by an unincorporated association or a partnership under the Cybersecurity Act, personal liability is imposed on officers of unincorporated associations and members of their governing bodies, partners in a partnership, and individuals involved in the management of the unincorporated association or partnership and who are in a position to influence its conduct, in circumstances similar to those set out in the preceding paragraph.[21]
Moreover, a director’s failure to adequately manage an organisation’s cybersecurity arrangements may amount to a breach of their directors’ duties, for example, under section 157 of the Companies Act 1967, which requires a director to use reasonable diligence in the discharge of the duties of their office.
Best practices for responding to data breaches
Cybersecurity incidents
The owner of CII must notify the Commissioner of:
- a prescribed cybersecurity incident in respect of the CII;
- a prescribed cybersecurity incident in respect of any computer or computer system under the owner’s control that is interconnected with or that communicates with CII; and
- any other type of cybersecurity incident in respect of CII that the Commissioner has specified by written direction to the owner.[22]
Details of the cybersecurity incident must be notified to the Commissioner within two hours after becoming aware of the occurrence and, within 14 days after the initial notification, the following supplementary details must be provided:
- the cause of the cybersecurity incident and its impact on the CII, or any interconnected computer or computer system; and
- what remedial measures have been taken.[23]
The prescribed cybersecurity incidents mentioned above are:
- the unauthorised hacking of CII;
- the installation or execution of unauthorised software or computer code of a malicious nature on CII;
- any man-in-the-middle attack, session hijack or other unauthorised interception of communication between CII and an authorised user; and
- any denial-of-service attacks that adversely affect the availability or operability of CII.[24]
Further, the Singapore Computer Emergency Response Team (SingCert) publishes alerts, advisories and recommendations detailing procedures or mitigation measures for organisations to respond to new cybersecurity threats. SingCert is set up by the CSA and facilitates the detection, resolution and prevention of cybersecurity-related incidents on the internet.
Data breaches
Recent amendments to the PDPA introduced a mandatory data breach notification regime. Under the new data breach notification obligation (Part 6A of the PDPA), in the event of a data breach, organisations are required to conduct, in a reasonable and expeditious manner, an assessment of whether the data breach is notifiable.
A data breach is a ‘notifiable data breach’ if it:
- results in, or is likely to result in, significant harm to any individual to whom any personal data affected by a data breach relates; or
- is, or is likely to be, of a significant scale (ie, 500 or more individuals).
The organisation must notify the PDPC of the notifiable data breach as soon as practicable, but in any case, no later than three calendar days after making the determination that a data breach is a notifiable data breach. A data intermediary must, without undue delay, notify the primary organisation (or public agency) on whose behalf it is processing personal data when it has reason to believe that a data breach has occurred in relation to personal data that it is processing on the latter’s behalf.
Subject to certain prescribed exceptions, on or after notifying the PDPC, organisations must also notify affected individuals if the data breach is likely to result in significant harm or impact to the individuals.
The Personal Data Protection (Notification of Data Breaches) Regulations 2021 set out further prescribed requirements relating to the Data Breach Notification Obligation, including the contents of the notification to the PDPC as well as the categories of prescribed personal data that are deemed to result in significant harm to the affected individual.
Where criminal activity is suspected, the PDPC recommends that organisations notify the police so that they may offer assistance in containing the breach and preserve evidence for investigation.
Organisations must also notify affected individuals if the data breach is likely to result in significant harm or impact to the individuals to whom the information relates. There are two exceptions to this requirement to notify affected individuals, namely:
- where organisations have taken actions in accordance with any prescribed requirements that render it unlikely that the breach will result in significant harm to affected individuals; and
- where the personal data that was compromised by the data breach is subject to technological protection (eg, encryption) such that the data breach is unlikely to result in significant harm to the affected individuals.
Organisations must also not notify affected individuals if instructed by a prescribed law enforcement agency or directed as such by PDPC, for example, in circumstances where the notification may compromise investigations or prejudice enforcement efforts.
For more information, organisations may refer to the PDPC’s Guide on Managing and Notifying Data Breaches under the PDPA.
Breaches in the financial sector
With respect to the financial sector, the MAS Notice on Technology Risk Management (TRM Notice) requires financial institutions to notify MAS as soon as possible, but no later than an hour, upon the discovery of a relevant IT incident.[25] The TRM Notice also requires financial institutions to submit a root cause and impact analysis report to MAS within 14 days, or such longer period as MAS may allow, from the discovery of the relevant IT incident.[26]
Private redress options for unauthorised cyber activity
The Cybersecurity Act does not provide for parties to seek private redress for unauthorised cyber activity or failure to adequately protect systems and data.
