20 December 2016
Introduction
There is a growing awareness in Singapore of the importance of being prepared for the threat of cyber-attacks. With the increased connectivity flowing from the Smart Nation Initiative comes the realisation of the importance of preserving a trusted and safe infrastructure.
This review is meant to provide a snapshot of some of the more significant events that happened in Singapore surrounding this area in 2016, and will seek to provide a glimpse of what to expect in 2017.
Cybersecurity strategy on a national/regional level
The significance and impact of cybersecurity threats was raised up a level in 2016. The Singapore Prime Minister launched the Cybersecurity strategy of Singapore at GovWare 2016 in October 2016.
Four main pillars were identified:
- Creating resilient Critical Information Infrastructures;
- Creating a safer cyberspace;
- Developing a vibrant cybersecurity ecosystem; and
- Strengthening International Partnerships
To achieve this, building up a body of trained professionals has been identified as a priority. The Cyber Security Agency of Singapore has been tasked to oversee this strategy.
At the same time, the ASEAN cybersecurity strategy was also announced, with several areas of focus being identified:
- Funds would be made available through the ASEAN Cyber Capacity Programme (ACCP) launched by Singapore to support efforts to deepen cyber capacities across ASEAN;
- There would be closer cooperation amongst ASEAN Member States with a view to enhancing international law enforcement; and
- There would be greater facilitation of exchanges on cyber norms on a regional basis to promote a deeper understanding of the cyber norms and arrive at an ASEAN position
Data Protection
It has been a busy year for the Personal Data Protection Commission (“PDPC”). This is the body entrusted to enforce privacy obligations under the Personal Data Protection Act (“PDPA”).
From April 2016, the PDPC started enforcement action against organisations for being in contravention of their obligations under the PDPA. As at November 2016, there have been twenty reported decisions issued by the PDPC, and of these, fourteen cases concerned organisations that were deemed to have failed to have reasonable security arrangements in place to protect personal data.
In July 2016, their “Guide to Securing Personal Data in Electronic Medium”, first issued in May 2015, was updated to provide additional guidance on patching, ICT outsourcing and cloud computing.
Industry trends
Certain industries have been very active in taking precautionary measures against the risks of cybersecurity threats and data protection lapses.
In July 2016, the Monetary Authority of Singapore issued their latest guidelines on Technology Risk Management, and on Outsourcing arrangements for Banks and other Financial Institutions in Singapore (“FIs”). The Association of Banks in Singapore also issued in August 2016 an implementation guide for FIs to use when entering into Cloud outsourcing arrangements. This guide is intended to assist FIs to understand approaches to due diligence, vendor management and key controls that should be implemented in Cloud outsourcing arrangements.
The aftermath of the cyber-attack on the Bangladesh Central Bank in February 2016 has also precipitated a flurry of activity. That attack undermined the SWIFT banking system, and prompted Singapore banks to accelerate the development and use of technology, such as blockchain, as an alternative protection measure.
We are also aware of interest and activity in this area in the maritime industry.
Developments in Cloud Computing
In May 2016, the Infocomm Media Development Authority of Singapore (“IMDA”) and the Singapore Ministry of Health set out cloud security standards for the private healthcare sector in Singapore under the Multi Tier Cloud Security (MTCS) Singapore Standard. The MTCS Singapore Standard was developed under the Information Technology Standards Committee (ITSC) for Cloud Service Providers (CSPs) in Singapore to encourage adoption of sound risk management and security practices by CSPs through certification.
The MTCS Singapore Standard is intended to bring clarity to the private healthcare sector on how cloud computing can be used and applied for their enterprises, as well as trust through transparency of CSPs via certification.
The Internet of Things (IoT) remains unregulated for now
There appears to be no widely accepted definition of the term “Internet of Things” or “IoT”. However, it can be agreed that the IoT refers to how “things” such as devices, sensors, computers and other objects connect, communicate or transmit information with or between each other, or otherwise interact with one another and process data through the Internet. It is perhaps not surprising that the IoT is not specifically regulated, given the speed with which the application of the technology is moving. However, the consequences of cyber-attacks on connected devices can be potentially devastating.
If regulations are forthcoming in this area, then this writer is of the view that a purposive approach should be adopted, and an emphasis on risk management should be preferred over prescriptive rules.
What could happen in 2017
Singapore can look forward to the eagerly anticipated Cyber Security Act in 2017. The Singapore Government has already outlined certain provisions that should be anticipated:
- Operators of Critical Information Infrastructure (“CIIOs”) would most likely be regulated;
- CIIOs would most likely be required, amongst other things, to comply with policy and standards, and to conduct audits and risk assessments; and
- There would also likely be mandatory reporting of Cyber Security Incidents
One area of interest amongst service providers would be to determine who would be deemed as a CIIO under the new law.
We are also beginning to see a shift in outlook, from the inevitability of suffering a cyber-attack, to a focus on managing the aftermath and liability consequences of a cyber-attack. We also foresee that remedial solutions, such as cyber-security insurance, would possibly play a bigger part.
The benefit from all of this increased awareness is that organisations can look forward to more focus, attention and resources committed by the authorities to combat this threat, more opportunities for training and educating a professional body of technicians, and greater co-ordination and co-operation amongst nations.
rizwi.wun@rhtlawtaylorwessing.com