Standalone Cybersecurity Bill to be Tabled Next Year

Similar documents
Recognition of Foreign Liquidators - Universalism in Singapore Insolvency Law

When Is A Statutory Demand Deemed Invalid?

Examining the Parity Principle in Criminal Sentencing

China s New Anti-Terrorism Law: Implications for Firms Dealing with Data in China

The Singapore Government s Intellectual Property Hub Master Plan

Determining the Beneficial Ownership of Property

Court of Appeal Decides On Liability For Workplace Accident

First Grounds of Decision on Data Protection Breaches in Singapore issued by the Personal Data Protection Commission

Infocomm Security Masterplan 2

ASEAN s Cooperation on Cybersecurity and against Cybercrime

Drafting Restrictive Covenants In Employment Contracts

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES

INTRODUCTION TO THE EUROPEAN PARLIAMENT DELEGATION FOR RELATIONS WITH THE COUNTRIES OF SOUTHEAST ASIA AND THE ASSOCIATION OF SOUTHEAST NATIONS

JOINT MEDIA STATEMENT

Viewpoint: Implementing Japan s New Cyber Security Strategy*

Towards closer EU-ASEAN collaboration in cybersecurity

ASECRO COMPANY PROFILE. Web & App design Hosting Domain Cloud Encryption CDN SNS Software Development

Who s next after TalkTalk?

ASEAN AGREEMENT ON TRANSBOUNDARY HAZE POLLUTION

ASEAN Regional Forum Cyber Incident Response Workshop Republic of Singapore 6-7 September Co-Chair s Summary Report

Cambodia Tax Profile. kpmg.com.kh

Establishing a business

CSCAP MEMORANDUM NO. 24 Safety and Security of Vital Undersea Communications Infrastructure

How To Prepare A Cyber Security Workshop In Asean

12 th -16 th May Country Progress Report

The Role and Function of a Data Protection Officer in the European Commission s Proposed General Data Protection Regulation. Initial Discussion Paper

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

Credit: Nasa, Visible Earth MYANMAR

The Strategic Trade Act (STA) 2010: Malaysia s Experience in the Implementation of Strategic Trade Management. Yangon, Myanmar 24 June 2015

The Japan Council of Local Authorities for International Relations (CLAIR), Singapore

World Cities Summit 2012

Thailand and ASEAN. 1. ASEAN: Forty Five Years of Achievements

Defending yesterday. Financial Services. Key findings from The Global State of Information Security Survey 2014

CO-CHAIRS SUMMARY REPORT ARF CYBERCRIME CAPACITY-BUILDING CONFERENCE BANDAR SERI BEGAWAN, BRUNEI DARUSSALAM APRIL 27-28, 2010

ESKISP Conduct security testing, under supervision

The Danish Cyber and Information Security Strategy

Information Technology Consulting Services

GEN 3.6 SEARCH AND RESCUE

ITU GLOBAL CYBERSECURITY AGENDA AND CHILD ONLINE PROTECTION. International Telecommunication Union

85% of business networks identified with bot infections 63% of business networks identified to have downloaded malware files 89% of business networks

KONRAD ADENAUR STIFTUNG

COMPUTER MISUSE AND CYBERSECURITY ACT (CHAPTER 50A)

Guidance on data security breach management

Securing Internet Payments across Europe. Guidelines for Detecting and Preventing Fraud

PROFESSIONAL ACCOUNTANTS TO STRENGTHEN MEASURES AGAINST MONEY LAUNDERING AND FINANCING OF TERRORISM

NOMURA SINGAPORE LIMITED

Declaration Form for EP Online/ WP Online User Agreement

PRIORITIZING CYBERSECURITY

Integrated Water Resources Management. Dong Nai Pilot Project, Vietnam Nam Ngum Pilot Project, Lao PDR Stung Sen Pilot Project, Cambodia

How To Comply With The New Ppa

Asian Payment Card Forum Growing the Business: Launching Successful Consumer Payments Products

The Cloud and Cross-Border Risks - Singapore

Guidance on data security breach management

Patrick Fair Partner, ITC and Data Security Specialist Baker & McKenzie. Developments in Security Regulation

Cybersecurity: The changing role of audit committee and internal audit

Cybersecurity Strategy of the Republic of Cyprus

Cyber Security Strategy

Cybersecurity: Thailand s and ASEAN s priorities. Soranun Jiwasurat

South East Asia: Data Protection Update

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

Business Plan 2012/13

Online security. Defeating cybercriminals. Protecting online banking clients in a rapidly evolving online environment. The threat.

