Reproduced with permission from Privacy & Security Law Report, 16 PVLR 975, 7/17/17. Copyright 2017 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com
Companies providing critical infrastructure services in Singapore would have new cybersecurity compliance obligations under recently released draft legislation.
The new obligations would apply to companies involved in providing governmental, security and emergency, health-care, telecommunications, banking and finance, energy, water, media, land transport, air transport, and maritime services. They would include meeting cybersecurity standards to be specified later, conducting audits and risk analysis, and cooperating with regulatory investigations.
The bill, proposed by the Cyber Security Agency (CSA) of Singapore and Ministry for Communications and Information July 10, is aimed at protecting critical information infrastructure (CII) computers or computer systems from cyberattacks. It would require CII owners to notify the CSA of cyberattacks, regularly audit system security, conduct risk assessments, participate in cybersecurity exercises, and give the CSA access to computers and information during investigations.
Companies and executives that fail to respond to an information request would be subject to fines of up to S$100,000 ($72,654) and/or imprisonment for up to 2 years. Additional fines of up to S$5,000 ($3,633) per day would apply for refusals to comply following a conviction.
Many of the requirements in the draft bill are things that companies should already be doing, Vincent Loy, partner and Asia Pacific financial crime and cyber leader at PwC LLP in Singapore, told Bloomberg BNA. However, the bill would formalize cybersecurity requirements and give regulators the authority to hold companies liable if they don’t comply, he said.
Stella Cramer, co-head of the technology and innovation practice for Asia at Norton Rose Fulbright in Singapore, told Bloomberg BNA that the cost of compliance will increase if the draft bill becomes law. However, it's the cost of doing business, especially given the broad negative effect that recent cyberattacks such as WannaCry and Petya represent, she said.
The draft proposes a flexible regulatory framework that will account for “the unique circumstances of each sector and requires industry to take a proactive approach to enhance cybersecurity before threats and incidents happen—based on the risk profile of the sector,” Cramer said.