In contrast, under the PDPA, any individual who suffers loss or damage directly as a result of an organisation’s breach of the PDPA has a right of private action for relief in civil proceedings in court.[27] If the PDPC has made a decision under the PDPA in respect of the same breach, this right is only exercisable after the PDPC’s decision has become final as a result of there being no further right of appeal.
The Criminal Procedure Code 2010 provides that, if a person is convicted of any offence, the court may make an order for the payment of compensation to the person injured (in respect of his or her person, character or property) by the relevant offences.[28] Thus, should an individual be convicted of a cybercrime under the CMA, the court may also order compensation to any other person who has suffered injury as a result of that offence.
Individuals may also bring private claims under common law, such as the laws of contract or the tort of negligence.
Updates and trends
Singapore has been increasingly paying more attention to cybersecurity issues over the past few years.
To strengthen Singapore’s operational cybersecurity capabilities, the Singapore government has signed a number of memorandums of understanding (MOUs) with other countries to increase cybersecurity cooperation in key areas such as information exchange and sharing on cyber threats and cyberattacks and development of cybersecurity standards, as well as to collaborate on regional cybersecurity capacity building. Singapore has signed MOUs with Australia, Canada, France, India, the Netherlands, the UK and the US. In addition, Singapore has signed a Joint Declaration on Cybersecurity Cooperation with Germany and a memorandum of cooperation on Cybersecurity with Japan.
In addition, on 17 May 2019, the CSA and The National Cyber Policy Office (NCPO) of New Zealand signed a formal arrangement to strengthen cybersecurity cooperation. Singapore and New Zealand will undertake cybersecurity cooperation in key areas including regular information exchange on cybersecurity incidents and threats and sharing of best practices on the protection of CII and cyber ecosystem development. Both countries will also conduct cybersecurity exercises and collaborate on capacity building activities in the region.
On 23 November 2019, Singapore and the Republic of Korea signed an MOU to enhance cooperation and information sharing on cybersecurity. This MOU will facilitate more exchanges and information-sharing across the strategic, policy, and technical domains, including in the areas of protection of CII, the promotion of the cybersecurity ecosystem, as well as human resource development, so as to strengthen the ability of both states to address and tackle the transboundary challenge of cybersecurity.
On 23 March 2020, Singapore renewed its 2017 MOU on cybersecurity cooperation with Australia, to further strengthen and expand cooperation and information sharing. The MOU will promote cooperation in information exchange and sharing; joint cybersecurity exercises; training to develop awareness and skills; sharing of best practices and promoting innovation; regional confidence-building measures; and regional capacity building.
On 23 August 2021, Singapore and the US signed a new MOU to expand their cooperation on cybersecurity. Beyond strengthening information sharing, fostering cybersecurity exchanges between Singapore and the US, and cooperation through joint exercises, the MOU will expand into new areas of cooperation such as critical technologies, and research and development. Following the signing of this MOU, the United States–Singapore Cyber Dialogue was established in March 2022. Senior government officials from the cyber-operational, technical and policy units of various agencies will come together to discuss areas such as the protection of CII, cybersecurity related to critical technologies, countering ransomware and managing supply chain security.
On 6 October 2020, Singapore’s Deputy Prime Minister launched Singapore’s Safe Cyberspace Masterplan 2020, which outlines a blueprint for the creation of a safer and more secure cyberspace in Singapore. It was developed in consultation with industry and academic partners, and aims to raise the general level of cybersecurity for individuals, communities, enterprises and organisations. It comprises three strategic thrusts:
- securing Singapore’s core digital infrastructure;
- safeguarding Singapore’s cyberspace activities; and
- empowering Singapore’s cyber-savvy population.
In addition, Singapore has also sought to build strategic partnerships with the industry. On 3 October 2019, CSA and FireEye, Inc announced their anticipated expanded scope of their strategic partnership within areas of cybersecurity capability development and research and development. In an MOU signed by the two parties, the organisations articulated their intention to extend the framework of their cybersecurity cooperation to include capability building and the sharing of threat information.
Separately, in August 2021, the Government Technology Agency (GovTech) launched a new Vulnerability Rewards Programme (VRP) on top of the existing Government Bug Bounty Programme and the Vulnerability Disclosure Programme. The VRP offers monetary rewards ranging from US$250 to US$5,000 to registered and authorised hackers, depending on the severity of the vulnerabilities discovered.
More recently, the CSA launched a new cybersecurity certification programme on 29 March 2022 to recognise enterprises that have adopted and implemented good cybersecurity practices, comprising two cybersecurity marks: Cyber Essentials and Cyber Trust. Cyber Essentials recognises enterprises that have put in place cyber hygiene measures, while Cyber Trust is a mark of distinction that recognises enterprises with comprehensive cybersecurity measures and practices.
