Regulatory Requirements & Cybersecurity Acts


Questions and Answers

Which of the following accurately describes a regulator's role?

  • To operate businesses within acceptable boundaries as defined by the business owner's point of view.
  • To provide suggestions for businesses pertaining to acceptable security practices.
  • To promote innovation at the expense of industry best practices.
  • To ensure operation within certain industry or domain boundaries as defined by the authority's point of view. (correct)

What is the significance of a regulator having 'legal authority'?

  • It allows the regulator to codify, enforce, and supervise regulations within their defined scope. (correct)
  • It compels companies to list them as stakeholders.
  • It allows the regulator to mainly suggest practices within the industry.
  • It gives the regulator the capacity to implement security measures to codify company policies.

Which of the following is NOT a typical function of a regulator?

  • Advocating for specific companies within a regulated space. (correct)
  • Issuing licenses and permits.
  • Taking enforcement action for violations.
  • Setting minimum requirements for regulated sectors.

Which of the following is an example of a regulator in Singapore for cybersecurity?

  • Cyber Security Agency (CSA). (correct)

Which organization oversees the regulation of financial services institutions in Singapore?

  • Monetary Authority of Singapore (MAS). (correct)

Which of the following is an example of personal data or Personally Identifiable Information (PII)?

  • An individual's full name. (correct)

What fundamental right is the Personal Data Protection concept largely stemming from?

  • The right to be forgotten. (correct)

Data protection primarily deals with control over which of the following aspects of information?

  • Collection, storage, accuracy, use, and dissemination. (correct)

Which of the following is NOT an example of an attack against personal data?

  • Providing generic cybersecurity advice. (correct)

When was the Personal Data Protection Act (PDPA) in Singapore first enacted?

  • 2012. (correct)

What key change was included in the October 2020 amendment to the PDPA?

  • Mandatory data breach notifications and increased financial penalties for non-compliance. (correct)

Which of the following parts was added to the PDPA due to amendment?

  • Part VIA – Notification of Data Breaches. (correct)

According to Section 3 of the PDPA, what is the Act's primary objective?

  • To govern the collection, use, and disclosure of personal data by organizations. (correct)

Under the context of PDPA, what constitutes a 'data breach'?

  • The unauthorised access, collection, use, disclosure, copying, or modification of personal data. (correct)

Which of the following is NOT considered personal data under the PDPA?

  • Aggregate demographic data without individual identifiers. (correct)

Under the PDPA, which entities are generally covered?

  • All organisations, excluding government entities; data intermediaries are subject only to limited obligations. (correct)

What are the key data protection principles reflected in the Nine Obligations under the PDPA?

  • Consent, purpose limitation, notification, access and correction, accuracy, protection, retention limitation, transfer limitation, and accountability. (correct)

What does the Do Not Call (DNC) Registry under the PDPA primarily aim to prohibit?

  • Organisations sending unsolicited marketing messages to Singapore telephone numbers registered with the DNC Registry. (correct)

Under the PDPA, what is the financial penalty for contravening Do Not Call rules?

  • Up to $200,000 for individuals and up to $1 million for companies/organisations. (correct)

Under the PDPA, within what time frame must an organisation notify the PDPC of a data breach, if it is notifiable?

  • As soon as is practicable, but no later than 3 calendar days after assessing that the breach is notifiable. (correct)

According to the PDPA, why is it mandatory for an organisation handling personal data to appoint a Data Protection Officer (DPO)?

  • To help the organisation comply with section 24 of the PDPA (protect personal data by making reasonable security arrangements). (correct)

Why is technology risk management considered mandatory for financial institutions in Singapore?

  • It is a mandatory requirement imposed through MAS notices. (correct)

As per MAS Technology Risk Management (TRM) guidelines, how often should financial institutions conduct risk assessments?

  • Continuously. (correct)

Under MAS Notice CMG-N02, within what timeframe should a financial institution notify MAS of a relevant IT security incident?

  • As soon as possible, but no later than 1 hour after discovery. (correct)

According to MAS TRM guidelines, what measures should an organisation take regarding its IT outsourcing risks?

  • Exercise due diligence prior to outsourcing, and ensure outsourcing does not result in weakening or degradation of existing IT controls. (correct)

What was the original intent of the Computer Misuse Act in 1993?

  • To combat cybercrime and ensure the security of computer systems. (correct)

Which is the accurate description of the Computer Misuse Act Chapter 50A?

  • It has been amended to target cybercrimes committed overseas and against overseas computers. (correct)

According to the Computer Misuse Act, what does Section 8 address?

  • Unauthorised disclosure of an access code (e.g. a password). (correct)

Under Section 15A of the Computer Misuse Act, what powers does the Minister have?

  • To direct any person or organisation to take cybersecurity measures. (correct)

What are the potential liabilities for offences under the Computer Misuse Act?

  • Fines, imprisonment, or both, depending on the type of offence. (correct)

Why was the Cybersecurity Act created?

