Singapore: Cyber Security Bill
From hacking into international money transfer systems to phishing email accounts, cyber criminals have been gaining in notoriety and causing significant financial and security problems for businesses. The sophistication and speed at which these attacks are carried out often make it difficult to trace the hackers and to recover the stolen assets. An additional difficulty is the lack of regulation of cyber space, which crosses all national boundaries. In an effort to contain the problem, countries have been introducing new cyber security laws or revising existing ones. In this article, we review Singapore’s proposed new Cyber Security Bill and the impact it will have on businesses.
Current state of the law
Singapore’s primary cyber security legislation is the Computer Misuse and Cybersecurity Act (Cap. 50A) (the “CMCA”). Under the CMCA, law enforcement agencies have the power to investigate and apprehend individuals or entities behind cybercrime. Offences captured by the CMCA include unauthorized access to computer material and unauthorized modification of computer material. However, the CMCA was enacted in 1993, long before the use of iPads, smart phones, emails and social media became common. Additionally, cyber attacks have increased in sophistication and attackers have become faster and bolder, causing some concern that the CMCA is not sufficient to respond to new, sophisticated attacks.
Speaking on his portion of the 2016 Budget, Dr Yaacob Ibrahim, Minister for Communications and Information and Minister-in-charge of Cyber Security, said: “It is inevitable that Singapore’s critical information infrastructure will at some point be targets. The interconnectivity in our networks also means that the effects of cyberattacks can be contagious.”
The new Cyber Security Bill
Against this backdrop, Dr Yaacob Ibrahim announced the introduction of a new Cyber Security Bill. The purpose of the new legislation is to increase the standards of cybersecurity services providers in Singapore and to better manage cyber security incidents. Another feature of the proposal is the setting up of a new independent agency, the Cyber Security Agency of Singapore (“CSA”), to investigate cyber security related crimes. The CSA will be vested with wider powers to enable it to better prevent and cope with potential threats to Singapore’s Critical Information Infrastructure.[1]
As drafts of the Cyber Security Bill and related working papers had not been released as of the date of this article, the potential scope of the new bill is anyone’s guess. Nonetheless, industry experts are of the view that the Cyber Security Bill will likely cover:
1. Mandatory reporting of breaches in a timely fashion;
2. Compulsory adherence to minimum international cyber security standards; and
3. Compulsory cyber audit requirements as part of the regulatory framework.
Ince Compliance will continue to monitor the position and provide updates as the process develops.
Impact on business
If the new Cyber Security Bill is passed by Parliament, it will be a welcome development in the cyber security space. In the meantime, businesses should start taking steps to minimise exposure to cyber security threats and are well advised to put preparatory steps in place to achieve compliance with the new bill. Here are 5 simple steps which businesses can take to manage cyber security risks:
- Assess your business risks by undertaking a review of your IT systems
- Educate your work force to raise awareness of cyber security risks
- Implement policies to manage these risks, for example by requiring a dual layer voice confirmation for any change in payment instructions from counterparts
- Implement a robust reporting policy so that incidents are reported to the board without delay
- Monitor the effectiveness of your policies
Given the financial and reputational risks of cyber-attacks, businesses may want to consider obtaining the necessary cyber insurance to mitigate these losses.
Cyber-attacks will not only result in short term pecuniary losses but also long lasting damage to a company’s reputation. Businesses should wake up to the realisation that cyber security is no longer solely the purview of the IT Department but of senior management and the organisation as a whole.
Our team at Ince & Co can assist you in devising a cyber security policy which responds to your business’ specific needs. For further information, please contact our Team or your usual Ince & Co contact.
[1] Critical Information Infrastructure has been identified as including energy, water, transport, health, government, infocomm, media, security and emergency services, and banking and finance sectors.