On 29 April 2022, CSA published the Guidelines for CII Owners to Enhance Cyber Security for 5G Use Cases (Guidelines for 5G Use Cases) to address challenges in the 5G era. Although not binding, the Guidelines for 5G Use Cases provides insightful guidance to CII owners on identifying potential risks and threats. Additionally, the guidelines provide recommendations on how the potential risks of such threats can be mitigated.
Legislative updates
Part 5 and the Second Schedule of the Cybersecurity Act, which relate to the licensing framework for cybersecurity services providers comprising managed security operations centre monitoring services and penetration testing services, came into effect on 11 April 2022. The Cybersecurity (Cybersecurity Service Providers) Regulations 2022 and the Cybersecurity (Composition of Offences) Regulations 2022 also became operative from 11 April 2022.
Under the new framework, existing cybersecurity service providers who are already engaged in the businesses of providing licensable cybersecurity services have until 11 October 2022 to apply for a licence. Currently, only penetration testing services and managed security operations centre monitoring services are prescribed as licensable cybersecurity services under the Cybersecurity Act. Any person who engages in the business of providing any licensable cybersecurity services to another person without a licence after 11 October 2022 shall be guilty of an offence and liable on conviction to a fine not exceeding S$50,000 or to imprisonment for a term not exceeding two years.[29]
On 11 April 2022, the CSA also set up the Cybersecurity Services Regulation Office (CSRO). The functions of the CSRO include:
- enforcing the licensing framework, for example, managing licensing processes, imposing and enforcing licence conditions;
- responding to queries and feedback from licensees, businesses and the public; and
- developing and sharing resources on licensable cybersecurity services with consumers such as the list of licensees.
The published list of licensed service providers may be accessed on the CSRO’s website.[30]
The Cybersecurity Act is currently under review. In particular, the CSA is looking to expand the Cybersecurity Act to improve awareness of threats over Singapore’s cyberspace and protect virtual assets (eg, systems hosted on the cloud) as CII if they support essential services. Beyond the CIIs, the review will also cover foundational digital infrastructure and key digital services, such as apps, that are important to sustain Singapore’s reliance on digital infrastructure and services. A public consultation on the amendments to the Cybersecurity Act is expected to happen in early 2023.
On 4 July 2022, the revised Cybersecurity Code came into effect. The Cybersecurity Code was revised to:
- improve the odds of defenders against threat actors’ sophisticated tactics, techniques and procedures and impede the attacks;
- enhance agility in addressing emerging risks in specific domains (eg, Cloud, 5G, AI); and
- enable coordinated defences between the government and private sectors to identify, discover and respond to cybersecurity threats and attacks on a timely basis.
Separately, as mentioned above, the Personal Data Protection (Amendment) Act 2020 was passed by the Singapore parliament as law on 14 November 2020, and most of the amendments to the PDPA came into effect on 1 February 2021. The enhanced financial penalty provisions will come into effect on 1 October 2022.
Case study
On 14 January 2019, the PDPC imposed its highest financial penalties to date of S$250,000 and S$750,000 respectively on Singapore Health Services Pte Ltd (SingHealth) and Integrated Health Information Systems Pte Ltd, for breaching their data protection obligations under the PDPA. This unprecedented data breach, which arose from a cyberattack on SingHealth’s patient database system, caused the personal data of some 1.5 million patients and the outpatient prescriptions of nearly 160,000 patients to be compromised.
Key statutes, regulations and adopted international standards
The Cybersecurity Act
The Cybersecurity Act 2018 (the Cybersecurity Act) is the principal legislation dedicated to cybersecurity in Singapore. The primary objective of the Cybersecurity Act is to provide the necessary legislative framework to better protect critical information infrastructure (CII), and to give the Cybersecurity Agency of Singapore (CSA) the powers required to act on cybersecurity incidents that impact Singapore.
The Commissioner of Cybersecurity (the Commissioner) may designate a computer or computer system a CII if he or she is satisfied that:
- it is a computer or a computer system necessary for the continuous delivery of an essential service, the loss or compromise of which will have a debilitating effect on the availability of essential services in Singapore; and
- the computer or computer system is located wholly or partly in Singapore.
The essential services identified under the First Schedule of the Cybersecurity Act are services relating to the following sectors: energy; info-communications; water; healthcare; banking and finance; security and emergency services; aviation; land transport; maritime; government; and media.
The Cybersecurity Act is accompanied by the Cybersecurity (Critical Information Infrastructure) Regulations 2018 (the CII Regulations), the Cybersecurity (Confidential Treatment of Information) Regulations 2018 (the Confidentiality Regulations), the Cybersecurity (Cybersecurity Service Providers) Regulations 2022 and the Cybersecurity (Composition of Offences) Regulations 2022.
