Contributed By Drew & Napier LLC
Cybersecurity in Singapore is broadly regulated by a set of overlapping legislation that addresses the issues of national cybersecurity, cybercrimes and personal data protection and management. In addition, certain sectoral regulators are empowered to directly address cybersecurity issues in their respective sectors through the issuance of regulatory codes, guidelines, notices, and instruments.
Cybersecurity Act 2018 (Cybersecurity Act)
The Cybersecurity Act is the dedicated cybersecurity law which sets out the overarching framework for the oversight of national cybersecurity issues in Singapore, including the designation of computer systems as critical information infrastructure (CII) in essential sectors and co-ordinating the national response to cybersecurity incidents, amongst other things.
The Cybersecurity Act requires owners of critical information infrastructure to notify the Commissioner of Cybersecurity in the event of the occurrence of certain cybersecurity incidents related to their critical information infrastructure. In this regard, a cybersecurity incident refers to an act or activity carried out without lawful authority on or through a computer or computer system that jeopardises or adversely affects its cybersecurity or the cybersecurity of another computer or computer system.
Since 2022, the Cybersecurity Act provides for the licensing of certain cybersecurity service providers (CSPs). At present, this includes CSPs that provide penetration testing and managed SOC services.
Computer Misuse Act 1993 (CMA)
The CMA sets out the enforcement and penalty framework against perpetrators of cyber-related offences, such as the unauthorised access to and modification of computer material, unauthorised use or interception of a computer service, unauthorised obstruction of use of a computer and unauthorised disclosure of a password or access code. The CMA empowers the police and other government authorities to investigate and prosecute perpetrators of cybercrimes.
Personal Data Protection Act 2012 (PDPA)
The PDPA applies to all private sector organisations that collect, use, disclose or otherwise process personal data (both electronic and non-electronic data). Personal data is defined as data about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access.
As part of complying with the PDPA, organisations are required to make reasonable security arrangements (which may include technical and cybersecurity measures) to protect personal data in their possession or under their control to prevent (i) unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks; or (ii) the loss of any storage device or medium on which personal data is stored.
The PDPA also includes notification requirements in the event of a data breach, that is (i) the occurrence of unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data; or (ii) loss of any storage device or medium on which personal data is stored where unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data is likely to occur.
Public Sector (Governance) Act 2018 (PSGA)
Aside from the confidentiality and secrecy provisions found across various legislation, data protection and management in the public sector is also governed under the PSGA. The PSGA, which aims to strengthen public sector data governance, imposes criminal penalties on public officers who recklessly or intentionally disclose data without authorisation, misuse data for a gain or re-identify anonymised data. Specific data security policies are further set out in the Government Instruction Manual on IT Management.
Other Sectoral Frameworks
Two notable examples are in the telecommunications and banking and finance sectors.
Telecommunications
First, in the area of telecommunications, the telecoms and media regulator, the Info-communications Media Development Authority (IMDA), has published a Telecommunications Cybersecurity Code of Practice to enhance cybersecurity preparedness of designated telecommunication licensees such as internet service providers in Singapore. This Telecommunications Cybersecurity Code of Practice, which was formulated in line with international standards and best practices, including the ISO/IEC 27011 and IETF Best Current Practices, sets out requirements on security incident management and other controls to help licensees prevent, protect, detect and respond to cybersecurity threats.
Banking and finance
Second, the Singapore financial regulatory authority, the Monetary Authority of Singapore (MAS), has issued its Technology Risk Management (TRM) Guidelines (TRM Guidelines), which set out risk management principles and best practices to guide financial institutions (FIs) in establishing sound and robust technology risk governance and oversight, as well as in maintaining IT and cyber-resilience. In conjunction, the MAS has also issued legally binding Notices on TRM and Cyber Hygiene which give effect to some of the requirements in the TRM Guidelines. Please also see 2.5 Financial or Other Sectoral Regulators for further details.
Enforcement of the Cybersecurity Act
The regulatory authority responsible for the administration and enforcement of the Cybersecurity Act is the Cyber Security Agency of Singapore (CSA). The CSA is led by the Commissioner of Cybersecurity (Commissioner). The Minister for Communications and Information (as the Minister-in-charge of cybersecurity) may appoint Assistant Commissioners from sectoral regulators who understand the unique context and complexity of their respective sectors to advise and assist the Commissioner on the co-ordination of cybersecurity efforts.
Under the Cybersecurity Act, the Commissioner’s functions and duties include, but are not limited to:
In general, the Cybersecurity Act applies to any computer or computer system located wholly or partly in Singapore which may be designated as CII. The Commissioner may confer such a designation when they are satisfied that the computer or computer systems are necessary for the continuous delivery of an essential service, and the loss or compromise of such systems will have a debilitating effect on the availability of the essential service in Singapore.
A new Cybersecurity Services Regulation Office was set up within the CSA in 2022 to administer the framework for licensing of CSPs under the Cybersecurity Act.
Currently, the Singapore Government has gazetted a list of 11 sectors in which there may be essential services (ie, services that are essential to national security, defence, foreign relations, the economy, public health, public safety or the public order of Singapore). The 11 sectors include: energy; info-communications; media; water; healthcare; banking and finance; security and emergency services; aviation; land transport; maritime; and services relating to the functioning of the government.