Cambodia Tax Profile. Produced in conjunction with the KPMG Asia Pacific Tax Centre. Updated: August 2013

ASEAN IPR SME Helpdesk Guide: Protecting your IP at Trade Fairs in Southeast Asia. Contents. 1. Protecting your IP at trade fairs. 2.

Cyber Security & Data Analytics October - November 2015

RESPONSIBLE CARE SECURITY CODE OF MANAGEMENT PRACTICES

How To Write An Article On The European Cyberspace Policy And Security Strategy

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model

THE MORAY COUNCIL. Guidance on data security breach management DRAFT. Information Assurance Group. Evidence Element 9 appendix 31

OPENING SPEECH WORKSHOP ON STUDENT MOBILITY, JOINT DEGREE PROGRAMMES AND INSTITUTIONAL DEVELOPMENT. Distinguished Guests, Ladies and gentlemen

BUSINESS INTELLIGENCE & TARGET MARKETING. Copyright CNCData. All Rights Reserved.

Cyber security Time for a new paradigm. Stéphane Hurtaud Partner Information & Technology Risk Deloitte

Principles of model for the University Library in Thailand to ASEAN Community

BSA GLOBAL CYBERSECURITY FRAMEWORK

New York State Department of Financial Services. Report on Cyber Security in the Insurance Sector

Global Corporate IT Security Risks: 2013

ASEAN Cooperation Initiative in Quality Assurance Assoc. Prof. Dr. Nantana Gajaseni Deputy Executive Director, ASEAN University Network

Mainstreaming Disaster Risk Reduction into National and Sectoral Development Process

Demystifying Cyber Insurance. Jamie Monck-Mason & Andrew Hill. Introduction. What is cyber? Nomenclature

INFORMATION SECURITY GUIDE. Cloud Computing Outsourcing. Information Security Unit. Information Technology Services (ITS) July 2013

For Discussion Paper No. 9/2011 on 3 November 2011 DIGITAL 21 STRATEGY ADVISORY COMMITTEE. Cyber Security

Legislative Council Panel on Information Technology and Broadcasting. Information Security

Transcription:

Standalone Cybersecurity Bill to be Tabled Next Year Introduction A standalone Cybersecurity Bill ( Bill ) will be tabled in Parliament in 2017. The new Bill will ensure that the operators of Singapore s critical information infrastructure ( CII ) take proactive steps to secure such CIIs and report incidents of cybersecurity breaches. The new Bill will empower the Cyber Security Agency ( CSA ) to manage cyber incidents and raise the standards of cybersecurity providers. All businesses (not just CII) are recommended to adopt a cybersecurity-by-design approach to their operations. CII operators (and potentially other businesses that deal with them) need to establish additional policies and procedures (if they have not already done so) to deal with cyber incidents, and comply with the new reporting obligation. A standalone Cybersecurity Bill will be tabled in Parliament next year to keep pace with the evolving cyber security landscape in Singapore and beyond. This was revealed by Dr Yaacob Ibrahim, Minister for Communications and Information, at the Committee of Supply Debate on 11 April 2016. In his speech, Dr Yaacob said that the Ministry of Communications and Information ( MCI ) will review the country s policy and legislative framework for cybersecurity as the Government moves towards building Singapore as a Smart Nation. The introduction of the Bill is subsumed in the vision outlined in the National Cyber Security Masterplan 2018 ( NCSM 2018 ) to make Singapore a Trusted and Robust Infocomm Hub by 2018. Taking its cue from two previous infocomm security masterplans, NCSM2018 aims to reinforce Singapore s cybersecurity by intensifying efforts in the Government and critical information infrastructure ( CII ), as well as the wider infocomm ecosystem which includes businesses and individuals. It intends to engender a secure and resilient infocomm environment and a vibrant cybersecurity ecosystem. What is the current legislation Currently, the primary legislation on cybersecurity is the Computer Misuse and Cybersecurity Act ( CMCA ). The CMCA criminalises certain activities including the unauthorised access, use, interception and modification of computers, data and computer services. Amendments introduced to the CMCA in 2013 empower the Minister of Home Affairs to act against cybersecurity threats. For instance, the Minister of Home Affairs can, through the issuance of a certificate, authorise, direct or compel a person or entity to take such steps or to comply with certain obligations as are necessary for the detection and prevention of cybersecurity threats to the national security, defence, foreign relations and essential services of Singapore. The definition of essential services (also known as CII) as set out in the CMCA is limited to the specified sectors of communications infrastructure, banking and finance, public utilities (eg, energy, water), public transportation, land transport infrastructure, aviation, shipping, public key infrastructure and emergency services such as police, civil defence or health services. 1 Rajah & Tann Singapore LLP