The Commissioner has also issued a second edition of the Cybersecurity Code of Practice for Critical Information Infrastructure (the Cybersecurity Code), with effect from 4 July 2022. The Cybersecurity Code is intended to specify the minimum protection policies that a CII owner shall implement to ensure the cybersecurity of its CII. Subject to exceptions, a CII owner must comply with the Cybersecurity Code under section 11(6) of the Cybersecurity Act. Some of the obligations in the Cybersecurity Code include the requirement for the CII owner to establish, in writing, a cybersecurity risk management framework, as well as a cybersecurity incident response plan and crisis communication plan. CII owners must also develop a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) to ensure that the CII can continue to deliver essential services in the event of disruptions due to a cybersecurity incident.
Other legislation
Aside from the Cybersecurity Act, other key legislation includes the Personal Data Protection Act 2012 (PDPA) and the Computer Misuse Act 1993 (CMA).
Under the PDPA, organisations are required to make reasonable security arrangements to protect personal data in their possession or under their control to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks and to prevent the loss of any storage medium or device on which personal data is stored (the protection obligation).[1]
Under the CMA, certain cyber activities are criminalised. These include hacking, denial-of-service attacks or infecting computer systems with malware, as well as the possession or use of hardware, software or other tools to commit offences, and other acts preparatory to or in furtherance of the commission of any offence.
In addition to the PDPA and CMA, existing sector-specific frameworks have been put in place by the relevant regulators that address cybersecurity issues. For example:
- The telecommunications and media regulator, the Info-communications Media Development Authority (IMDA), has issued the Telecommunications Cybersecurity Code of Practice (the Telecommunications Code), which internet service providers in Singapore are required to comply with. The Telecommunications Code includes requirements relating to security incident management, including the prevention, protection, detection of, and response to, cybersecurity threats. The Telecommunications Code was based on international standards and best practices, including ISO/IEC[2] 27011 and the IETF[3] Best Current Practices.
- Regarding the financial sector, the Monetary Authority of Singapore (MAS), Singapore’s central bank and financial regulatory authority, have issued data protection-related regulatory instruments such as the MAS Notices and Guidelines on Technology Risk Management, the Notices on Cyber Hygiene and the Guidelines on Outsourcing, which require financial institutions, among other things, to notify the MAS of breaches of security and confidentiality of customer information.
International standards
The Singapore Common Criteria Scheme (SCCS) is a certification scheme that provides a cost-effective regime for the info-communications industry to evaluate and certify their information technology (IT) products. The SCCS is based on the international standard ISO/IEC 15408, which is also known as the Common Criteria for Information Technology Security Evaluation, or Common Criteria.
Regulatory bodies
Enforcement of the Cybersecurity Act
The CSA is the regulatory body responsible for enforcing the Cybersecurity Act The CSA provides dedicated and centralised oversight of national cybersecurity functions to protect essential services. The CSA is also responsible for the holistic development of Singapore’s cybersecurity landscape. The CSA comes under the purview of the Prime Minister’s Office and the Ministry of Communications and Information.
The CSA is headed by the Commissioner, who is also the chief executive of the CSA. Assistant commissioners may also be appointed to assist the Commissioner. The CSA works closely with sector regulators as they are best placed to understand the unique context and complexity of their sectors and can provide advice on the necessary requirements.
The relevant powers prescribed to the Commissioner to aid him or her in the enforcement of the Cybersecurity Act include:
- the power to obtain information to ascertain if a computer or computer system fulfils the criteria or the cybersecurity obligations of CIIs;[4]
- the power to issue written directions to the CII owners to ensure the cybersecurity of the CII or the effective administration of the Cybersecurity Act;[5]
- the power to investigate cybersecurity threats or incidents, including those involving non-CII. The Commissioner may exercise powers with varying levels of intrusiveness, depending on the severity of the threat or incident;[6] and
- the power to authorise an officer to conduct investigations in relation to any offence under the Cybersecurity Act.[7]
As far as we are aware, at the time of writing, the CSA has not published any reports of significant enforcement actions under the Cybersecurity Act.
Enforcement of other legislation
The Singapore Police Force, working together with the Public Prosecutor, is generally responsible for investigating and prosecuting cybercrimes under the CMA.
The data protection authority, the Personal Data Protection Commission (PDPC), is responsible for enforcing the PDPA, and may impose a financial penalty of up to S$1 million on an organisation that fails to comply with the protection obligation. With effect from 1 October 2022, the maximum financial penalty that may be imposed by the PDPC will be increased to the higher of 10 per cent of an organisation’s annual turnover or S$1 million. The PDPC may also impose such directions as it thinks fit on the organisation under the circumstances to ensure compliance with the protection obligation.
Sector regulators such as the IMDA and MAS are responsible for enforcing their individual sector-specific frameworks.
