Data Breach Reporting Mandate Included in New Singapore LawOwners of CII Must Report Incidents or Face Penalties
Singapore's new cybersecurity law passed earlier this week by the Parliament includes a mandate that owners of critical information and infrastructure, local or foreign, must report all cybersecurity incidents to the Cyber Security Agency. Penalties for noncompliance are up to $100,000 or two years' imprisonment or both.
The law also calls for appointing a commissioner of cybersecurity to obtain confidential information from owners of CII on their security postures (see: The Challenges Posed by Singapore's New Cybersecurity Law).
Some security experts contend that many CII owners in the nation lack adequate security processes as well as the resources to establish a threat detection mechanism.
"Organizations affected by the cybersecurity bill often have inadequate security processes in place today; for them, complying with the new requirement will be expensive," says Singapore-based Tom Wills, director of On-Track Advisory, a cybersecurity consultancy. "Most organizations believe that deploying security processes may mean diverting resources from other functions, thus compromising profitability."
Presenting the bill to the Parliament, Dr. Yaacob Ibrahim, minister for communications and IT, said: "Making the reporting of cybersecurity incidents a requirement under the bill will be both resource-intensive for CSA as well as companies in Singapore, especially our SMEs [small and medium enterprises]."
He explained that a cybersecurity incident on CII is defined in the new law as "an act or activity carried out without lawful authority on or through the CII that jeopardizes or adversely affects its cybersecurity."
To provide further clarification, Ibrahim said, "CSA will provide further details to guide CII owners in incident reporting, such as relevant forms and guidelines and being empowered to investigate cybersecurity threats and incidents pertaining to computer systems in Singapore; this includes computer systems that are not CII."
In the current structure, all companies can voluntarily report cybersecurity incidents to CSA through SingCERT.
The new law provides CSA with powers to investigate cybersecurity threats and incidents pertaining to computer systems in Singapore, including computer systems that are not used to support CII, Ibrahim said.
Breach Reporting Challenges
Reporting breaches and other security incidents could prove challenging, says Kumar Ritesh, executive vice president at Antuit, a cybersecurity firm.
"For practitioners, the biggest concern would be working out a mechanism to share incidents, be it data breach or cybersecurity, as there is no incidence response framework in place in these organizations," he notes. "While the bill doesn't prescribe best practices for breach prevention ... imposing a penalty for noncompliance would pose a big cost to practitioners in order to establish an information sharing framework."
Wills says that many owners of CII see security as overhead, "and any additional investment made to establish an incidence response framework of posture would be considered to affect profitability."
The most expensive proposition is building a threat detection capability, because it requires software, hardware, training and program management," says Kumar.
To assist CII owners and their staff get ready for the implementation of the Bill, CSA has developed a Cybersecurity Legislation Initialization Program for Sector Leads, also known CLIPS, to prepare CII owners for their new obligations.
Ibrahim notes that CLIPS will focus on establishing clarity on the roles and responsibilities of the sector regulators and the CII owners and identifying and resolving any operational issue pertaining to the respective sectors. These include harmonizing policies and streamlining audits and incident reporting processes.
Wills suggests practitioners prioritize their budgets in building skills in cybersecurity operations, information security and cyber forensics to analyze and report breaches.
CII owners need policies that are not prohibitive to business functionality, allowing them to flourish while controlling the risk of cyberattacks, Kumar recommends.
Where necessary, CSA will give CII owners time to undertake preparations and planning, prior to issuing the cybersecurity codes of practice or standards of performance for each sector, Ibrahim says.
The new law is part of the Ibrahim's five-year plan announced last year.
"Our national cybersecurity strategy to strengthen Singapore's information infrastructure will give priority to critical sectors of energy, water, transport, health, government, infocomm, media, security and emergency services, and banking and finance," he said.