Cyber-security breach: regulation and innovation in Singapore

Jai Nathwani

With cyber-security tipped as one of the top tech trends for 2014, a lot has already been written about the controversial data security breach proposals in Europe. But what is happening elsewhere in the world? We hear from one of Datonomy’s Asia correspondents, Olswang Partner Elle Todd.

Datonomy was pleased to lead a discussion and mock cyber security breach scenario alongside the local chapter of the IAPP in Singapore last week, where such issues are gaining a lot of attention and interest.

The engaging session, attended by a variety of practitioners, followed the unfortunate exploits of a fictitious international e-commerce company faced with an anonymous threat from an individual claiming that they had managed to obtain the customer database and would release it to the blogosphere. As the morning unfolded, more facts and problems emerged for the company and the audience discussed how best to respond to the potential disaster from PR, cyber risk management and legal perspectives.

Security breaches on the rise

Singapore has not been immune to cyber and other security breaches in real life in recent years. The most high-profile recent incident occurred in November last year, when the Singapore Prime Minister’s website was hacked by hacktivist group Anonymous. Another concerned the theft of wealthy client data from Standard Chartered Bank in December 2013.

From this July there will be some new legal changes that companies will need to navigate in thinking through their response if they fall victim to such an incident.

New rules and regulations

As Datonomy has reported, Singapore will get its first ever comprehensive data protection legislation with effect from 2 July this year. Containing many provisions and principles which will be familiar to those versed in European law, the new Act does contain requirements on organisations to “protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks”. Beyond that, however, there are no obligations on notification in the event of a cyber or other security breach. A company will therefore need to ensure that its systems are adequate so that a breach does not give rise to regulatory fines or other censure, but it does not have a legal obligation to notify the regulator or customers.

The financial services industry in Singapore does not get off so lightly, however, since the Monetary Authority of Singapore (the financial services regulator) has published new rules which come into force just the day before this new personal data protection act. The MAS rules will require banks to “make all reasonable effort to maintain high availability for critical systems” and to notify the Authority “as soon as possible but not later than 1 hour, upon the discovery of a relevant incident”, a relevant incident being a system malfunction or IT security incident which has a severe and widespread impact on the bank’s operations or materially impacts the bank’s service to its customers.

A five year masterplan

Developments in Singapore are of interest internationally, however, not just because of the changes in legislation but also because of the significant resources it is fostering and investing in to support organisations in fighting cyber threats.

Last year the Singapore Government announced a ‘Five Year National Cyber-Security Masterplan’ which will focus on three key areas:

– Enhancing security of critical infocomm infrastructure;

– Increasing efforts to promote infocomm security adoption among end-users and businesses; and

– Growing Singapore’s pool of security experts in collaboration with educational institutes and industry partners.

Another key related and exciting development is the scheduled opening of Interpol’s Global Complex for Innovation in Singapore later this year. This impressive new building will act as a cutting-edge research and development facility as well as providing innovative training, operational support and partnerships. This is Interpol’s first HQ outside of Lyon, France.

Datonomy will be watching the emergence of the results of such innovation with interest since they could well prove useful in Europe as the debates continue there.

Posted on behalf of Elle Todd, partner, Olswang Asia
