Singapore’s New Cyber Security Law (Part 2)

This is the second part of a two-part series about the state of cyber security in Singapore, the new cyber security law, and the need for companies to take action.

Singapore’s new cyber security law will be effective

On 5 February 2018, the Singapore Parliament passed the Cybersecurity Bill. The government intends that the new Act will complement the existing Computer Misuse and Cybersecurity Act, which will continue to govern cybercrime investigation.

Most observers felt that the new law did not impose an unreasonable burden on Singapore companies, while taking the necessary steps to increase security. “The Cybersecurity Act reflects the Singapore Government’s calibrated and balanced approach towards countenancing cybersecurity threats. The included amendments have attempted to strike a balance between the need for regulatory authorities to expeditiously designate, investigate, and receive information on critical information infrastructure and cybersecurity threats vis-à-vis the burdens imposed on companies and private individuals in the IT industry,” comments the Singapore office of law firm Baker & McKenzie.

Most observers feel the law will be effective, to some extent, at shoring up defences at the most important and mission-critical organisations. It does fall short of the EU’s GDPR in scope and application, but local experts feel that such prescriptions would not work in the country’s legal climate.

There are concerns, however, about the lack of checks and balances in the role of the Commissioner of Cybersecurity, a new position that the law creates, and in its use of criminal law to punish non-compliance in certain cases.

The new cyber security law

The new Act applies only to so-called “critical information infrastructure” (CII) in the country, and the Ministry for Communications and Information has made clear that companies classified as CII that comply with their obligations will not be held responsible for data breaches – although they have the obligation to report them promptly, as a report by the Singapore office of the law firm Pinsent Masons explains.

Terms of the new law include:

  • A new Commissioner of Cybersecurity in Singapore who will be tasked with selecting the specific organisations to designate as CII owners – companies have the right to appeal the selection;
  • CII owners will have the duty of reporting cyber security incidents to the Commissioner of Cybersecurity, and to disclose certain information to the commissioner regarding the “design, configuration and security” of the company;
  • Where there is suspicion of non-compliance by CIIs, Singapore authorities will have the right to investigate cyber security threats and incidents, and will take remedial action where necessary as well as imposing fines and other punishment where applicable;
  • CII owners will also need to undertake periodic cybersecurity audits and risk tests;
  • Disclosing information in an unauthorised manner about breaches may lead to punishment under criminal law.

In terms of reporting cyber security incidents, the key definition is that of “prescribed” events – these will be determined by the Commissioner.

Licensing for Cyber Security firms

A new licensing framework for providers of cybersecurity services will also be established under the new law, as the Singapore office of the law firm Baker & McKenzie explains in an article.

The number of licensing schemes has been reduced to one; the distinction between “investigative” and “non-investigative” cybersecurity services has been removed and replaced with a narrower concept of licensable services. Under the Cybersecurity Act, penetration testing and managed security operations centres (“SOC”) monitoring services now require licences to operate.

The Cybersecurity Act now clarifies that employees who are hired to provide cybersecurity services are no longer subject to licensing requirements. In other words, licensing is only compulsory for those in the business of providing cybersecurity services, whether they are individuals or corporate entities.

A company does not require a separate license if a related company already has such a license. “Related company” in the Act has the same meaning as the term in the Companies Act.

A licensee must now keep records for three years.

Industry concerns about the new law

Some Singapore experts do express concern about two aspects of the new law:

It seems unfair to single out specific workers in imposing punishment for breaches.

Criminal sanctions for offenses may be misdirected, comments Malwarebytes researcher William Tsing. No one should eschew responsibility, but breaches are rarely due to a single individual’s malfeasance, and much more often the end result of a sick corporate process. Fines imposed at the corporate level make more sense, and Singapore is able to impose the largest fines in Asia under the new legislation. It seems wrong to add an additional punishment for specific individuals as well. An ineffective company would feel the loss of profit much more acutely.

Then there is the issue of secrecy, Tsing continues. Many sections within the bill contain provisions for non-disclosure and corresponding fines and imprisonment for anyone speaking out about a breach in a non-approved way. In the past, however, transparency and sharing information have been important in joint efforts to control cyber crime.

“From a governance perspective, this makes sense. Singapore derives its authority to monitor critical infrastructure by classifying breaches as a security threat, and a classic belief of governments is that one does not speak publicly of security threats. Network threats are different. Configurations and applications used by a shipping company can have significant overlap with those used at non-critical corporations. Transparency and information sharing not only pressure a breached company to demonstrate an adequate remediation but also offer lessons learned that can keep hundreds of less critical organizations safe. Sunlight and sharing are proven methods for defenders to propagate best solutions to everyone,” he adds.

Diligent Governance Cloud provides support for company-wide security

Clearly, having a robust governance practice is the best way for Singapore companies to ensure they can both protect themselves from data breaches and can manage those that occur.

By managing cyber risk at the top, Diligent Governance Cloud enables the board to set an example across the organisation.

Governance Cloud is Diligent’s ecosystem of cloud-based governance tools that provides a complete solution to enable leading bodies of organizations to mitigate risk and collectively govern at the highest level.

Seasoned in the governance space, Diligent has been in the leading position in the market for more than 15 years, offering the industry’s leading, most secure and intuitive board management technology. Our deep customer insights and heavy investment in R&D have allowed us to expand our offering to support the full governance journey.

Whether you choose to start with only Diligent Boards™ or multiple, integrated tools, we are the only partner in the market you can grow with as your governance needs evolve.