Recent trends in the cybersecurity landscape Through the years, the cybersecurity landscape has seen increased sophistication in cyber attacks, and faster and bolder attackers. As demonstrated by recent incidents, attacks may be launched by well trained and resourced nation states, organized crime, terror groups, hacktivists, or even insiders. Dr Yaacob noted in his speech that it is inevitable that Singapore s critical information infrastructure will at some point be targets. The interconnectivity in our networks also means that the effects of cyber attacks can be contagious. As such, attacks on CII could spread to other connected infrastructure, thereby affecting organisations in sectors not specified as essential services, and vice versa. This year, there have been alarming cybersecurity incidents in both the private and public sectors which call for more vigilant measures. In January 2016, hackers used the credit card details of an individual, including the one-time password issued to authenticate online transactions using his credit card, to make purchases amounting to $12,327 for flight tickets in Europe. The credit card details were ostensibly stolen through the malware that was residing in his smartphone, while the bank asserted that its security systems were not compromised. It was reported that the individual was engaged in a dispute with the bank as to which party should bear the costs of the aforementioned fraudulent transactions. What is the intended change and effect In his speech, Dr Yaacob gave a glimpse of the scope of the new Bill. The Bill is intended to provide the Cyber Security Agency of Singapore, the national agency overseeing the country s cybersecurity strategy, with wider powers to enable it to prevent and cope with cybersecurity threats to Singapore s CII. Dr Yaacob cited examples of other countries that have recently strengthened their cybersecurity legislation. Germany passed a law last year to raise cybersecurity standards for CII operators and mandate reporting of significant security incidents. The United States also enacted a law to facilitate sharing of information on cyber threats. The Singapore government intends to follow suit. Securing critical information infrastructure; Reporting obligation The new Bill will ensure that the operators of Singapore s CII take proactive steps to secure such CIIs and report incidents of cybersecurity breaches. The reporting obligation is not presently mandated under the CMCA unless the Minister for Home Affairs specifically requires a person to do so. Dr Yaacob did not elaborate on the extent of measures that the CII operators should take to secure Singapore s CII, and the thresholds beyond which the reporting obligation will be triggered. We anticipate that more details will be provided when the MCI consults the stakeholders in due course. The Bill could potentially adopt the approach taken by the Monetary Authority of Singapore ( MAS ) viza-viz financial institutions. Under the MAS Notice on Technology Risk Management, financial institutions regulated by the MAS are required to notify the MAS of, inter alia, any security breaches to their IT systems. Timelines have also been stipulated such that an initial notification must be made within an hour of the discovery of such an incident, with a detailed report to follow within fourteen (14) days of the incident. CSA to manage cyber incidents; raise the standards of cybersecurity providers Along with the objective of securing Singapore s CII, the new Bill will also empower the CSA to manage cyber incidents and raise the standards of cybersecurity providers here. Potentially, the Bill could grant the CSA the authority to take actions or direct other persons or entities to take actions, so as to effectively manage and coordinate multi-sector responses to cyber incidents. 2 Rajah & Tann Singapore LLP