Relevant obligations for companies to protect against cyber threats
Under the Cybersecurity Act, owners of CII must comply with a number of general obligations, including:
- compliance with notices issued by the Commissioner to furnish information relating to the CII;[8]
- compliance with codes of practice, standards of performance and written directions in relation to the CII as may be issued by the Commissioner, such as the Cybersecurity Code;[9]
- notifying the Commissioner of any change in ownership of the CII;[10]
- notifying the Commissioner of any prescribed cybersecurity incidents relating to the CII;[11]
- regularly auditing the compliance of the CII with the Cybersecurity Act, codes of practice and standards of performance. Such audits are to be carried out by an auditor approved or appointed by the Commissioner;[12]
- carrying out regular cybersecurity risk assessments of the CII;[13] and
- participating in cybersecurity exercises as required by the Commissioner.[14]
The details of such obligations may be specified under the Cybersecurity Code. The CSA will periodically introduce supplementary references to help owners of CII comply with the Cybersecurity Code. This includes the Security-by-Design Framework, which was developed to guide CII owners through the process of incorporating security into their systems development life cycle. Security-by-Design is an approach that addresses the cyber protection considerations throughout a system’s life cycle, and is one of the key components of the Cybersecurity Code.
With regard to the protection of personal data, organisations are required to comply with the protection obligation under the PDPA in respect of the personal data in their possession or control, as mentioned above.
The PDPC has issued various advisory guidelines and guides. For example, the Advisory Guidelines on Key Concepts in the PDPA sets out a number of administrative, physical and technical security arrangements that organisations may consider adopting. The PDPC also released the Guide to Data Protection by Design for ICT Systems, which recommends basic and enhanced practices that organisations can incorporate into their technology policies, systems and processes.
For the financial sector, the MAS Notice on Technology Risk Management imposes requirements on financial institutions to establish frameworks and processes for the identification of critical systems, and implement IT controls to protect customer information from unauthorised access or disclosure. Examples of critical systems include automated teller machine (ATM) systems, online banking systems, and systems that support payment, clearing or settlement functions.
The effect of local laws on foreign businesses
Under certain circumstances, the Cybersecurity Act and PDPA may be applicable to foreign businesses in Singapore.
The Cybersecurity Act’s CII protection framework applies to any CII located wholly or partly in Singapore.[15] In addition, as mentioned above, a computer or computer system located wholly or partly in Singapore may be designated as a CII.[16] As such, foreign businesses that are owners of such CII must comply with the relevant requirements of the Cybersecurity Act, as set out in the section above on ‘Relevant obligations for companies to protect against cyber threats’.
Subject to its detailed scope (for more detail see the chapter on ‘Singapore: Privacy’), the data protection provisions under the PDPA apply to all organisations (and persons) that are not public agencies (including those not formed or recognised under the laws of Singapore or without residency, an office or a place of business in Singapore).[17] As such, the data protection provisions under the PDPA (including the protection obligation) may be applicable to foreign businesses that carry out activities involving personal data in Singapore.
In comparison, the CMA provides that the provisions of the CMA shall have effect, in relation to any person, whatever his or her nationality or citizenship, outside as well as within Singapore. Where an offence under the CMA is committed by any person in any place outside Singapore, he or she may be dealt with as if the offence had been committed within Singapore.[18]
Subject to certain circumstances, the CMA will apply if (1) the accused was in Singapore at the material time; (2) the computer, program or data was in Singapore at the material time; or (3) the offence causes, or creates a significant risk of, serious harm in Singapore.[19] Examples of acts that seriously diminish or create a significant risk of seriously diminishing public confidence in the provision of an essential service include:
- publication to the public of the medical records of patients of a hospital in Singapore; and
- providing public access to the account numbers of customers of a bank in Singapore.
Directors’ responsibilities
Under the Cybersecurity Act, personal liability is imposed on officers, members (if the members of a corporation manage its affairs) and individuals involved in a corporation’s management and in a position to influence its conduct for offences committed by the corporation under the Cybersecurity Act, if they:
- consented, connived or conspired with others to bring about the offence;
- were knowingly concerned or party to the commission of the offence; or
- knew or ought reasonably to have known that the offence by the corporation would be or is being committed, and failed to take all reasonable steps to prevent or stop the commission of that offence.[20]
Regarding offences committed by an unincorporated association or a partnership under the Cybersecurity Act, personal liability is imposed on officers of unincorporated associations and members of their governing bodies, partners in a partnership, and individuals involved in the management of the unincorporated association or partnership and who are in a position to influence its conduct, in circumstances similar to those set out in the preceding paragraph.[21]
Moreover, a director’s failure to adequately manage an organisation’s cybersecurity arrangements may amount to a breach of their directors’ duties, for example, under section 157 of the Companies Act 1967, which requires a director to use reasonable diligence in the discharge of the duties of their office.
