Cybersecurity in Singapore: building resilience in the digital age
14 July 2022 | Applicable law: Singapore
In this age of digitalisation, the use of the Internet and technology has permeated our daily lives to the point that our economy, and even matters of national security, have become heavily reliant on the continuous availability of the Internet and technology. The recent COVID-19 pandemic further catalysed society's reliance, changing how we live, work and interact with one another.
As our society and economy become increasingly reliant on technology, we are faced with new kinds of security threats, in particular, threats against cybersecurity.
What is cybersecurity?
“Cybersecurity” is defined in the Cybersecurity Act 2018 (“Cybersecurity Act”) to mean the state in which a computer or computer system is protected from unauthorised access or attack, and because of that state
a) the computer or computer system continues to be available and operational;
b) the integrity of the computer or computer system is maintained; and
c) the integrity and confidentiality of information stored in, processed by or transmitted through the computer or computer system is maintained(1).
Accordingly, a cybersecurity threat arises where the cybersecurity of a computer or computer system is adversely affected or jeopardised.
Common cybersecurity attacks include malware, phishing scams, ransomware, website spoofing/defacement etc., which often result in data breaches, unauthorised access or unauthorised modifications to computer materials. A recent prominent example would be the phishing scams involving OCBC Bank, where hundreds of OCBC bank customers were affected, resulting in a reported loss of S$13.7 million(2).
In a report published by the Cyber Security Agency of Singapore on the Singapore cyber landscape(3), Singapore's cyber landscape saw an increase in cybercrime in 2020. Cybercriminals capitalised on the widespread panic and fear brought about by the COVID-19 pandemic to conduct phishing and ransomware attacks, as evidenced by the spikes in both ransomware and COVID-19-related phishing activities. Concurrently, the accelerated digitalisation to maintain business continuity during the Work from Home phases also came with increased cybersecurity challenges and threats.
Licensing and regulatory framework
The Cyber Security Agency of Singapore (“CSA”) was established in 2015 to keep Singapore’s cyberspace safe and secure, to underpin Singapore’s national security, power a digital economy, and protect a digital way of life. It is part of the Prime Minister’s Office and is managed by the Ministry of Communications and Information(4).
The Cybersecurity Act was introduced to provide a legal framework for the oversight and maintenance of national cybersecurity in Singapore. Its four key objectives are to:
- Strengthen the protection of critical information infrastructure(5) (“CII”) against cyberattacks;
- Authorise CSA to prevent and respond to cybersecurity threats and incidents;
- Establish a framework for sharing cybersecurity information; and
- Establish a licensing framework for cybersecurity service providers(6).
CSA has the authority to designate a computer system as a CII if it is satisfied that the computer system is necessary for the continuous delivery of an essential service, that the loss or compromise of it will have a debilitating effect on the availability of the essential service in Singapore, and that the system is located wholly or partially in Singapore(7).
Once designated, owners of CII computer systems must put in place cybersecurity measures to ensure that the systems are cyber resilient and protected against cyberattacks, and must comply with the Cybersecurity Code of Practice for Critical Information Infrastructure ("Code")(8). The Code specifies the minimum protection policies that a CII owner must implement to ensure the cybersecurity of its CII, and a CII owner is expected to take further measures beyond the minimum measures prescribed in the Code to strengthen the cybersecurity of its CII based on its risk profile(9).
In addition, with effect from 11 April 2022(10), cybersecurity service providers who provide licensable cybersecurity services are required to be licensed under the Cybersecurity Act(11). Licensable cybersecurity services cover(12) (a) penetration testing service and (b) managed security operations centre monitoring service. Service providers who offer or intend to offer both licensable cybersecurity services are required to submit separate licence applications and obtain a licence for each licensable cybersecurity service(13). Unless exempted, existing cybersecurity service providers who are already engaged in the business of providing either or both licensable cybersecurity services are given a transition period of six months to apply for a licence, failing which they will have to cease such operations until a licence is obtained. Available exemptions from the licensing regime include companies that provide licensable cybersecurity services solely to their related companies(14).
The CSA set up the Cybersecurity Services Regulation Office ("CSRO") on 11 April 2022 to administer the licensing framework for cybersecurity service providers; its functions include the enforcement of the licensing framework(15).
On 4 March 2022, CSA embarked on two new initiatives to enhance the cyber resilience of CII sectors and better secure Singapore's cyberspace, namely to (a) review the Cybersecurity Act to update it in line with the fast-changing digital world; and (b) update the Code for the CII sectors to deal with new and emerging threats(16).
Other relevant legislation
Computer Misuse Act
The Computer Misuse Act 1993 ("Computer Misuse Act") was introduced to secure computer material against unauthorised access or modification. It governs the investigation and prosecution of cybercrime perpetrators. This contrasts with the Cybersecurity Act, which plays a protective function, whereas the Computer Misuse Act plays an enforcement role(17). Generally, the Computer Misuse Act seeks to regulate and restrict certain illegal acts involving the use of computers and their contents and materials, such as unauthorised access or modification, access with intent to commit or facilitate the commission of an offence, and unauthorised use, interception, obstruction and disclosure. Breaches of the Computer Misuse Act constitute an offence which carries varying degrees of fines and imprisonment terms.
The Computer Misuse Act has extra-territorial effect(18) in that its provisions shall have effect on any person, regardless of the person's nationality or citizenship, or whether the person is in Singapore. If an offence under the Computer Misuse Act was committed outside Singapore, the offender may be dealt with as if the offence had been committed within Singapore if:
a) the offender was in Singapore at the material time;
b) for the offence in question(19), the computer, program or data was in Singapore at the material time; or
c) the offence causes, or creates a significant risk of serious harm in Singapore.
