Singapore is ramping up its already impressive level of cybersecurity protection with a proposed bill. But organisations must take their share of responsibility, too
Studying this technical article and answering the related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We'd suggest that you use this as a guide when allocating yourself CPD units.
This article was first published in the November/December 2017 Singapore edition of Accounting and Business magazine.
Despite being one of the world’s most digitally connected countries, Singapore emerged relatively unscathed from the recent WannaCry and Petya malware attacks. But that’s perhaps less surprising when you know that the small city-state topped the International Telecommunication Union’s Global Cybersecurity Index 2017, just ahead of the US.
Yet the Singaporean authorities are not resting on their laurels. Recognising the growing threat, the government is taking proactive steps to further strengthen the national cybersecurity strategy. In April, an operation by Interpol uncovered significant cyberthreats across the Association of Southeast Asian Nations (ASEAN), with nearly 9,000 command-and-control (C2) servers across the region and hundreds of compromised websites, including government portals that were laden with malware. That same month, amendments to Singapore’s Computer Misuse and Cybersecurity Act criminalised the use of hacked data and the obtaining of, or dealing in, hacking tools.
The country is now considering introducing a standalone Cybersecurity Bill that will mandate that critical information infrastructure (CII) facilities report any cybersecurity breach. The Personal Data Protection Commission has also announced that it will soon become mandatory for organisations to inform customers of personal data breaches immediately.
The proposed bill will establish a framework for the oversight and maintenance of national cybersecurity. It will also seek to minimise the risks of cyberthreats, by formalising the duties of CII owners in ensuring the security of facilities under their responsibility, even before an incident has occurred, while also providing the Cyber Security Agency of Singapore with stronger powers. And it sets out a framework for sharing information for the purpose of ‘preventing, detecting, countering or investigating any cybersecurity threat or incident.’
Importantly, CII owners will become liable if they fail to adhere to and uphold good practices. ‘While traditionally fines have been effective, the likelihood of imprisonment, owing to the responsibilities that CII owners have to the civic society as a whole, would likely improve the effectiveness of the legislation,’ remarks Thio Tse Gan, cyber security leader at Deloitte Southeast Asia and Singapore.
But Thio also warns that such regulations are not in themselves a safeguard against the associated risk: ‘Organisations need to be accountable and be responsible for their cybersecurity posture,’ he says. ‘Awareness is good, risk appreciation is better, but mitigation is the only way to ensure businesses continue to operate during a crisis.’
Law and security experts have described the proposed Cybersecurity Bill as decisive and timely. Mark Shmulevich, a member of the talent and capabilities committee of the Singapore Infocomm Technology Federation and chief strategy and operations officer of Acronis Asia, says the bill ‘aggressively promotes proactive measures that the CII owners must take in order to keep the business undisrupted. The penalty for cybersecurity vendors for not obtaining a licence required by the bill may seem harsh but, given the importance of the matter considered, it is justified.’
The healthcare, banking and finance sectors will be among the most affected, and the bill will require additional compliance procedures for cybersecurity providers, some of which could be quite costly. While the bill is aimed at regulating CII providers, Lucien Mounier, a cyber-risks underwriter at Beazley Group, believes it will have ripple effects, as these companies will ‘most likely start having higher requirements from their clients and partners, and those are likely to be smaller firms and those in other industries.
‘If you want to secure your data, you’ll need to make sure that you not only secure your own computer systems but any partners’ and clients’ that have access to your system. If there is one weak link in the chain it could be an open door to a lot of valuable information,’ he says.
In its report Cyber Risk in Asia-Pacific: The Case for Greater Transparency, Marsh’s Asia Pacific Risk Center points out that while cybercrime is a growing risk for large companies, it may be an even greater concern for SMEs, as these may be less resilient than their larger counterparts. SMEs generally have less sophisticated systems and technology, and may lack internal resources; they might also be using untrusted outsourced partners and have a greater dependence on a smaller number of customers, the report noted, adding that Asia Pacific as a whole was ‘an ideal environment for cyber criminals to thrive in due to high digital connectivity, contrasted with low cybersecurity awareness, growing cross-border data transfers and weak regulations’.
A recent survey jointly conducted by local security vendor Quann and research firm IDC showed that almost 91% of the surveyed Singapore companies were in the early stages of security preparedness, with 54% not having systems in place to trigger alerts of unusual activities, and 40% not having incident response plans. It also identified significant gaps in security device deployment, awareness, resources and preparedness.
Richard Green, managing director and head of financial risk products at Marsh Asia, warns that there is a general misconception that cyberattacks only target big companies, with attacks on SMEs becoming increasingly common as a means for gaining access into the networks of bigger organisations. While SMEs are aware of the direct effects, they may not realise the full danger. ‘Indirect impacts, such as time and money incurred during post-incident forensic investigations, litigation and compensation, notification to affected parties and reputational damage, can all have material financial implications to companies,’ he explains.
A survey of Singapore-based SMEs conducted by Beazley and the Singapore Business Federation in late 2016 found that cybersecurity is one of the biggest concerns for local SMEs: 75% stated that cybersecurity had increased in importance for their business over the previous three years, 25% reported that they had experienced an attempted or actual data breach or cyberattack in the previous 12 months, and nearly a fifth were unsure whether they had. Yet 40% were confident they were adequately protected. Among the most important concerns of those surveyed were protecting their reputation and ensuring data and information were not compromised, ahead of protecting revenues and securing new customers.
The recent Quann survey reveals a low level of engagement from senior leadership in formulating IT security strategies. While 91% of Singaporean respondents consult security executives, only 16% invite those executives to board meetings and involve them in risk assessment.
Thio says that the spectrum of preparedness among Singapore firms depends on the level of awareness not only in the boardroom but also among management: ‘One of the benefits of introducing such a bill lies in the awareness it creates within the community,’ he says. ‘Many organisations are re-examining their level of preparedness through the performance of risk assessments to understand their risks.’
He believes the Singaporean government should aim to progressively extend the reach of the act beyond CII, pointing out that this supports its Smart Nation initiative to integrate technology into all aspects of life.
While the immediate impact of the bill may not be significant in the short term, Thio says, ‘it has laid the foundation for creating a cyber-aware, cyber-responsible ecosystem within the country. This will serve to enhance the Singapore brand further in the next lap of our economic development.’
Sonia Kolesnikov-Jessop, journalist