Part 2 of 2

Author: Eric Lip (a trainee at OTP Law Corporation)

Part 1 of this article discussed how the cyber threats are captured under offence-creating laws, especially that under the Computer misuse Act.

In Part 2, we turn to look at legislation that touches on the protection against such cyber threats, and the key legislations that businesses and organisations have to navigate: the Cybersecurity Act, the Personal Data Protection Act (the “PDPA”) and various sectoral regulations such as the regulation for banks by the Monetary Authority of Singapore (“MAS”).

1. Cybersecurity Act

The Cybersecurity Act was passed on 5 February 2018 and there are four key objectives of the Cybersecurity Act:

• To provide a framework for the regulation of Critical Information Infrastructure (“CII”). The owners of these CII will be subject to certain duties, including complying with codes of practice, reporting cybersecurity incidents and performing audits and risk assessments. Non-compliance with such duties will result in criminal and civil penalties.;
• To provide the Cyber Security Agency of Singapore (“CSA”) with powers to manage and respond to cybersecurity threats and incidents;
• To establish a framework for the sharing of cybersecurity information with and by CSA, and the protection of such information; and
• To establish a light-touch licensing framework for cybersecurity service providers.

Although a significant portion of the Cybersecurity Act only directly addresses CII owners, it is expected that the obligations to comply with the cybersecurity standards will trickle down the supply chain and increase the cybersecurity standard in general.

More importantly, the CSA has broad powers of investigation in the event of a serious cybersecurity threat or incident that goes beyond regulating CII owners.

These powers include seizure of a computer without consent, requiring the owner of a computer to scan the computer for cybersecurity vulnerabilities and directing persons to carry out remedial measures such as removing viruses, installing software updates and redirecting malicious traffic to designated computer servers.

Such investigative powers complements the offence-creating legislation explored in Part 1 of this article by ensuring that swift and effective investigation can be carried out in the event of a cybersecurity incident.

1. Personal Data Protection Act

Organisations have 9 main obligations under the PDPA, viz, the Consent Obligation, Purpose Limitation Obligation, Notification Obligation, Access and Correction Obligation, Accuracy Obligation, Protection Obligation, Retention Limitation Obligation, Transfer Limitation Obligation and Openness Obligation.

Amongst these obligations, the Protection Obligation is the most pertinent for our current discussion. Under the Protection Obligation of the PDPA, an organisation is required to make reasonable security arrangements to protect personal data in its possession or under its control in order to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

Cybersecurity breaches often leads to, or are even motivated by, personal data breaches or leakages. As such, there is a considerable overlap between cybersecurity and personal data protection.

Nevertheless, the PDPA and the Cybersecurity Act are separate and distinct. The PDPA relates to personal data that an organisation possesses or control while the Cybersecurity Act covers all types of information and the computer/computer systems that handle such information.

A failure to uphold the standards set out in the PDPA puts individuals’ personal data at risk of being exposed and can result in penalties for the non-compliant organisation.

Take, for example, the 2018 SingHealth data breach where the personal particulars of 1.5 million patients were stolen. This was dubbed as the worst cyber attack Singapore has suffered, and surely remains fresh in many Singaporeans’ minds since as many as 2 million SMS messages were sent out to those affected by the breach.

After being notified of the attack, the CSA was involved in an early stage and carried out investigations and remediation of the attack. A Public Committee of Inquiry (“Public COI”) was also appointed to inquire to the events, establish a response and recommend measures to reduce the risk of such attacks. 

Soon after the announcement of the data breach, the Personal Data Protection Commission (“PDPC”) also received complaints from members of the public regarding the breach, and commenced its investigations.

In a decision based on representations by Integrated Health Information Systems (“IHiS”) and SingHealth and also incorporating references to relevant section of the Public COI Report (“COI Report”), the PDPC found that both IHiS and SingHealth were in breach of the PDPA. As the nominated agency to deal with IT matters and data controller respectively, they had failed to comply with section 24. They did not protect the personal data under their control with reasonable security arrangements. Instead, multiple simple failings led to the breach: staff unawareness of phishing, weak passwords, amongst others. The PDPC thus imposed a total financial penalty of S$1 million, comprising S$750,000 and S$250,000 on IHiS and SingHealth respectively.

The SingHealth data breach demonstrates how a typical data breach involving a CII may play out.

While both the PDPC and the CSA can initiate investigation, it is more appropriate in this case for the CSA to be the authority carrying out the investigation as the matter is of national interest and SingHealth is CII owner. The obligations of a CII owner under the Cybersecurity Act, such as complying with the relevant codes of practice, standards of performance and written directions of the Commissioner of Cybersecurity (“Commissioner”) and conducting cybersecurity risk assessments and audits, would run parallel to the Protection obligations under the PDPA. The PDPC and the CSA may also both impose financial penalties for failure to meet the respective obligations as well as issue possibly similar directions for remedial or preventive measures.

Moving forward, the PDPC also has plans to amend the PDPA to create a mandatory data breach notification regime.^[1]A new “Guide to Managing Data Breaches 2.0”  has also been recently released to provide further guidance to organisations on data breach management and reporting. As CII owners already have an obligation to report cybersecurity incidents to the CSA under s 14 of the Cybersecurity Act, this means that a CII owner  may be required to notify both the PDPC and the Commissioner upon the occurrence of such cybersecurity breaches.  