Generally, owners of CII are required to comply with a set of general duties, such as:
In addition to the above, the Commissioner has broad powers to investigate and prevent cybersecurity threats or incidents, including making requests for information to be provided or, in serious cases, direct remedial measures to be taken by any person (including those who are not owners of CII).
Enforcement of the PDPA
The Personal Data Protection Commission (PDPC) is Singapore’s data protection authority. The PDPC, which is under the purview of the Ministry of Communications and Information (MCI), was established in January 2013 and tasked with enforcing and administering the PDPA. With effect from 1 October 2016, the PDPC was merged into the then newly formed IMDA and IMDA was designated as the PDPC. The PDPC is led by the Commissioner for Personal Data Protection.
The PDPA broadly applies to private sector organisations, whether or not formed or recognised under the laws of Singapore or resident or having an office or a place of business in Singapore. As such, foreign businesses that carry out activities involving personal data in Singapore may be subject to the data protection provisions under the PDPA. In terms of notable exclusions, the PDPA does not apply to individuals acting in a personal or domestic capacity, employees acting in the course of their employment with an organisation, and public agencies.
The PDPA confers powers on the PDPC to enforce the PDPA, which include powers relating to:
Please refer to 1.3 Administration and Enforcement Process for further details.
Investigations Under the PDPA
The PDPC is empowered to carry out an investigation to determine whether an organisation or person is complying with the PDPA and to direct that organisation or person to take the appropriate action to ensure its compliance, or to pay a financial penalty. The PDPC may commence an investigation if it believes that one is warranted based on the information it has obtained, whether through a complaint or from any other source. While the PDPC generally has regard to a wide range of factors in deciding whether to conduct an investigation, investigations are typically warranted for incidents with high impact and where facilitation or mediation is inappropriate in the circumstances (eg, for a data breach on a large scale or where there has been significant harm caused to individuals).
The PDPC’s powers of investigation are set out in the Ninth Schedule to the PDPA. Broadly speaking, these powers enable the PDPC to:
Where the PDPC is satisfied that there has been a contravention of the PDPA, it is empowered to issue such remedial directions as it thinks fit to the offending organisation, including directions requiring the organisation to pay a financial penalty.
Under Section 48J of the PDPA, the PDPC is empowered to impose a financial penalty on organisations in breach of the data protection provisions in the PDPA of (i) up to a maximum of 10% of the organisation’s annual turnover in Singapore (where the annual turnover exceeds SGD10 million), or (ii) up to SGD1 million, in any other case.
Appeal process
Any organisation or individual who is aggrieved by the PDPC’s decision or direction may submit an application to the PDPC to reconsider its decision or direction. Thereafter, such organisation or individual may submit an appeal following the reconsideration application to the Data Protection Appeal Panel. Alternatively, an aggrieved organisation or individual may, instead of submitting a reconsideration request, appeal directly to the Data Protection Appeal Panel. Reconsideration applications and appeal requests must be made within 28 days after the PDPC has issued the relevant direction or decision.
Decisions by the Data Protection Appeal Panel can only be appealed to the High Court on limited grounds, namely, on a point of law or as to the amount of a financial penalty, and any further appeal of a decision of the High Court must be made in accordance with the Rules of Court.
Criminal penalties
Criminal penalties may also be attracted where individuals or organisations obstruct or impede the PDPC, its inspectors or other authorised officers in the exercise of their powers or performance of their duties under the PDPA, or where they knowingly or recklessly make false or misleading statements to the PDPC, or knowingly mislead or attempt to mislead the PDPC, in the course of the PDPC’s performance of its duties or exercise of its powers under the PDPA.
Undertaking
Section 48L of the PDPA allows the PDPC to accept, at its discretion, an undertaking from an organisation where the PDPC has reasonable grounds to believe that the organisation has not complied with the data protection requirements of the PDPA. Such undertakings typically include one or more undertakings by the organisation to take the specified action (or refrain from taking the specified action) in order to comply with the PDPA. The PDPC may accept such an undertaking in lieu of further investigations or enforcement action in respect of the organisation’s contravention of the PDPA. However, if the organisation subsequently fails to comply with its undertaking to the PDPC, the PDPC may investigate and take enforcement action under the PDPA in respect of such non-compliance.
Investigations Under the Cybersecurity Act
The Commissioner has broad powers under Sections 19 and 20 of the Cybersecurity Act to investigate and prevent cybersecurity incidents and “serious” cybersecurity incidents respectively. Broadly, these include powers to require persons to attend interviews, require the production of relevant information (such as physical or electronic records, or documents that are in the possession of that person), carry out questioning, give directions to carry out remedial measures or cease activities, require assistance with investigations, enter premises, access and inspect computer systems, among others.
It is an offence for any person to fail, without reasonable excuse, to co-operate with the CSA, and such persons are liable on conviction to the fines, terms of imprisonment or both set out in the relevant statutory provisions.
