Early this year, Singapore passed the Cybersecurity Act, which establishes a legal framework for the oversight and maintenance of national cybersecurity. Its key objectives are to strengthen the protection of Critical Information Infrastructure (CII) against cyber-attacks and to establish a framework for sharing cybersecurity information.
We raise the issue today because Gemalto has just pointed out how Singapore’s Cybersecurity Act impacts IT security professionals:
1. PDPC’s 72-hour reporting timeframe: The Personal Data Protection Commission (PDPC) plans to introduce a 72-hour timeframe for the reporting of security breaches. Organizations will have 30 days in which to assess if breaches are eligible for reporting.
2. Compliance by CII owners: Companies designated under the 11 Critical Information Infrastructure (CII) Sectors (aviation, healthcare, land transport, maritime, media, security and emergency, water, banking and finance, government, energy, and infocomm) have to comply with the Bill, potentially incurring additional costs to put in place a multi-layered security solution to protect their infrastructure, safeguard their sensitive data, and achieve local and global compliance.
3. Licensing of cyber security services: Third-party cybersecurity and investigative work that involves security hacking and forensic examination, and non-investigative work such as managed security operations, must be licensed. It is in customers’ interests to select vendors already compliant with the various industry standards.
4. Submission of sensitive data: In the event of a security breach, companies may be required to submit sensitive data to the authorities for investigation.
5. Geographic segregation: Only CII owners whose computer systems are physically located in Singapore are subject to the Cyber Security Bill. It is imperative for companies to know where their sensitive data is stored and to conduct periodic cybersecurity audits and risk assessments. Encryption provides persistent protection of sensitive data at all critical points in its lifecycle.