< Back

Share |

Data protection and cybersecurity in Singapore, 2016-2017

January 2017

There is a growing awareness in Singapore of the importance of being prepared for the threat of cyber attacks. With the increased connectivity flowing from the Smart Nation Initiative, comes the realisation of the importance of preserving a trusted and safe infrastructure.

This review provides a snapshot of some of the more significant events that happened in Singapore in data protection and cybsersecurity in 2016, and a glimpse of what to expect in 2017.

Cybersecurity strategy on a national/regional level

The significance and impact of cybersecurity threats were raised up a level in 2016. The Singapore Prime Minister launched the Cybersecurity Strategy of Singapore at GovWare 2016 in October 2016.

Four main pillars were identified:

  • creating resilient Critical Information Infrastructures;
  • creating a safer cyberspace;
  • developing a vibrant cybersecurity ecosystem; and
  • strengthening International Partnerships.

To achieve this, building up a body of trained professionals has been identified as a priority. The Cyber Security Agency of Singapore has been tasked to oversee this strategy.

At the same time, the ASEAN cybersecurity strategy was also announced, with several areas of focus being identified:

  • funds will be made available through the ASEAN Cyber Capacity Programme (ACCP) launched by Singapore to support efforts to deepen cyber capacities across ASEAN;
  • there will be closer cooperation amongst ASEAN Member States with a view to enhancing international law enforcement; and
  • there will be greater facilitation of exchanges on cyber norms on a regional basis to promote a deeper understanding of the cyber norms and arrive at an ASEAN position.

Data protection

It has been a busy year for the Personal Data Protection Commission (PDPC), the regulatory body entrusted to enforce privacy obligations under the Personal Data Protection Act (PDPA).

From April 2016, the PDPC started enforcing against organisations in contravention of their obligations under the PDPA. As at December 2016, there have been twenty two reported decisions issued by the PDPC, and of these, sixteen cases concerned organisations that were deemed to have failed to have reasonable security arrangements in place to protect personal data.

In July 2016, the PDPC's “Guide to Securing Personal Data in Electronic Medium”, first issued in May 2015, was updated to provide additional guidance on patching, ICT outsourcing and cloud computing.

In December 2016, the PDPC updated the chapter on Photography, Video and Audio Recordings in their “Advisory Guidelines on Selected Topics” on the PDPA. The revisions were focused on providing further clarity on photography, video or audio recording activities which capture personal data. The revised guidelines also provided some practical guidance on the use of closed-circuit television (CCTV) and included, for the very first time, considerations of issues relating to the use of drones.

Industry trends

Certain industries have been very active in taking precautionary measures against the risks of cybersecurity threats and data protection lapses.

In July 2016, the Monetary Authority of Singapore issued its latest guidelines on Technology Risk Management, and on Outsourcing arrangements for Banks and other Financial Institutions in Singapore (FIs). The Association of Banks in Singapore also issued an implementation guide for FIs to use when entering into cloud outsourcing arrangements in August 2016. This guide is intended to assist FIs to understand approaches to due diligence, vendor management and key controls that should be implemented in cloud outsourcing arrangements.

The aftermath of the cyber attack on the Bangladesh Central Bank in February 2016, has also precipitated a flurry of activity. That attack undermined the SWIFT banking system, and prompted Singapore banks, to accelerate the development and use of technology, such as blockchain, as an alternative protection measure.

We are also aware of interest and activity in this area in the Maritime industry.

Developments in cloud computing

In May 2016, the Infocomm Media Development Authority of Singapore (IMDA) and Singapore Ministry of Health set out cloud security standards for the private healthcare sector in Singapore under the Multi Tier Cloud Security (MTCS) Singapore Standard. The MTCS Singapore Standard was developed under Information Technology Standards Committee (ITSC) for Cloud Service Providers (CSPs) in Singapore to encourage adoption of sound risk management and security practices by CSPs through certification.

The MTCS Singapore Standard is intended to bring clarity to the private healthcare sector on how cloud computing can be used and applied for their enterprises, as well as trust through transparency of CSPs via certification.

The Internet of Things (IoT) remains unregulated for now

It is perhaps not surprising that the IoT is not specifically regulated, given the speed with which the application of the technology is moving. However, the consequences of cyber attacks on connected devices can be potentially devastating.

If regulations are forthcoming in this area, then we are of the view that a purposive approach should be adopted, and an emphasis on risk management should be preferred over prescriptive rules.

What to expect in 2017

Singapore can look forward to the eagerly anticipated Cyber Security Act in 2017. The Singapore Government has already outlined certain provisions that should be anticipated:

  • operators of Critical Information Infrastructure (CIIOs) will most likely be regulated;
  • CIIOs would most likely be required, amongst other things, to comply with policy and standards, and conduct audits and risk assessments; and
  • there would also likely be mandatory reporting of cybersecurity incidents.

One area of interest amongst service providers would be to determine who would be deemed a CIIO under the new law.

We are also beginning to see to a focus on protecting against but managing the aftermath and liability consequences of a cyber attack. We also foresee that remedial solutions, such as cybersecurity insurance, will play a bigger part.

The benefit of this increased awareness is that organisations in Singapore can look forward to more focus, attention and resources committed by the authorities to combat this threat, more opportunities for training and educating a professional body of technicians, and greater co-ordination and co-operation between different jurisdictions.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Data protection and cybersecurity in Singapore, 2016-2017
Rizwi Wun

RHTLaw Taylor Wessing's
Rizwi Wun

Rizwi looks back at the main developments in data protection and cybersecurity in Singapore during 2016 and at what to expect in 2017.

"organisations in Singapore can look forward to more focus, attention and resources committed by the authorities to combat this threat, more opportunities for training and educating a professional body of technicians, and greater co-ordination and co-operation between different jurisdictions."