Separately, the Singapore Police Force and the Ministry of Home Affairs are empowered under the CMA to investigate and prosecute perpetrators of cybercrime. Under the CMA, law enforcement authorities have extraterritorial jurisdiction to collaborate with foreign enforcement authorities to initiate investigations against cybercrimes committed by offenders located overseas if such offences cause, or create a significant risk of, serious harm to Singapore.
In terms of co-ordination on cybersecurity issues at the multilateral level, Singapore works closely with INTERPOL, the Association of Southeast Asian Nations (ASEAN) Cybercrime Operations Desk, and the Asia Pacific Computer Emergency Response Team (APCERT) to address the growing cyberthreats in the region.
The sharing of information helps improve cybersecurity as timely information assists in the identification of vulnerabilities and cybersecurity threats. The Cybersecurity Act allows the Commissioner to request specific information from CII owners both outside and during investigations of cybersecurity threats and incidents. The CSA may also share information on cybersecurity threats and vulnerabilities (eg, technical indicators or signatures of the cyberthreat and contextual cyberthreat assessments) with the owners of CII so that appropriate action may be taken. Please refer to 7.1 Required or Authorised Sharing of Cybersecurity Information.
Beyond the Cybersecurity Act, government authorities are making efforts to implement administrative arrangements and partnerships to facilitate and encourage information sharing. For example, the MAS has collaborated with the Financial Services Information Sharing and Analysis Center (FS-ISAC), a global cyber-intelligence sharing industry consortium for FIs, to set up the FS-ISAC Asia Pacific Regional Analysis Centre in Singapore for the purpose of sharing information on cybersecurity threats and incidents among FIs.
In terms of sharing information with the public, the Singapore Computer Emergency Response Team (SingCERT), which is part of the CSA, routinely issues cybersecurity and cyberhygiene advisories and alerts. SingCERT also works with the sectoral regulators to issue relevant alerts and advisories to industry players and to inform companies and affected individuals on cybersecurity threats and incidents.
In terms of the regulatory landscape, cybersecurity in Singapore is primarily regulated by an overlapping set of baseline laws, which are supplemented by sector-specific laws and regulations (eg, in the areas of telecommunications and banking and finance).
With regard to the features of the main legislation, while the Cybersecurity Act does not expressly provide for emergency or crisis powers or specific provisions concerning international conduct (eg, harmonisation with other countries’ laws or a mandate for international engagement), it comprehensively addresses three main cybersecurity areas (ie, standards setting, information sharing and incident management). The new licensing framework for CSPs is currently unique to Singapore.
2020/2021 Amendments to the PDPA
On 2 November 2020, the Singapore Parliament passed the Personal Data Protection (Amendment) Act (the “Amendment Act”), following the first comprehensive review of the PDPA since its enactment in 2012. Most of the provisions of the Amendment Act, including data breach notification requirements under Part 6A of the PDPA, came into effect on 1 February 2021.
On 1 October 2022, the Amendment Act’s provisions increasing the maximum financial penalty payable under the PDPA came into effect. From that date, the maximum financial penalty which may be imposed on an organisation for a contravention of the PDPA (which does not amount to a criminal offence) is 10% of the annual turnover of the organisation in Singapore. As of 1 February 2024, the Amendment Act’s provisions relating to a new data portability obligation under the PDPA have yet to come into force.
Launch of Cloud Security Companion Guides for Organisations
On 17 October 2023, the CSA and Cloud Security Alliance launched two Cloud Security Companion Guides to support Cyber Essentials and Cyber Trust, which are national cybersecurity standards developed by the CSA. The companion guides address one of the common areas of confusion when organisations use the cloud – the division of responsibility between themselves as cloud users and that of their cloud providers. As such, the guides provide advisories for cloud customers, including small and medium-sized enterprises (SMEs), to better understand their cloud-specific risks and responsibilities, as well as the necessary steps to take.
The companion guide for Cyber Essentials, targeted at SMEs, uses a shared responsibility model to help organisations to understand what they and their providers each need to take care of to secure the cloud environment.
The companion guide for Cyber Trust, targeted at larger or more digitalised organisations, maps each of the cybersecurity preparedness domains in the Cyber Trust mark, such as cyber governance and oversight and cyber education, to the framework published by the Cloud Security Alliance.
Online Criminal Harms Act 2023 (OCHA)
On 5 July 2023, the Online Criminal Harms Bill was passed in Parliament. Once in force, the OCHA will enable authorities to deal more effectively with online activities that are criminal in nature.
The OCHA will allow the government to issue directions to any online service through which criminal activities could be conducted, and will be applicable to criminal offences specified in the First Schedule of the Act, such as offences under the CMA. Directions that may be issued include directions to online service providers to stop an account on their service from communicating in Singapore, directions to block access to an online location from the view of people in Singapore, and directions to app stores to remove an app from their Singapore storefronts.
Additionally, the OCHA will allow directions to be issued when it is suspected that any website, online account, or online activity may be used for scams or malicious cyber activities.
The OCHA also creates a framework to strengthen partnerships with online services to counter scams and malicious cyber activities. Under this framework, the government can require designated online services to proactively disrupt scams and malicious cyber activities affecting people in Singapore.
The OCHA has yet to come into operation at the time of writing of this Guide.