Best practices for responding to data breaches
Cybersecurity incidents
The owner of CII must notify the Commissioner of:
- a prescribed cybersecurity incident in respect of the CII;
- a prescribed cybersecurity incident in respect of any computer or computer system under the owner’s control that is interconnected with or that communicates with CII; and
- any other type of cybersecurity incident in respect of CII that the Commissioner has specified by written direction to the owner.[22]
Details of the cybersecurity incident must be notified to the Commissioner within two hours after becoming aware of the occurrence and, within 14 days after the initial notification, the following supplementary details must be provided:
- the cause of the cybersecurity incident and its impact on the CII, or any interconnected computer or computer system; and
- what remedial measures have been taken.[23]
The prescribed cybersecurity incidents mentioned above are:
- the unauthorised hacking of CII;
- the installation or execution of unauthorised software or computer code of a malicious nature on CII;
- any man-in-the-middle attack, session hijack or other unauthorised interception of communication between CII and an authorised user; and
- any denial-of-service attacks that adversely affect the availability or operability of CII.[24]
Further, the Singapore Computer Emergency Response Team (SingCert) publishes alerts, advisories and recommendations detailing procedures or mitigation measures for organisations to respond to new cybersecurity threats. SingCert is set up by the CSA and facilitates the detection, resolution and prevention of cybersecurity-related incidents on the internet.
Data breaches
Recent amendments to the PDPA introduced a mandatory data breach notification regime. Under the new data breach notification obligation (Part 6A of the PDPA), in the event of a data breach, organisations are required to conduct, in a reasonable and expeditious manner, an assessment of whether the data breach is notifiable.
A data breach is a ‘notifiable data breach’ if it:
- results in, or is likely to result in, significant harm to any individual to whom any personal data affected by a data breach relates; or
- is, or is likely to be, of a significant scale (ie, 500 or more individuals).
The organisation must notify the PDPC of the notifiable data breach as soon as practicable, but in any case, no later than three calendar days after making the determination that a data breach is a notifiable data breach. A data intermediary must, without undue delay, notify the primary organisation (or public agency) on whose behalf it is processing personal data when it has reason to believe that a data breach has occurred in relation to personal data that it is processing on the latter’s behalf.
Subject to certain prescribed exceptions, on or after notifying the PDPC, organisations must also notify affected individuals if the data breach is likely to result in significant harm or impact to the individuals.
The Personal Data Protection (Notification of Data Breaches) Regulations 2021 set out further prescribed requirements relating to the Data Breach Notification Obligation, including the contents of the notification to the PDPC as well as the categories of prescribed personal data that are deemed to result in significant harm to the affected individual.
Where criminal activity is suspected, the PDPC recommends that organisations notify the police so that they may offer assistance in containing the breach and preserve evidence for investigation.
Organisations must also notify affected individuals if the data breach is likely to result in significant harm or impact to the individuals to whom the information relates. There are two exceptions to this requirement to notify affected individuals, namely:
- where organisations have taken actions in accordance with any prescribed requirements that render it unlikely that the breach will result in significant harm to affected individuals; and
- where the personal data that was compromised by the data breach is subject to technological protection (eg, encryption) such that the data breach is unlikely to result in significant harm to the affected individuals.
Organisations must also not notify affected individuals if instructed by a prescribed law enforcement agency or directed as such by PDPC, for example, in circumstances where the notification may compromise investigations or prejudice enforcement efforts.
For more information, organisations may refer to the PDPC’s Guide on Managing and Notifying Data Breaches under the PDPA.
Breaches in the financial sector
With respect to the financial sector, the MAS Notice on Technology Risk Management (TRM Notice) requires financial institutions to notify MAS as soon as possible, but no later than an hour, upon the discovery of a relevant IT incident.[25] The TRM Notice also requires financial institutions to submit a root cause and impact analysis report to MAS within 14 days, or such longer period as MAS may allow, from the discovery of the relevant IT incident.[26]
Private redress options for unauthorised cyber activity
The Cybersecurity Act does not provide for parties to seek private redress for unauthorised cyber activity or failure to adequately protect systems and data.
In contrast, under the PDPA, any individual who suffers loss or damage directly as a result of an organisation’s breach of the PDPA has a right of private action for relief in civil proceedings in court.[27] If the PDPC has made a decision under the PDPA in respect of the same breach, this right is only exercisable after the PDPC’s decision has become final as a result of there being no further right of appeal.
The Criminal Procedure Code 2010 provides that, if a person is convicted of any offence, the court may make an order for the payment of compensation to the person injured (in respect of his or her person, character or property) by the relevant offences.[28] Thus, should an individual be convicted of a cybercrime under the CMA, the court may also order compensation to any other person who has suffered injury as a result of that offence.