  • To establish a framework for oversight and maintenance of cybersecurity in Singapore. (correct)

According to the Cybersecurity Act, what is the role of the Commissioner of Cybersecurity?

  • To oversee cybersecurity measures across critical information infrastructure. (correct)

What powers are granted to the CSA under the Cybersecurity Act to manage and respond to cybersecurity threats and incidents?

  • The power to investigate threats, access relevant information, and direct remedial measures. (correct)

How does the Cybersecurity Act seek to regulate cybersecurity service providers?

  • By establishing a light-touch licensing regime to improve service quality. (correct)

What is the primary objective of the licensing framework for cybersecurity service providers under the Cybersecurity Act?

  • To improve assurance on security and safety and raise the quality of cybersecurity services. (correct)

Which of the following best describes 'Critical Information Infrastructure' (CII) under the Cybersecurity Act?

  • Essential services in 11 critical sectors. (correct)

The MAS Technology Risk Management (TRM) guidelines were updated in 2021. Which of the following topics was added to the updated guidelines?

  • Data and Infrastructure Security. (correct)

In the Cybersecurity Act, what are the penalties for non-compliance that are imposed on CII owners?

  • Levied only in cases of wilful non-compliance or wilful refusal to provide information. (correct)

Under the Cybersecurity Act, Investigative Cybersecurity Services licences are required for which of the following activities?

  • Both A and D. (correct)

Flashcards

What is a regulator?

A public authority or government agency responsible for ensuring operations within acceptable boundaries, with legal authority to codify, enforce, and supervise.

What is legal authority?

The power given to a regulator to create and enforce rules.

What are regulator functions?

To establish minimum requirements and expectations, issue licenses, supervise regulated entities, and take enforcement actions.

What is personal data (PII)?

Any information, true or otherwise, that can identify a person.

What does data protection deal with?

Control over data collection, storage, accuracy, use, and dissemination, ensuring data is used only with the consent and knowledge of the subject.

What is 'The Right to Be Forgotten'?

The right of individuals to request the deletion of their personal data.

What is the purpose of PDPA?

To govern the collection, use, and disclosure of personal data by organisations, protecting individual rights while recognising organisational needs.

What is 'personal data'?

Data relating to a person that makes them identifiable.

What is a data breach?

The unauthorised access, collection, use, disclosure, copying or modification of personal data, or the loss of a storage medium or device where such actions are likely to occur.

What are examples of personal data?

Full name, NRIC, photos, phone number, address, DNA profile, etc.

Who must comply with the PDPA?

Organisations (excluding Government entities), whether or not formed or recognised under Singapore law, and whether or not resident or having a place of business in Singapore.

What is the DNC Registry?

Provides transparency and individual choice regarding marketing messages, and protects individuals from unsolicited telemarketing.

What must organisations do about DNC?

Organisations must respect individuals' DNC preferences.

What is MAS TRM?

Sets standards for technology risk management in the financial sector.

Role of technology in business?

Technology is an integral part of both traditional and modern businesses.

What are some requirements of the TRM Notice?

Identify critical systems, maintain high availability, establish a recovery time objective, and notify MAS of incidents.

Key purpose of TRM?

To identify critical systems, prevent downtime and promote effective incident response.

Describe the CMCA.

Covers offences such as unauthorised access, modification, or use of computer material or services.

CMCA: Section 3?

Unauthorised access to computer material.

When did the CMA become the Computer Misuse & Cybersecurity Act?

Introduced in 1993 as the Computer Misuse Act and amended in 2013 to become the "Computer Misuse & Cybersecurity Act Chapter 50A".

What is the Cybersecurity Act?

Addresses cybersecurity threats to critical information infrastructure.

Key objectives of the Cybersecurity Act?

Provides a framework for the regulation of critical information infrastructure and cybersecurity service providers.

CII (Critical Information Infrastructure)?

Essential services in 11 critical sectors: government, healthcare, telecommunications, etc.

Study Notes

Week 3 Agenda

  • Recap on Week 2 lectures
  • Interview Questions
  • Regulatory Requirements
  • Personal Data Protection Act (PDPA)
  • MAS Technology Risk Management (TRM)
  • Computer Misuse Act (CMA)
  • Cybersecurity Act (CA)

Recap - Week 2 Agenda

  • Security Awareness & Communication is an important topic
  • IT Frameworks in General is important to know
  • COBIT 5 is a useful IT framework
  • ISO 27000 series is another useful IT framework

Regulator - Definition

  • Regulators are typically a public authority or government agency
  • A regulator's responsibility is to ensure that a given industry or domain operates within acceptable boundaries, as defined from the authority's point of view
  • Regulators possess the legal authority to codify, enforce and supervise
  • In some cases, an independent regulator may be established
  • A regulator has defined coverage across a jurisdiction or a particular sector within a jurisdiction.