Proposed Amendments to the Cybersecurity Act
On 15 December 2023, the CSA launched a public consultation to seek feedback on the Cybersecurity (Amendment) Bill. The bill seeks to introduce several key changes to the Cybersecurity Act.
Among the proposed changes is the introduction of the new category of “non-provider-owned CII”. Essential service providers who utilise CIIs not owned by them will be required to obtain legally binding commitments from their computing vendors to meet their obligations under the Cybersecurity Act.
For existing provider-owned CII, the bill seeks to widen incident reporting requirements. The types of incidents to be reported to the Commissioner include: (i) prescribed cybersecurity incidents in respect of any other computer or computer system under the owner’s control that does not fall within Section 14(1)(b) of the Cybersecurity Act; and (ii) prescribed cybersecurity incidents in respect of any computers or computer systems under the control of a supplier to the owner that is interconnected or communicates with the provider-owned CII.
The bill also increases the scope of the Cybersecurity Act by introducing three new categories of systems subject to the CSA’s powers: Foundational Digital Infrastructure (FDI), Entities of Special Cybersecurity Interest (ESCI), and Systems of Temporary Cybersecurity Concern (STCC).
FDI is digital infrastructure that provides infrastructural services of a foundational nature. Examples of FDI include cloud computing and data facility services that are integral to the functioning of Singapore’s technological stacks.
ESCI are entities that are particularly attractive targets for malicious threat actors seeking to compromise a state, because of the sensitive data that they possess or the function that they perform. ESCI include systems that, if compromised, could have a significant detrimental effect on the defence, foreign relations, economy, public health, public safety, or public order of Singapore.
STCC are computers or computer systems that are critical to Singapore for a time-limited period and, for that period, are at high risk of cyber-attacks. Examples include systems that are set up specifically to support high-profile international events in Singapore (eg, the World Economic Forum), or systems set up to support the distribution of vaccines during the COVID-19 pandemic.
By introducing these new categories, the CSA aims to fulfil the policy objectives of enhancing the CSA’s situational awareness of the cybersecurity threats and incidents targeting these systems and ensuring that appropriate cybersecurity measures are taken to secure them.
These new categories of systems are generally required to comply with the same duties and obligations imposed on traditional CII providers. Such duties include duties to: (i) provide the Commissioner with information on the system; (ii) comply with such codes of practice, standards of performance or written directions in relation to the system as may be issued by the Commissioner; and (iii) notify the Commissioner of prescribed cybersecurity incidents.
The amendments to the Cybersecurity Act have not been enacted at the time of writing of this Guide.
Please refer to 1.1 Laws for further details.
Please refer to 1.2 Regulators for a discussion of the roles of the CSA and the PDPC.
Please refer to 1.2 Regulators, 1.3 Administration and Enforcement Process and 1.5 Information Sharing Organisations and Government Cybersecurity Assistance for a discussion of the role of the CSA.
Please refer to 1.2 Regulators and 1.3 Administration and Enforcement Process for a discussion of the role of the PDPC.
In the banking and finance sector, the MAS has issued a set of legally binding Notices on TRM and Cyber Hygiene which apply to FIs (eg, banks, insurers, capital markets services licence holders, operators, and settlement institutions of designated payment systems). These Notices impose obligations on FIs to enhance information security and mitigate the growing risks of cyberthreats.
The TRM Notices include requirements to:
The Notices on Cyber Hygiene include requirements to:
Please refer to 1.5 Information Sharing Organisations and Government Cybersecurity Assistance.
While there are no prescribed cybersecurity standards in the relevant legislation, there are several frameworks which touch on cybersecurity and data protection. For example, in the realm of data protection, the PDPC, in its Advisory Guidelines on the PDPA for Selected Topics (the “Selected Topics Guidelines”), refers to industry standards in the chapter on cloud services (see Chapter 8 of the Selected Topics Guidelines). Under the PDPA, cloud service providers in Singapore must put in place reasonable security arrangements when they process personal data for or on behalf of another organisation.
In this regard, the ISO/IEC 27001 and Tier 3 of the Multi-Tiered Cloud Security (MTCS) Certification Scheme could provide assurance of the cloud service providers’ ability to comply with the protection obligation under the PDPA. The MTCS Certification Scheme was established in conjunction with the MTCS Standard for Singapore, which covers multiple tiers of cloud security and is the de facto standard for the cloud industry in Singapore. Please see 11.1 Further Considerations Regarding Cybersecurity Regulation for more details.
In the realm of data protection, Singapore joined the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules System and Privacy Recognition for Processors System in 2019, which are accountability-based and enforceable certifications developed by APEC economies for cross-border transfers of personal data.
Please also refer to 4.5 Internet of Things (IoT), Software, Supply Chain, Other Data or Systems for the international benchmarks used for the Cybersecurity Labelling Scheme developed by the CSA.
Please refer to 3.3 Legal Requirements and Specific Security Practices for more details on technical security arrangements in the personal data context.