1. Sectoral Regulations

The CII sectors under the Cybersecurity Act are: Energy, Water, Banking and Finance, Healthcare, Transport, Infocomm, Media, Security and Emergency Services, and Government. Naturally, the wide array of sectors caught under the Cybersecurity Act makes it difficult for a blanket legislation to adequately address each of the sector’s specific cybersecurity concerns. There may also be existing codes and standards such as sectoral regulations that the relevant organisations must comply with.

As such, the Cybersecurity Act provides for the appointment of Assistant Commissioners to oversee CIIs in each sector and ensure that the Cybersecurity Act requirements are sensible for each sector. Such Assistant Commissioners would mostly come from the Sector Leads, which are the government lead agencies in charge of each sector.

An entity may thus be regulated under both the Cybersecurity Act as well as the sector’s own existing framework on cybersecurity. In the event of a breach, if the directions are issued based on the powers from the Cybersecurity Act, the Assistant Commissioner should take enforcement actions for non-compliance in consultation with the Commissioner and in accordance with the penalty framework in the Cybersecurity Act.

The sectoral regulations may set more stringent requirements than those required under the Cybersecurity Act. In such a case, the sectoral regulations would take precedence over the Cybersecurity Act in the event of non-compliance.

Sectors such as the Banking and Finance already have regulatory levers to tackle cyber threats and incidents. For instance, the Monetary Authority of Singapore (“MAS”) Notice on Technology Risk Management issued by the Monetary Authority of Singapore (“MAS”) imposes obligations on various financial institutions such as notifying MAS of relevant incidents, preparation of root cause and impact analysis reports to MAS pertaining to relevant incidents, as well as implementation of IT controls to protect against unauthorised access or disclosure. In this respect the MAS’s powers are similar to the powers over CII owners in the Cybersecurity Act.

1. Implications

What does all of the above information mean?

While most organisations would not likely be designated as CII owners, the Cybersecurity Act needs to be taken into consideration in 2 ways.

First, the broad investigative powers provided to the Commissioner under the Cybersecurity Act extends beyond just CII owners to allow the Commissioner to require non-CII system owners to assist in the investigations.

Second, organisations who own systems that are interconnected with CIIs would also need to consider the trickle-down effect of such obligations. Even if such organisations are not directly regulated under the Cybersecurity Act, they would likely be subject to contractual obligations imposed by CII owners reflecting similar obligations.

An organisation’s obligations under the PDPA would thus be generally more pertinent. Indeed, the substantial fines to IHiS and SingHealth clearly demonstrate the high stakes involved in non-compliance.

To this end, we suggest some key takeaways below derived from SingHealth Public COI.

Staff awareness and competence

Even the best technological measures would not be sufficient without competent and aware employees at the front line of the cybersecurity defences. In the case of the SingHealth breach, the most likely method through which the attacker had gained initial access to the network was by way of phishing attacks. Given that phishing attacks prey precisely on human vulnerabilities, promulgating basic security practices, such as increasing awareness on signs of phishing and practicing good cyber hygiene, can greatly improve the level of cybersecurity in the organisation.

While the awareness, training and resources of IT staff are crucial to ensuring adequate levels of cybersecurity, the training must not be limited to the IT staff. A strong cybersecurity culture organisation-wide is necessary.

Security structure and processes

From a technical standpoint, vulnerability assessments must be conducted regularly and a robust patch management process must be implemented to address such vulnerabilities. The COI Report highlighted that although a patch, which could have prevented exploitation of a vulnerability, was available at the material time, the patch was not installed. This allowed the attacker to exploit such a vulnerability.

It is also essential to sort out organisational matters, such as structures, policies and processes when forming a holistic risk management cybersecurity strategy. This includes effective incident response processes, such as an incident reporting framework, as well as policies to prevent such security incidents, such as a software upgrading policy.

In addition, organisations should take special notice to avoid being overly dependant on their vendors in handling cybersecurity. In the SingHealth scenario, although work was being delegated to IHiS as a data intermediary and IHiS was thus liable as a data intermediary, SingHealth as the data controller was still rapped for their over-reliance on IHiS in relation to the personal data collected. It is thus critical to examine existing and future partnerships to ensure compliance with regulations.

• Conclusion

Organisations managing their cyber risk may now need to consider 4 sets of regulations: (1) the Cybersecurity Act; (2) the PDPA; (3) the Computer Misuse Act; and (4) sectoral regulations. This has raised concerns of increased cost of compliance amongst businesses and organisations. For instance, in the event of a breach, there may be a risk of duplicated reporting to the Commissioner and various sector regulators. 

To this end, the CSA has promised that efforts will be made to harmonise the cybersecurity obligations under the Cybersecurity Act with those under the respective sectoral regulations as far as possible.

Given the nascent Cybersecurity Act and the different laws governing similar and even overlapping areas, navigating the regulatory landscape of cybersecurity is not a simple or straightforward task. While the regulatory framework and the interaction between the laws would likely receive greater clarity with the passage of time, businesses and organisations need to be remain cognisant of their obligations under each of the respective laws to avoid falling foul of any legislation.

[1] Personal Data Protection Commission website <https://www.pdpc.gov.sg/news/press-room/2019/03/plan-to-make-data-breach-notification-regime-mandatory> (1 March 2019)