In this regard, it was highlighted that the CSA advocates a multi-faceted approach to cybersecurity, including risk-based mitigation, early detection and robust response. The CSA has already been involved in coordination with other sectors to mitigate widespread cyber attacks, by assessing critical infrastructure for vulnerabilities, and simulating cyber attacks. It is understood that this aspect of the new Bill will also be the subject of MCI s consultation with the stakeholders. What is the potential impact on organisations The new Bill can potentially impact businesses beyond those in the CII sector. As Dr Yaacob mentioned, cyber attacks can be contagious. Attackers may find that the weak link may not lie with the CII operators, but in other businesses dealing with the CII operators, such as their service providers. As such, the requirements imposed by the new Bill on CII operators could directly or indirectly affect those other businesses dealing with CII operators. All businesses should bear in mind that, in line with the NCSM2018, the authorities have broadened their attention to businesses and individuals, beyond just the government and CII sectors. As stated by Dr Yaacob, businesses need to come round to the fact that cyber threats can hurt bottom lines. What should organisations do at this time All businesses are recommended to adopt a cybersecurity-by-design approach to their operations. This should be based on the multi-faceted approach advocated by the CSA risk-based mitigation, early detection and robust response. In particular, CII operators (and businesses dealing with CII operators) should be prepared to take more proactive actions to secure their information infrastructure. They will also need to prepare for compliance with the reporting obligation, which will likely involve establishing additional policies and procedures (if they have not already done so) to deal with cyber incidents. An important element of such policies is training employees to deal effectively with cyber incidents, which would involve regular cyber breach simulations (akin to fire drills), among others. CII operators may also need to ensure that their service providers, which are connected through information infrastructure (which may provide technology or cloud services), are well-equipped to handle cyber incidents. In any case, it is necessary for businesses to keep apprised of any developments relating to the new Bill, given its potential to have significant implications, from an operational and compliance standpoint, for businesses in every industry, especially those in the CII sector as cited above. Businesses should also conduct cybersecurity breach readiness training and simulation, as well as secure the necessary resources for cybersecurity breach management, so as to be well-prepared to manage any breach that may occur. Concluding Remarks In light of the severe damage and harm that cyber attacks can cause, the introduction of a standalone Cybersecurity Bill represents the government s intention to address cybersecurity threats decisively, which could involve a multi-sector response managed by the CSA. Businesses should also note the possibility that personal data (eg, of clients and employees) could be disclosed as a result of a cybersecurity breach. In such a case, the Personal Data Protection Commission could be involved to investigate if there is a breach of the Personal Data Protection Act. 3 Rajah & Tann Singapore LLP

While further details on the Bill have yet to be released, businesses can start taking action. The mandatory notification requirement is especially important, given that CII operators (and potentially, businesses dealing with CII operators) will need to establish compliance measures, including but not limited to additional policies and procedures to deal with cyber incidents. CII operators may also need to ensure that their service providers are well-equipped to handle cyber incidents. Businesses need to adopt a proactive, instead of reactive, cybersecurity stance and ensure that personnel are trained and ready to manage any cybersecurity breach that occurs. Businesses should also adopt the attitude that cybersecurity breaches are most probably inevitable, and take proactive steps to mitigate such risk. The necessary training, protocols and policies for cybersecurity breach readiness should be put in place, and we will be happy to assist on this front. 4 Rajah & Tann Singapore LLP

Contacts Rajesh Sreenivasan Head, Technology, Media & Telecommunication D (65) 6232 0751 F (65) 6428 2204 rajesh@rajahtann.com Steve Tan Deputy Head, Technology, Media & Telecommunication D (65) 6232 0786 F (65) 6428 2216 steve.tan@rajahtann.com Lionel Tan D (65) 6232 0752 F (65) 6428 2119 lionel.tan@rajahtann.com Benjamin Cheong D (65) 6232 0738 F (65) 6428 2233 benjamin.cheong @rajahtann.com Tanya Tang Chief Economic and Policy Advisor Competition & Antitrust and Trade Technology, Media & Telecommunication Jocelyn Chan D (65) 6232 0581 F (65) 6428 2109 jocelyn.x.chan@rajahtann.com D (65) 6232 0298 F (65) 6225 0747 tanya.tang@rajahtann.com Please feel free to also contact Knowledge and Risk Management at eoasis@rajahtann.com ASEAN Economic Community Portal With the launch of the ASEAN Economic Community ( AEC ) in December 2015, businesses looking to tap the opportunities presented by the integrated markets of the AEC can now get help a click away. Rajah & Tann Asia, United Overseas Bank and RSM Chio Lim Stone Forest, have teamed up to launch Business in ASEAN, a portal that provides companies with a single platform that helps businesses navigate the complexities of setting up operations in ASEAN. By tapping into the professional knowledge and resources of the three organisations through this portal, small- and medium-sized enterprises across the 10-member economic grouping can equip themselves with the tools and knowhow to navigate ASEAN s business landscape. Of particular interest to businesses is the "Ask a Question" feature of the portal which enables companies to pose questions to the three organisations which have an extensive network in the region. The portal can be accessed at http://www.businessinasean.com/. 5 Rajah & Tann Singapore LLP