PDPA Obligations
In the context of personal data protection, organisations are required to, amongst other things, put in place data protection policies and practices to ensure and demonstrate compliance with their obligations under the PDPA. Specifically, these requirements include:
Additionally, under the protection obligation (Section 24 of the PDPA), an organisation is required to make reasonable security arrangements to protect personal data in their possession or under their control in order to prevent (i) unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks; and (ii) the loss of any storage medium or device on which personal data is stored.
PDPC Recommendations
The PDPC has issued several guidelines and guides which provide details on technical security arrangements. For example, the PDPC’s Guide to Securing Personal Data in Electronic Medium provides a checklist of good practices in relation to areas such as:
Similarly, the PDPC’s Guide to Data Protection by Design for Information and Communications Technology (ICT) Systems also sets out a list of good practices including:
In mid-2021, the PDPC released a new handbook: How to Guard Against Common Types of Data Breaches. This handbook is based on past data breach cases handled by the PDPC and identifies the five most common gaps in ICT system management and processes. In 2022, the PDPC released an updated handbook: Guide to Basic Anonymisation. It updated the previous guide, established a new five-step process focusing on k-anonymisation, and was complemented by a free, simple Excel-based anonymisation tool. The PDPC also launched a new web page on Data Protection Practices for ICT Systems, which brought together various guides and resources on guarding against data breaches and establishing good data protection practices for ICT systems.
Please also refer to 2.5 Financial or Other Sectoral Regulators for a summary of the cybersecurity frameworks applicable to FIs.
Singapore is a member of the Association of Southeast Asian Nations (ASEAN).
ASEAN Cyber Capacity Programme
In 2016, the ASEAN Cyber Capacity Programme (ACCP) was launched to enhance the regional ability to respond to the evolving cyberthreat landscape and to build a secure and resilient ASEAN cyberspace. The ACCP is supplemented by the ASEAN-Singapore Cybersecurity Centre of Excellence, which aims to build capacity for ASEAN senior policy and technical officials with decision-making responsibilities.
ASEAN Data Management Framework
In January 2021, the ASEAN Member States approved the ASEAN Data Management Framework (DMF), and the Model Contractual Clauses for Cross Border Data Flows (MCCs), which are resources and tools for ASEAN businesses to utilise in their data-related business operations. In summary, the DMF provides a common data protection framework for business on good data management practices and best practices, while the MCCs are a set of template contractual terms and conditions that may be included in the binding legal agreements between parties transferring personal data to each other across borders.
In May 2023, the Joint Guide to ASEAN MCCs and EU Standard Contractual Clauses (SCCs) was launched. The Joint Guide provides a comparison between ASEAN MCCs and SCCs for organisations looking to transfer or receive consumer data from overseas partners. Companies already familiar with the ASEAN MCCs can use the Joint Guide as a reference in their contractual negotiations on data transfers with their EU business partners.
Please refer to 3.3 Legal Requirements and Specific Security Practices.
Please refer to 2.5 Financial or Other Sectoral Regulators and 3.3 Legal Requirements and Specific Security Practices for more details on technical security arrangements.
CII is regulated under the Cybersecurity Act. Please see 1.2 Regulators for more details on designation of CII in essential sectors and the obligations imposed on CII owners. Amongst other things, owners of CII are required to conduct cybersecurity audits and risk assessments of their respective CII and adhere to codes of practice issued by the CSA.
The Cybersecurity Code of Practice for Critical Information Infrastructure (the “CII Cybersecurity Code”) requires owners of CII to put in place security baseline configuration standards for all operating systems, applications and network devices of a piece of CII that is commensurate with the cybersecurity risk profile of that CII. The security baseline configuration standards address the following security principles:
In November 2014, the CSA released a guidance note for organisations in response to the growing number of distributed denial-of-service (DDoS) attacks. Some of the recommended mitigation strategies to prevent a DDoS attack relate to:
On 3 March 2020, the MCI introduced the Cybersecurity Labelling Scheme (CLS) as part of Singapore’s Safer Cyberspace Masterplan 2020. The CLS was formally launched on 7 October 2020, initially as a voluntary scheme for Wi-Fi routers and smart home hubs, and was subsequently expanded on 21 January 2021 to include all smart home devices.
The CLS provides different cybersecurity rating levels for registered IoT devices and other smart devices to help consumers easily assess the level of security offered and make informed choices in purchasing a device. A Level 1 certification indicates that the product meets basic security requirements such as ensuring unique default passwords and providing software updates, whilst a Level 4 certification indicates that the product has undergone structured penetration tests by approved third-party test labs and fulfilled the requirements of all lower levels (ie, Levels 1, 2 and 3).
Manufacturers applying for CLS are required to have an open vulnerability report and management channel, and to update their software in a timely manner. When a product is found to not satisfy the requirements declared, the CSA will request that the manufacturer undertake rectification measures, or have the label reviewed or removed.
The introduction of the CLS is part of the national drive to improve IoT security, raise overall cyber hygiene levels and better secure Singapore’s cyberspace. In terms of international benchmarks, the CLS takes reference from the ETSI EN 303 645 Cyber Security for Consumer Internet of Things: Baseline Requirements. Users seeking higher security assurance for industrial use (eg, enterprise, manufacturing, industrial or healthcare use) are strongly recommended to consider devices certified under formal evaluation and certification schemes such as the Singapore Common Criteria Scheme. Please see 11.1 Further Considerations Regarding Cybersecurity Regulation for more details.
