Singapore Cybersecurity Act 2018

by JLT Asia

The Singapore Cybersecurity Act 2018, otherwise known as the Cybersecurity Bill, was passed into law on 5th February. The recent bill aims to strengthen the protection of computer systems and create a new regulatory framework for preventing, responding to and reporting on cyber security threats.
Rising Breaches
Singapore, with its high volume of internet-based transactions, has always been at risk of cyber-attacks. In 2017 alone, universities, government agencies, financial institutions, large and small enterprises were victims of cyber-attacks, and this threat continues to grow. According to PWC’s Global State of Information Security Survey 2017, around four in 10 executives in Singapore reported that their organisations were victims of phishing attacks, making it the most pervasive cybersecurity and privacy threat faced by organisations in the country.
Cyber threats show no sign of abating as both businesses and individuals increasingly rely on technology to perform a large array of tasks, while at the same time cybercriminals are becoming ever more sophisticated and well resourced.
Cybersecurity Bill
Under this Bill, organisations with Critical Information Infrastructure (“CII”) are now under scrutiny by the Commissioner of the Cyber Security Agency of Singapore (“CSA”), with 11 sectors identified as likely to be under CSA remit: Energy, Water, Banking and Finance, Healthcare, Transport (which includes Land, Maritime, and Aviation), Infocommunications, Media, Security and Emergency Services, and Government organisations.
The Bill requires owners of the CII to: (1) comply with codes of practice and performance standards, (2) conduct cybersecurity audits and risk assessments, and (3) participate in cybersecurity exercises. Non-compliance could see offenders hit with a maximum penalty of SGP $100,000, two years in jail or, in the worst case, both outcomes.
Apart from the above, CII owners will also be duty bound to inform the Commissioner of cybersecurity incidents that:

  • occur in respect of the CII;
  • occur in respect of any computer or computer system under the owner’s control that is interconnected with or communicates with the CII; and
  • are prescribed by notification or as specified by the Commissioner.

Failure to do so may lead to mandatory investigations and remedial actions enforced upon the non-compliant organisation.
Impact Study
With the new Bill in place, the costs of compliance may be significant:

  • Businesses will need to bear and invest more to upgrade legacy management systems and systems capability.
  • Non-compliance or a cyber incident could expose organisations to regulatory actions, investigations and fines and penalties.

With the increase in these associated costs in mind, it is important for organisations to consider purchasing cyber insurance to transfer their financial risks. For an industry with paper-thin margins, these expenses could be the deciding factor between a profit-making or loss-making year.
From an insurance perspective, regulatory coverage under a cyber policy pays defence and investigation costs for regulatory investigations and claims resulting from cyber events or failure to properly handle a cyber event. Coverage for fines and penalties is also available, though availability may be restricted by law in some areas. Other coverage that is insurable within a cyber policy includes breach response costs, forensic costs, data restoration and business interruption costs as a result of a regulatory investigation, cyber incident or system failure.
It is also important for organisations to understand their target risk when assessing cyber coverage, as the cyber insurance market in Asia has not promulgated standard forms. Hence, policies differ in scope. Seemingly minor differences in language can impact available coverage.

Source: https://www.asiajlt.com/our-insights/cyber-decoder/singapore-cybersecurity-act-2018