Individuals may also bring private claims under common law, such as the laws of contract or the tort of negligence.
Updates and trends
Singapore has been increasingly paying more attention to cybersecurity issues over the past few years.
To strengthen Singapore’s operational cybersecurity capabilities, the Singapore government has signed a number of memorandums of understanding (MOUs) with other countries to increase cybersecurity cooperation in key areas such as information exchange and sharing on cyber threats and cyberattacks and development of cybersecurity standards, as well as to collaborate on regional cybersecurity capacity building. Singapore has signed MOUs with Australia, Canada, France, India, the Netherlands, the UK and the US. In addition, Singapore has signed a Joint Declaration on Cybersecurity Cooperation with Germany and a memorandum of cooperation on Cybersecurity with Japan.
In addition, on 17 May 2019, the CSA and The National Cyber Policy Office (NCPO) of New Zealand signed a formal arrangement to strengthen cybersecurity cooperation. Singapore and New Zealand will undertake cybersecurity cooperation in key areas including regular information exchange on cybersecurity incidents and threats and sharing of best practices on the protection of CII and cyber ecosystem development. Both countries will also conduct cybersecurity exercises and collaborate on capacity building activities in the region.
On 23 November 2019, Singapore and the Republic of Korea signed an MOU to enhance cooperation and information sharing on cybersecurity. This MOU will facilitate more exchanges and information-sharing across the strategic, policy, and technical domains, including in the areas of protection of CII, the promotion of the cybersecurity ecosystem, as well as human resource development, so as to strengthen the ability of both states to address and tackle the transboundary challenge of cybersecurity.
On 23 March 2020, Singapore renewed its 2017 MOU on cybersecurity cooperation with Australia, to further strengthen and expand cooperation and information sharing. The MOU will promote cooperation in information exchange and sharing; joint cybersecurity exercises; training to develop awareness and skills; sharing of best practices and promoting innovation; regional confidence-building measures; and regional capacity building.
On 23 August 2021, Singapore and the US signed a new MOU to expand their cooperation on cybersecurity. Beyond strengthening information sharing, fostering cybersecurity exchanges between Singapore and the US, and cooperation through joint exercises, the MOU will expand into new areas of cooperation such as critical technologies, and research and development. Following the signing of this MOU, the United States–Singapore Cyber Dialogue was established in March 2022. Senior government officials from the cyber-operational, technical and policy units of various agencies will come together to discuss areas such as the protection of CII, cybersecurity related to critical technologies, countering ransomware and managing supply chain security.
On 6 October 2020, Singapore’s Deputy Prime Minister launched Singapore’s Safe Cyberspace Masterplan 2020, which outlines a blueprint for the creation of a safer and more secure cyberspace in Singapore. It was developed in consultation with industry and academic partners, and aims to raise the general level of cybersecurity for individuals, communities, enterprises and organisations. It comprises three strategic thrusts:
- securing Singapore’s core digital infrastructure;
- safeguarding Singapore’s cyberspace activities; and
- empowering Singapore’s cyber-savvy population.
In addition, Singapore has also sought to build strategic partnerships with the industry. On 3 October 2019, CSA and FireEye, Inc announced their anticipated expanded scope of their strategic partnership within areas of cybersecurity capability development and research and development. In an MOU signed by the two parties, the organisations articulated their intention to extend the framework of their cybersecurity cooperation to include capability building and the sharing of threat information.
Separately, in August 2021, the Government Technology Agency (GovTech) launched a new Vulnerability Rewards Programme (VRP) on top of the existing Government Bug Bounty Programme and the Vulnerability Disclosure Programme. The VRP offers monetary rewards ranging from US$250 to US$5,000 to registered and authorised hackers, depending on the severity of the vulnerabilities discovered.
More recently, the CSA launched a new cybersecurity certification programme on 29 March 2022 to recognise enterprises that have adopted and implemented good cybersecurity practices, comprising two cybersecurity marks: Cyber Essentials and Cyber Trust. Cyber Essentials recognises enterprises that have put in place cyber hygiene measures, while Cyber Trust is a mark of distinction that recognises enterprises with comprehensive cybersecurity measures and practices.
On 29 April 2022, CSA published the Guidelines for CII Owners to Enhance Cyber Security for 5G Use Cases (Guidelines for 5G Use Cases) to address challenges in the 5G era. Although not binding, the Guidelines for 5G Use Cases provides insightful guidance to CII owners on identifying potential risks and threats. Additionally, the guidelines provide recommendations on how the potential risks of such threats can be mitigated.