In 2022, the CLS scheme was expanded to include medical devices. Please see 5.4 Security Requirements for Medical Devices.
Additionally, where the IoT device involves the collection, use, disclosure, or processing of personal data, the relevant organisation must ensure it complies with the protection obligation under Section 24 of the PDPA.
To date, there are no legal or regulatory requirements specifically relating to ransomware attacks. As noted in 5. Data Breach or Cybersecurity Event Reporting and Notification, there are data breach notification requirements under the PDPA and the Cybersecurity Act. These may cover ransomware attacks leading to a data breach.
In October 2022, the Singapore government established an inter-agency Counter Ransomware Task Force (CRTF) to develop and make recommendations on possible policies, operational plans and capabilities to improve Singapore’s counter-ransomware efforts. The CRTF published its initial report in November 2022 on the growing ransomware threat in Singapore. In this report, the CRTF noted and concurred with the Singapore government’s national position that payment of ransoms to ransomware attackers is strongly discouraged. More generally, payment of a ransom may, depending on the circumstances, contravene other laws such as the Terrorism (Suppression of Financing) Act 2002.
Response and Management of Data Breach Incidents
A “data breach” in relation to personal data is defined in the PDPA to mean:
With effect from 1 February 2021, a mandatory data breach notification regime has been introduced into the PDPA.
Where an organisation has reason to believe that a data breach affecting personal data in its possession or control has occurred, it must conduct an assessment of whether the data breach is a “notifiable data breach” in a reasonable and expeditious manner.
A data breach is a “notifiable data breach” if the data breach (i) results in, or is likely to result in, significant harm to an affected individual; or (ii) is, or is likely to be, on a significant scale (ie, affecting at least 500 persons).
According to the Personal Data Protection (Notification of Data Breaches) Regulations 2021 (the “Data Breach Regulations”), a data breach is deemed to result in significant harm to an individual if the data breach relates to the following.
Notification to the PDPC
Upon assessing that the data breach is a “notifiable data breach”, the organisation must notify the PDPC in the prescribed form and manner as soon as practicable but no later than three calendar days after assessment. This notification to the PDPC must contain all the relevant information of the data breach to the best of the knowledge and belief of the organisation.
Notification to affected individuals
Upon notifying the PDPC, the organisation must also notify each individual affected by the data breach, unless an exception applies. An organisation does not need to notify affected individuals in two circumstances:
Notification to the primary organisation
Where a data intermediary processing personal data on behalf of another organisation has reason to believe a data breach has occurred, it must, without undue delay, notify the primary organisation.
Management of Cybersecurity Incidents
Under the Cybersecurity (Critical Information Infrastructure) Regulations 2018, cybersecurity incidents that must be reported to the Commissioner include:
Please refer to 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event for more details.
Depending on the type of medical device, the relevant regulators may include the Health Sciences Authority, the National Environment Agency and the IMDA. Where applicable, healthcare providers must also comply with the National Telemedicine Guidelines, which include data protection and security requirements. In so far as a medical device is used by an organisation to collect personal data (eg, device test results are uploaded onto a server owned by the organisation), the organisation must comply with the protection obligation under the PDPA.
In October 2022, the Cybersecurity Labelling Scheme for Medical Devices (CLSMD) was launched. Under this voluntary scheme (which is in the sandbox phase at the time of writing of this Guide), medical devices are rated according to four levels of cybersecurity provisions and assessments, and the cybersecurity label for medical devices would provide an indication of the level of security in medical devices. The label aims to improve security awareness by making the cybersecurity provisions of medical devices more transparent to healthcare users, thereby empowering them to make more informed purchasing decisions.
The CLSMD applies to medical devices as described in the First Schedule of the Health Products Act 2007 that have any of the following characteristics:
The CSA launched the Operational Technology (OT) Cybersecurity Masterplan 2019 to consolidate and guide the development of OT cybersecurity initiatives in Singapore, to address key challenges faced by OT stakeholders from the public and private sectors and to mitigate emerging threat vectors. The OT Cybersecurity Masterplan 2019, which highlighted the security of Industrial Control Systems, acknowledged that effective management of OT cybersecurity requires a team of skilled defenders comprising both engineers and IT analysts, covering the entire cycle of cyber protection, threat detection, incident response and system recovery.
All CII sectors with OT systems must develop or have in place sectoral security operations centres (SOCs) that are suited to their respective operating environments. In terms of incident detection and reporting, the SOCs oversee, monitor, and co-ordinate cybersecurity efforts between government agencies, the CSA and CII owners.
In October 2021, the CSA launched the Operational Technology Cybersecurity Competency Framework (OTCCF) to provide the foundation to attract and develop talent for the emerging OT cybersecurity sector in Singapore.
On 22 August 2023, the CSA announced the signing of a three-year Memorandum of Understanding (MOU) with Dragos, Inc. covering information-sharing, capacity and capability-building for Operational Technology cybersecurity to help Singapore defend against cyber-attacks. This MOU will also provide CII sectors with access to expert knowledge and opportunities for local cybersecurity companies to work collaboratively with Dragos, Inc.