Our regional presence Our regional contacts RAJAH & TANN Singapore RAJAH & TANN REPRESENTATIVE OFFICE China Rajah & Tann Singapore LLP 9 Battery Road #25-01 Straits Trading Building Singapore 049910 T +65 6535 3600 F +65 6225 9630 sg.rajahtannasia.com Rajah & Tann Singapore LLP Shanghai Representative Office Unit 1905-1906, Shui On Plaza, 333 Huai Hai Middle Road Shanghai 200021, People's Republic of China T +86 21 6120 8818 F +86 21 6120 8820 cn.rajahtannasia.com R&T SOK & HENG Cambodia RAJAH & TANN NK LEGAL Myanmar R&T Sok & Heng Law Office Vattanac Capital Office Tower, Level 17, No. 66 Preah Monivong Boulevard, Sangkat Wat Phnom Khan Daun Penh, 12202 Phnom Penh, Cambodia T +855 23 963 112 / 113 F +855 963 116 kh.rajahtannasia.com *in association with Rajah & Tann Singapore LLP Rajah & Tann NK Legal Myanmar Company Limited Myanmar Centre Tower 1, Floor 07, Unit 08, 192 Kaba Aye Pagoda Road, Bahan Township, Yangon, Myanmar T +95 9 73040763 / +95 1 657902 / +95 1 657903 F +95 1 9665537 mm.rajahtannasia.com 6 Rajah & Tann Singapore LLP

ASSEGAF HAMZAH & PARTNERS Indonesia RAJAH & TANN Thailand Assegaf Hamzah & s Jakarta Office Menara Rajawali 16th Floor Jalan DR. Ide Anak Agung Gde Agung Lot #5.1 Kawasan Mega Kuningan, Jakarta 12950, Indonesia T +62 21 2555 7800 F +62 21 2555 7899 www.ahp.co.id Surabaya Office Pakuwon Center, Superblok Tunjungan City Lantai 11, Unit 08 Jalan Embong Malang No. 1, 3, 5, Surabaya 60261, Indonesia T +62 31 5116 4550 F +62 31 5116 4560 * Assegaf Hamzah & s is an independent law firm in Indonesia and a member of the Rajah & Tann Asia network. Rajah & Tann (Thailand) Limited 973 President Tower, 12th Floor, Units 12A-12F Ploenchit Road, Lumpini, Pathumwan Bangkok 10330, Thailand T +66 2 656 1991 F +66 2 656 0833 th.rajahtannasia.com RAJAH & TANN Lao PDR Rajah & Tann (Laos) Sole Co., Ltd. Phonexay Village, 23 Singha Road, House Number 046/2 Unit 4, Saysettha District, Vientiane Capital, Lao PDR T +856 21 454 239 F +856 21 285 261 la.rajahtannasia.com CHRISTOPHER & LEE ONG Malaysia RAJAH & TANN LCT LAWYERS Vietnam Christopher & Lee Ong Level 22, Axiata Tower, No. 9 Jalan Stesen Sentral 5, Kuala Lumpur Sentral, 50470 Kuala Lumpur, Malaysia T +60 3 2273 1919 F +60 3 2273 8310 www.christopherleeong.com *in association with Rajah & Tann Singapore LLP Rajah & Tann LCT Lawyers Ho Chi Minh City Office Saigon Centre, Level 13, Unit 2&3 65 Le Loi Boulevard, District 1, HCMC, Vietnam T +84 8 3821 2382 / +84 8 3821 2673 F +84 8 3520 8206 Hanoi Office Lotte Center Hanoi - East Tower, Level 30, Unit 3003, 54 Lieu Giai St., Ba Dinh Dist., Hanoi, Vietnam T +84 4 3267 6127 F +84 4 3267 6128 www.rajahtannlct.com Rajah & Tann Singapore LLP is one of the largest full service law firms in Singapore, providing high quality advice to an impressive list of clients. We place strong emphasis on promptness, accessibility and reliability in dealing with clients. At the same time, the firm strives towards a practical yet creative approach in dealing with business and commercial problems. As the Singapore member firm of the Lex Mundi Network, we are able to offer access to excellent legal expertise in more than 100 countries. Rajah & Tann Singapore LLP is part of Rajah & Tann Asia, a network of local law firms in Singapore, Cambodia, China, Indonesia, Lao PDR, Malaysia, Myanmar, Thailand and Vietnam. Our Asian network also includes Singapore-based regional desks focused on Japan and South Asia. The contents of this Update are owned by Rajah & Tann Singapore LLP and subject to copyright protection under the laws of Singapore and, through international treaties, other countries. No part of this Update may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose save as permitted herein) without the prior written permission of Rajah & Tann Singapore LLP. Please note also that whilst the information in this Update is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as a substitute for specific professional advice for any particular course of action as such information may not suit your specific business and operational requirements. It is to your advantage to seek legal advice for your specific situation. In this regard, you may call the lawyer you normally deal with in Rajah & Tann Singapore LLP or e-mail Knowledge & Risk Management at eoasis@rajahtann.com. at eoasis@rajahtann.com. 7 Rajah & Tann Singapore LLP

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information