A Tool-box for Singapore’s Updated Cybersecurity Laws

Mahdev Mohan, Shloka Vidyasagar

Since its enactment in 2018, the Cybersecurity Act has served as the main statutory framework for safeguarding the nation’s digital infrastructure. However, Singapore has also experienced a surge in significant data breaches due to attacks on cloud storage services and data centres operated by third-party vendors.

In October last year, an outage at an Equinix data centre used by DBS Bank led to financial chaos, with approximately 2.5 million transactions failing. The following month, the Monetary Authority of Singapore (MAS) directed DBS Bank to suspend all changes to the bank’s IT systems except for those related to security, regulatory compliance, and risk management for a 6-month period.

There have been amendments to the Cybersecurity law of which all companies should be mindful. Indeed, cloud computing as a service (‘CAS’) is widely used, with approximately 60% of all businesses in Singapore now using some form of cloud computing technology in their operations.

With the adoption of new requirements, ‘tools and business models’ for threat detection amidst CAS, some note that the amendments are timely to ensure that Singapore’s cybersecurity laws remain fit for purpose.

The Opacity of Technology Tools

Technology tools – software applications, platforms or devices used to perform specific tasks – usually undergo a process of design and evaluation. While benefiting from them, many users are often unaware of their intricacies.

Speaking extrajudicially in April 2024, the Chief Justice of Singapore, Sundaresh Menon, observed that even judges may have difficulty appreciating the intricacies of AI-driven technology tools:

“[O]ur general lack of technical training and the opacity of the tools involved may impede our ability to properly interrogate these tools, and to understand, much less to precisely explain, why and how they have contributed to certain findings or conclusions.

As we navigate the age of AI, judges will also need to be armed with sufficient technical and domain knowledge to ensure that we understand the AI tools used and, more importantly, are conscious of their limitations.”

Absent domain knowledge and training on how to comply with the changes to the Cybersecurity law (and related tools, codes or standards), companies could be hard-pressed to detect and respond promptly to cyber threats that jeopardise data privacy and security. Instead, companies might choose to pay the ransom to cyber threat actors rather than sound the alarm. Recently, even a well-known Singapore law firm allegedly paid a ransom of S$1.89mn in Bitcoin to threat actors in order to regain access to sensitive client data.

Key Features of The Amendments

On May 7, 2024, the Cybersecurity (Amendment) Bill No. 15/2024 was passed by the Parliament of Singapore with the aim of updating the Cybersecurity Act 2018 to address changes in the cybersecurity operating context and strengthen the Act’s administration. In particular, the Bill, in amending the Cybersecurity Act of 2018, provides increased powers to the Cyber Security Agency of Singapore (CSA).

The Bill seeks to enhance the regulatory powers of the cybersecurity Commissioner, including authorising on-site inspections and expanding the types of incidents that should be reported to the authorities. Generally, the amendments may require reporting of incidents that occur to computers and computing systems integral to the delivery of a critical information infrastructure (CII) provider’s essential services, or under the control of a supplier to the regulated CII provider. Providers can be required to obtain legally binding commitments from these third parties.

In summary, once these amendments come into effect, the updated Cybersecurity Act of 2018 will regulate a broader subset of system providers and controllers:

  1. Providers of essential services, regardless of whether they are CII owners or providers who rely on third-party vendors for the CII. Securing the computers and computer systems that are necessary for the continuous delivery of essential services is treated as a matter of national security.
  2. Systems of Temporary Cybersecurity Concern (STCC): owners of systems that are temporarily critical to Singapore’s interests, but are at high risk of cyber-attacks during a limited and critical period, such as handlers of vaccine distribution during the COVID-19 pandemic.
  3. Entities of Special Cybersecurity Interest (ESCI); and Entities of Foundational Digital Infrastructure (FDI), being providers of major foundational digital infrastructure services. Both are subject to a “light-touch regulatory treatment”.

Fit for Purpose, But Fit for Every Vendor?

In a recent survey, one international law firm found cybersecurity and data privacy to be top concerns for corporate investigations. “The trend is likely to persist as the widening use of AI technologies will create a dynamic regulatory environment, where Singapore companies will find themselves having to navigate a patchwork of international regulations and emerging risks.”

We agree that it is important to keep Singapore’s cybersecurity laws “fit for purpose”, as the CSA suggests. However, the cybersecurity law’s extended application to new categories of stakeholders should be fully understood by all companies in the ecosystem, both large and small.