Please refer to 4.5 Internet of Things (IoT), Software, Supply Chain, Other Data or Systems for more details on the CLS and the cybersecurity rating levels for IoT devices.
The CSA’s Security-by-Design Framework was established to guide systems developers, administrators and security professionals responsible for the planning, implementation, maintenance, monitoring and disposal of their organisations’ systems, as well as CII owners, among others, in incorporating security into their systems development life cycle (SDLC) processes through a structured approach. Security by design is an approach that seeks to minimise system vulnerabilities and attack surfaces by designing and building security into each phase of the SDLC. It applies to both Waterfall and Agile SDLC models.
The CSA has published a Security-by-Design Framework Checklist to aid with the implementation of the Framework. It should be noted that under the Cybersecurity Code of Practice for Critical Information Infrastructure, CII owners are required to adopt the Security-by-Design Framework to the extent that it applies to the CII’s system development life cycle.
Although data protection by design is not expressly mandated under the PDPA, the PDPC has issued a Guide to Data Protection by Design for ICT Systems (updated on 14 September 2021). This guide sets out various good data protection by design principles for designing and building ICT systems. This guide also addresses the application of these principles in software development and has been a key component in the broader context of data protection practices for ICT systems since 2022.
The Monetary Authority of Singapore also published its Technology Risk Management Guidelines in January 2021 in which it stated that financial institutions should establish a security by design framework.
Please refer to 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event for more information on the reporting triggers.
Please refer to 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event for more information on the reporting thresholds.
The CII Cybersecurity Code sets out the following protection requirements that owners of CII need to put in place.
Please refer to 3.3 Legal Requirements and Specific Security Practices for more details on technical security arrangements in the personal data context.
In terms of broad focus and application, the Cybersecurity Act addresses national cybersecurity issues and protects computers and computer systems in Singapore by imposing obligations on owners of CII. In contrast, the PDPA seeks to protect consumers and individuals by imposing obligations on private sector organisations that collect, use, disclose or otherwise process personal data.
In terms of reach, the Cybersecurity Act empowers the Commissioner to conduct investigations into cybersecurity incidents in respect of computer systems, including those that are not CII. In comparison, the protection obligation under the PDPA is a general obligation imposed on organisations to implement reasonable security measures to protect personal data (both electronic and non-electronic) in their possession or under their control. This protection obligation extends beyond cybersecurity and technical measures to also encompass administrative, organisational and physical measures.
CII owners are required under the CII Cybersecurity Code to establish procedures to share information on any cybersecurity incidents and cybersecurity threats in respect of their CII, and any mitigation measures taken in response to such incidents or threats. This information should be shared with persons affected or potentially affected by the cybersecurity incident or cybersecurity threat (eg, users of the CII, contractors providing services to the CII and owners of computers or computer systems which are required to be connected to the CII) so that they can take the necessary protection measures.
In addition, Section 10 of the Cybersecurity Act confers broad powers on the Commissioner to issue notices requiring CII owners to furnish information including:
The Cybersecurity (Critical Information Infrastructure) Regulations 2018 elaborate further on the detailed categories of information that may be required. These include, amongst others, network diagrams, component details and types of data processed.
Please also refer to 1.3 Administration and Enforcement Process for further details on information sharing required in the context of investigations conducted by the CSA.
For entities operating in the telecommunications sector, the IMDA has published a Cyber Security Vulnerability Reporting Guide aimed at facilitating and encouraging the reporting of cybersecurity vulnerabilities detected by the cybersecurity research community in public-facing applications and networks of telecommunications service providers. These would include internet access and mobile and fixed-line voice/data service providers, amongst others. Please also refer to 1.5 Information Sharing Organisations and Government Cybersecurity Assistance for more details on information sharing.
As at the time of publication of this Guide, there are no published decisions on enforcement action taken against CII owners under the Cybersecurity Act. In contrast, the PDPC actively enforces the data protection provisions of the PDPA and has published over 200 decisions to date, with a significant percentage of these decisions relating to breaches of the protection obligation.
Notably, in 2018, Singapore experienced one of its most serious data breaches, which involved hackers infiltrating the databases of Singapore Health Services Pte Ltd (SingHealth), a major public healthcare group in Singapore. The data breach resulted in the personal data and medical records of some 1.5 million patients being compromised, including those of Singapore’s Prime Minister. The PDPC took enforcement action against SingHealth and its IT services provider, Integrated Health Information Systems Pte Ltd (IHiS), for failing to put in place reasonable security measures to protect personal data in their possession and control (Re Singapore Health Services Pte Ltd & Ors [2019] SGPDPC 3). Financial penalties of SGD250,000 and SGD750,000 were imposed on SingHealth and IHiS respectively.
Please refer to 8.1 Regulatory Enforcement or Litigation.
The Cybersecurity Act provides for a range of offences and penalties relating to failure to comply with cybersecurity obligations. These include:
Generally, the above-mentioned offences are punishable upon conviction with a fine, imprisonment, or both.
Please refer to 1.3 Administration and Enforcement Process for details on the enforcement by the PDPC in the data protection context.