Legislative updates
Part 5 and the Second Schedule of the Cybersecurity Act, which relate to the licensing framework for cybersecurity services providers comprising managed security operations centre monitoring services and penetration testing services, came into effect on 11 April 2022. The Cybersecurity (Cybersecurity Service Providers) Regulations 2022 and the Cybersecurity (Composition of Offences) Regulations 2022 also became operative from 11 April 2022.
Under the new framework, existing cybersecurity service providers who are already engaged in the businesses of providing licensable cybersecurity services have until 11 October 2022 to apply for a licence. Currently, only penetration testing services and managed security operations centre monitoring services are prescribed as licensable cybersecurity services under the Cybersecurity Act. Any person who engages in the business of providing any licensable cybersecurity services to another person without a licence after 11 October 2022 shall be guilty of an offence and liable on conviction to a fine not exceeding S$50,000 or to imprisonment for a term not exceeding two years.[29]
On 11 April 2022, the CSA also set up the Cybersecurity Services Regulation Office (CSRO). The functions of the CSRO include:
- enforcing the licensing framework, for example, managing licensing processes, imposing and enforcing licence conditions;
- responding to queries and feedback from licensees, businesses and the public; and
- developing and sharing resources on licensable cybersecurity services with consumers such as the list of licensees.
The published list of licensed service providers may be accessed on the CSRO’s website.[30]
The Cybersecurity Act is currently under review. In particular, the CSA is looking to expand the Cybersecurity Act to improve awareness of threats over Singapore’s cyberspace and protect virtual assets (eg, systems hosted on the cloud) as CII if they support essential services. Beyond the CIIs, the review will also cover foundational digital infrastructure and key digital services, such as apps, that are important to sustain Singapore’s reliance on digital infrastructure and services. A public consultation on the amendments to the Cybersecurity Act is expected to happen in early 2023.
On 4 July 2022, the revised Cybersecurity Code came into effect. The Cybersecurity Code was revised to:
- improve the odds of defenders against threat actors’ sophisticated tactics, techniques and procedures and impede the attacks;
- enhance agility in addressing emerging risks in specific domains (eg, Cloud, 5G, AI); and
- enable coordinated defences between the government and private sectors to identify, discover and respond to cybersecurity threats and attacks on a timely basis.
Separately, as mentioned above, the Personal Data Protection (Amendment) Act 2020 was passed by the Singapore parliament as law on 14 November 2020, and most of the amendments to the PDPA came into effect on 1 February 2021. The enhanced financial penalty provisions will come into effect on 1 October 2022.
Case study
On 14 January 2019, the PDPC imposed its highest financial penalties to date of S$250,000 and S$750,000 respectively on Singapore Health Services Pte Ltd (SingHealth) and Integrated Health Information Systems Pte Ltd, for breaching their data protection obligations under the PDPA. This unprecedented data breach, which arose from a cyberattack on SingHealth’s patient database system, caused the personal data of some 1.5 million patients and the outpatient prescriptions of nearly 160,000 patients to be compromised.
Notes
[1] Section 24 of the PDPA.
[2] International Organisation for Standardisation/International Electrotechnical Commission.
[3] Internet Engineering Task Force.
[4] Sections 8 and 10 of the Cybersecurity Act.
[5] Section 12 of the Cybersecurity Act.
[6] For more detail, see sections 19 and 20 of the Cybersecurity Act.
[7] Sections 38 and 39 of the Cybersecurity Act.
[8] Section 10 of the Cybersecurity Act.
[9] Sections 11 and 12 of the Cybersecurity Act.
[10] Section 13 of the Cybersecurity Act.
[11] Section 14 of the Cybersecurity Act.
[12] Section 15 of the Cybersecurity Act.
[13] Section 15 of the Cybersecurity Act.
[14] Section 16 of the Cybersecurity Act.
[15] Section 3 of the Cybersecurity Act.
[16] Section 7 of the Cybersecurity Act.
[17] Section 2(1) of the PDPA.
[18] Section 13(1)–(2) of the CMA.
[19] Section 13(3) of the CMA.
[20] Section 36 of the Cybersecurity Act.
[21] Section 37 of the Cybersecurity Act.
[22] Section 14 of the Cybersecurity Act.
[23] Regulation 5 of the CII Regulations.
[24] Regulation 5 of the CII Regulations.
[25] An IT security incident means an event that involves a security breach, such as hacking of, intrusion into, or denial of service attack, on a critical system, or a system, which compromise the security, integrity or confidentiality of customer information.
[26] A relevant incident generally means a system malfunction or IT security system, which has a severe and widespread impact on the financial institution’s operations or materially impacts its services to its customers.
[27] Section 48O of the PDPA.
[28] Section 359 of the Criminal Procedure Code 2010.
[29] Section 24(2) of the Cybersecurity Act.