This expanded scope could well involve incident reporting and disclosure (and related auditing and risk assessments). Criminal or civil penalties would apply when there is wilful non-compliance with reporting requirements. Simply put, more is expected of CII providers of essential services and certain third parties, and it might be prudent for them to consult professional advisers.

They may also wish to consider taking insurance against direct financial loss from various cyber-fraud events, including computer crime, impersonation fraud, telephone fraud, and crypto-jacking. This is pertinent given that operators and users of data infrastructure deemed foundational to Singapore’s economy or way of life could be subject to incident reporting obligations.

Points To Be Considered In Future Regulations?

Globally, cyber-threat actors have also used generative artificial intelligence (Gen.AI) to create sophisticated phishing and ransomware communications to access and steal data or lock up companies and health and financial systems.

We appreciate that reporting requirements are intended to address evolving tactics of Advanced Persistent Threat (APT) actors who exploit supply chains and other peripheral systems to attack CII and to disrupt the delivery of essential services, but companies should be aware of or advised on the legal changes and the further codes of practice, standards, and protocols that are rolled out in due course.

Indeed, at the Second reading of the Bill, the Senior Minister of State noted that further rules and standards will be developed:

“Matters relating to the technical or other standards that regulated entities must meet, and how CII owners should work with the providers of cloud services they use, will be designed to reflect current business realities and prevailing industry norms”.

Looking further afield, we note the framework that the US Cybersecurity and Infrastructure Security Agency (CISA) put in place that appears to keenly balance oversight and safety measures while still encouraging AI-driven research and innovation in vital sectors of the economy.

Similarly, the Network and Information Systems (NIS) Directive, which aims to achieve a common level of cybersecurity across the European Union (EU), offers valuable insights into proactive approaches to cybersecurity governance, including public-private partnerships and iterative risk assessment methodologies.

Singapore’s cybersecurity regulations might draw further inspiration from their counterparts.

Recognising the role of AI for its digital economy, the Singapore Government launched the Singapore National AI Strategy 2.0 in 2023 to strengthen its AI ecosystem, as the rise of sophisticated Gen. AI models sparks worries about potential misuse ranging from malicious cyber attacks to misinformation.

Amplified Threats Require a Data Privacy & Cybersecurity Compliance Tool-Box

However, there is a role for well-deployed Gen. AI solutions. As NMP Mr Neil Parekh observed, and as the Senior Minister of State acknowledged at the Bill’s Second reading, there can be efficiencies and opportunities for innovation while maintaining the cybersecurity of the CII. These include the use of commercial cloud solutions and demand-aggregated system infrastructure owned by a third party.

With proper assistance and guidance from law and technology experts, companies can use Gen.AI in red/purple team exercises to pre-empt zero-day vulnerabilities. In the event a breach does occur, Gen.AI could help businesses assess the nature and scope of cyberattacks, and respond in accordance with the updated legal requirements on data breach notification and disclosure.

Our threat assessment and response team at Advomi, along with our panel of law and technology experts, takes into account international best practices co-developed with private sector representatives and individual experts. Our team can offer assistance with and advice on the following:

  1. Understanding Singapore’s cybersecurity laws and regulations (e.g., Cybersecurity Act, POHA, PDPA)
  2. Implementation of cybersecurity measures (e.g., encryption, access controls)
  3. Best practices for data protection and privacy
  4. Cybersecurity compliance risk assessments
  5. Strategies for incident reporting and disclosure, crisis management, and strategic communications with authorities
  6. Cybersecurity governance and management frameworks (e.g., NIST, ISO 27001)
  7. Compliance with international standards and frameworks (e.g., GDPR, SOC 2)
  8. Cybersecurity awareness and training for employees

Conclusion

The proposed Cybersecurity amendments are an important strategic investment in Singapore’s position as a regional leader in cyber trust and cybersecurity resilience. Companies should be mindful of the beneficial uses of AI to enhance cybersecurity capabilities, ensure AI-driven systems are protected from cyber threats, and importantly deter and mitigate the malicious use of AI capabilities that could threaten the digital infrastructure Singapore’s residents rely on every day.

Mahdev Mohan is a former NMP and is Associate-General Counsel with ADVOMI;
Shloka Vidyasagar is a Counsel with ADVOMI

A version of this piece was first published by The Business Times on 7th May 2024, entitled ‘Cybersecurity – Legal Tweaks essential, but so is a road map’, with contributions from Arjun Narayan, Global Head of Trust & Safety at Smart News.