The case of IP Investment Management Pte Ltd and others v Alex Bellingham [2019] SGDC 207 is notable for being Singapore’s first reported instance of private litigation initiated pursuant to the right of private action conferred under Section 48O of the PDPA. In that case, the first and second plaintiffs were related corporate entities engaged in a fund management business. The third plaintiff, a natural person, was an investor in a fund which was marketed to him by the defendant during the defendant’s former employment with the second plaintiff. After joining another investment company, the defendant sent emails to the third plaintiff’s personal email address soliciting business.
The District Court found in favour of the third plaintiff that the defendant had breached the consent obligation and purpose limitation obligation, and granted an order enjoining the defendant from using, disclosing or communicating the third plaintiff’s personal data, and also requiring the defendant to deliver up any copies thereof. Significantly, the court recognised that the third plaintiff had suffered loss and damage as a result of the misuse of his personal information (though it did not elaborate on the specific type of loss or damage required under the PDPA). Additionally, this case clarified that corporate entities have no standing to bring a claim in their own name pursuant to the right of private action in the PDPA.
The District Court’s decision was appealed by the defendant and the High Court initially found (in [2021] SGHC 125) in his favour, deciding that the third plaintiff had not suffered loss or damage within the meaning of the PDPA. This was appealed by the third plaintiff to the Court of Appeal, which allowed his appeal (in [2022] SGCA 60). In its decision, the Court of Appeal decided that, adopting a purposive interpretation, emotional distress can be the basis of a private action under the PDPA. As this point had not been disputed on the facts of the case, the court allowed the appellant’s (third plaintiff’s) appeal.
Generally, representative actions are a relatively rare occurrence in Singapore. In terms of the procedural framework, large group or collective actions may be brought through the representative action process under Order 4, Rule 6 of the Rules of Court 2021 in so far as all members of the class have been identified (ie, no unnamed claimants), have the “same interest” in the proceedings, and have agreed to the appointment of a representative.
Cybersecurity governance is increasingly of concern to companies’ boards of directors. While there are no general requirements that have been mandated for all companies’ boards in Singapore, requirements have been established under the Cybersecurity Act in relation to the boards of companies designated as providers of critical information infrastructure. In particular, such companies are required to comply with the CII Cybersecurity Code issued under the Cybersecurity Act. The CII Cybersecurity Code includes a section on governance requirements which provides for the following (amongst other requirements):
There is no prescribed due diligence framework for assessing cybersecurity risks. Nonetheless, cybersecurity risks should be carefully considered in any transaction in order to mitigate business, investor and consumer risks potentially arising from regulatory enforcement action, private litigation, reputational damage and loss of goodwill.
Some of the issues that merit a purchaser’s consideration in the conduct of cybersecurity due diligence include the following:
At present, non-cybersecurity-specific laws generally do not specifically mandate disclosure of an organisation’s cybersecurity risk profile or experience. However, it should be borne in mind that various sector-specific regulations may apply.
Cybersecurity and data protection concerns have continued to grow in importance and attract increasing scrutiny by regulators. The COVID-19 pandemic has further accelerated this trend, as companies increasingly shift to conducting business online and employees continue to work from home or shift to flexible working arrangements.
The highly interconnected nature of Singapore’s economy means that issues pertaining to the cross-border enforcement and prevention of cybercrime activities are likely to remain a significant challenge for some time. In this regard, the CSA has indicated its intention to work closely with its foreign counterparts through avenues such as information-sharing arrangements for the facilitation of cybersecurity investigations, and collaborations on cybersecurity capacity building. To this end, Singapore has signed various memorandums of understanding and other agreements with foreign governments to enhance cybersecurity co-operation. These countries include the USA, the UK, Australia, Canada, France, India, Korea, Japan, the Netherlands and Germany.
Safer Cyberspace Masterplan 2020
On the local front, the government has launched its Safer Cyberspace Masterplan 2020. This Masterplan was developed in consultation with industry and academic partners and aims to raise the general level of cybersecurity for individuals, communities, enterprises and organisations so as to create a safer and more secure cyberspace in Singapore.
Multi-Tier Cloud Security Standard for Singapore (SS 584)
The Information Technology Standards Committee under the IMDA has issued the MTCS Standard for Singapore for cloud service providers. This standard provides for three tiers of progressively stringent security certification. Although adoption is voluntary, certification under this standard may be a requirement for participation in government tenders for cloud services to be offered to the public.
Singapore Common Criteria Scheme
The Singapore Common Criteria Scheme is a scheme established by the CSA to provide a cost-effective regime for the info-communications industry to evaluate and certify their IT products in Singapore against the Common Criteria standard (ie, ISO/IEC 15408). The Common Criteria standard is a common standard developed through a collaboration among national security and standards organisations in Canada, France, Germany, the Netherlands, the UK and the USA. It harmonises the evaluation of IT products by defining a common set of security functions that product developers use, to establish the security requirements of their IT products in a standardised language.
10 Collyer Quay
10th Floor
Ocean Financial Centre
Singapore 049315
+65 6531 4110
+65 6535 4864
chongkin.lim@drewnapier.com www.drewnapier.com