Personal Data Protection Act
The Personal Data Protection Act 2012 ("PDPA") is Singapore's seminal data protection legislation and governs the collection, use, disclosure and care of personal data. It protects individuals' rights over their personal data, and at the same time recognises the need of corporations to collect, use or disclose such data for legitimate and reasonable purposes. The PDPA requires all corporations that collect personal data to put in place measures for data protection, such as appointing a data protection officer and putting in place security arrangements to protect the personal data they hold from unauthorised access, collection, use or disclosure. The PDPA is administered by the Personal Data Protection Commission of Singapore(20).
Non-compliance may lead to financial penalties, civil liability or criminal liability. The Personal Data Protection Commission has broad powers to order organisations to comply with the provisions of the PDPA. If an organisation is found to be in breach of the PDPA, the Personal Data Protection Commission may require the organisation to (i) stop collecting, using or disclosing personal data in contravention of the PDPA; (ii) destroy personal data collected in contravention of the PDPA; (iii) provide access to or correct the personal data; and/or (iv) pay a financial penalty of up to S$1 million.
With effect from 1 October 2022, the maximum financial penalty that may be imposed on an organisation shall be 10% of the annual turnover of the organisation in Singapore (if such organisation’s annual turnover in Singapore exceeds S$10 million) or S$1 million, whichever is higher.
MAS guidelines on outsourcing
Aside from the above, the Monetary Authority of Singapore ("MAS") has also introduced the Guidelines on Outsourcing for financial institutions which outsource any of their functions or business activities to external service providers. While outsourcing functions and/or business activities may bring cost benefits to an institution, such outsourcing arrangements also increase the risk profile of the institution, owing to the reputational, compliance and operational risks that arise from a service provider's failure to provide the service, from breaches in security, or from the institution's inability to comply with legal and regulatory requirements.
As part of the due diligence and assessment of external service providers, one area of focus is the physical and IT security controls the service provider has in place, so as to prevent an impact on the financial institution in the event of a disruption of service or a breach of security and confidentiality resulting in the compromise of customer information.
These guidelines thus set out MAS' expectations of a financial institution that has in place an outsourcing arrangement or is planning to outsource its business activities to a service provider, and provide guidance on the risk management of such outsourcing arrangements(21).
The protection and maintenance of strong and robust cybersecurity systems are crucial not just to national security and economic concerns, but also to the everyday lives of individuals, especially in this digital age where so much of our lives are lived on the world wide web. Recognising this significance, the Singapore Government has put in place, and continues to develop, a comprehensive framework to protect its cyber landscape and deal with cybersecurity threats. However, defending against cyber threats is a never-ending endeavour, given the increasing sophistication and evolution of these threats. Our legislation must remain responsive and adaptable in order to deal with such cyber threats and challenges in a timely manner. In addition, as a preventive measure, improving the cyber and digital literacy of the general population will also help combat threats against cybersecurity, so that people as a whole become more aware of and are able to recognise and identify these threats and scams.
(1) Section 2 of the Cybersecurity Act
(3) Singapore Cyber Landscape (SCL) 2020 published by the Cyber Security Agency of Singapore
(4) Cyber Security Agency of Singapore, Who We Are, Our Organisation
(5) Critical Information Infrastructure comprises computer systems directly involved in the provision of essential services as identified in the First Schedule of the Cybersecurity Act, and these include services relating to energy, infocommunications, water, healthcare, banking and finance, security and emergency, aviation, land transport, maritime, media and government.
(6) Cybersecurity Act, as well as Overview of Legislations on Cybersecurity, Personal Data Protection & Computer Misuse
(7) Section 7 of the Cybersecurity Act
(8) Section 11 of the Cybersecurity Act and the Cybersecurity Code of Practice for Critical Information Infrastructure (https://www.csa.gov.sg/Legislation/Codes-of-Practice)
(9) Section 1.3 (Purpose of this Code) of the Cybersecurity Code of Practice for Critical Information Infrastructure (https://www.csa.gov.sg/Legislation/Codes-of-Practice)
(10) Cybersecurity Services Regulation Office, Apply for Licence, Note 3 (https://www.csro.gov.sg/how-to/apply-for-licence)
(11) Section 24 of the Cybersecurity Act
(12) Second Schedule of the Cybersecurity Act
(13) Cybersecurity Services Regulation Office, Apply for Licence, Note 2 (https://www.csro.gov.sg/how-to/apply-for-licence)
(14) Section 24(3) of the Cybersecurity Act
(15) CSA Kicks Off Licensing Framework for Cybersecurity Service Providers, 11 April 2022 (https://www.csa.gov.sg/News/Press-Releases/csa-kicks-off-licensing-framework-for-cybersecurity-service-providers)
(16) Review of the Cybersecurity Act and Update to the Cybersecurity Code of Practice for CIIs (https://www.csa.gov.sg/News/Press-Releases/review-of-the-cybersecurity-act-and-update-to-the-cybersecurity-code-of-practice-for-ciis)
(17) Computer Misuse Act, as well as Overview of Legislations on Cybersecurity, Personal Data Protection & Computer Misuse (https://www.csa.gov.sg/News/Publications/overview-of-legislations)
(18) Section 13 of the Computer Misuse Act
(19) Being any offence under sections 3 to 8 of the Computer Misuse Act
(20) Personal Data Protection Act, as well as Overview of Legislations on Cybersecurity, Personal Data Protection & Computer Misuse (https://www.csa.gov.sg/News/Publications/overview-of-legislations)
(21) MAS Guidelines on Outsourcing (https://www.mas.gov.sg/regulation/guidelines/guidelines-on-outsourcing)