Regulator - Functions

  • Regulators set minimum requirements and expectations for regulated sectors and/or entities
  • Regulators issue licenses, permits and approvals
  • Regulators supervise regulated entities
  • Regulators take enforcement action against violations
  • Regulators align regulation with broader policy direction
  • Regulators ensure a level-playing field within the regulated space
  • Regulators improve relevant regulation

Regulator - Examples in Singapore

  • Financial Services Institutions are regulated by the Monetary Authority of Singapore (MAS)
  • Infocomm & Media is regulated by the Infocomm Media Development Authority (IMDA)
  • Cybersecurity is regulated by the Cyber Security Agency (CSA)
  • Gaming (Casino) is regulated by the Casino Regulatory Authority (CRA)
  • Medical professionals are regulated by professional self-regulatory bodies: the Singapore Medical Council, Singapore Dental Council, Singapore Nursing Board, Singapore Pharmacy Council, Traditional Chinese Medicine Practitioners Board, Optometrists & Opticians Board and Allied Health Professions Council

Regulator - More examples

  • Business entities and public accountants are regulated by the Accounting and Corporate Regulatory Authority (ACRA)
  • Trade is regulated by the Singapore Customs
  • Air Transport is regulated by the Civil Aviation Authority of Singapore
  • Land Transport is regulated by the Land Transport Authority (LTA)
  • Sea Transport is regulated by the Maritime and Port Authority (MPA)
  • Energy is regulated by the Energy Market Authority (EMA)
  • Private Security is regulated by the Police Licensing and Regulatory Department (PLRD)
  • Personal Data Protection is regulated by the Personal Data Protection Commission (PDPC)

Personal Data Protection

  • Personal Data or Personal Identifiable Information (PII) is any information, true or otherwise, that can identify a person
  • The Personal Data Protection concept stemmed from the European concept "The Right to Be Forgotten"
  • Abuse of Personal Data may invade one's right to live their life without any disruption
  • Data Protection deals with collection, storage, accuracy, use and dissemination of relevant information
  • Data should only be used with consent and knowledge of the subject
  • Data protection is also extended to the accuracy/correctness of personal data of an individual
  • Attacks against personal data include identity theft, identity cloning, unsolicited communications (calls, mail and email), social repercussions, and cyber bullying
  • The US Federal Trade Commission received over 280,000 complaints of identity theft in 2013
  • Stolen identities are used in fraudulent activities including government benefit fraud, credit card fraud, phone/utilities fraud and bank fraud

Personal Data Protection Act (PDPA)

  • The Personal Data Protection Act was enacted in 2012

PDPA - Timeline

  • 15 Oct 2012 - Personal Data Protection Bill passed into law by Parliament
  • 2 Jan 2013 - PDPC formed and selected provisions of the Act came into force
  • Jan 2014 - Do Not Call Registry came in force
  • July 2014 - Full Act came in force

PDPA - Public Consultations

  • May-Oct 2020: Consultation on draft Personal Data Protection (Amendment) Bill
  • Nov-Dec 2017: Public Consultation for the Proposed Advisory Guidelines on the PDPA for NRIC Numbers
  • Jul-Sep 2017: Public Consultation on Approaches to Managing Personal Data in the Digital Economy
  • May-Jun 2014: Public Consultation on the Proposed Advisory Guidelines for the Education, Healthcare and Social Service Sectors and Photography
  • Jan-Feb 2014: Public Consultation on the Proposed Real Estate Agency and Telecommunication Advisory Guidelines
  • May-Jun 2013: Public Consultation on the Proposed Business Operation of the Do Not Call Registry
  • Feb-Apr 2013: Public Consultation on Proposed Regulations and Advisory Guidelines

PDPA - Amendments

  • The PDPA was amended in October 2020 to include mandatory data breach notifications
  • The PDPA was amended to include expanded deemed consent framework (Deemed consent by notification)
  • The PDPA was amended to include exceptions to consent for legitimate interest
  • The PDPA was amended to include increased financial penalties for non-compliance
  • The PDPA was amended to include a new Data Portability Obligation, allowing individuals to request that their data be transmitted to another organisation with a business presence in Singapore

PDPA - Changes

  • Part I: Preliminary
  • Part II: Personal Data Protection Commission and Administration
  • Parts III to VI: the Nine Obligations (data protection provisions)
  • Part VIA (added by the 2020 amendment): Notification of Data Breaches
  • Part VIB (added by the 2020 amendment): Data Portability
  • Part IX: Do Not Call Registry
  • Part IXA: Dictionary Attacks and Address-Harvesting Software
  • Part IXB: Offences Affecting Personal Data and Anonymised Information
  • Parts VII and VIII (enforcement provisions) were deleted and replaced by Parts IXC and IXD

PDPA - Purpose

  • Section 3 states the purpose of the PDPA: to govern the collection, use and disclosure of personal data by organisations
  • The Act recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data
  • Such collection, use or disclosure must be for purposes that a reasonable person would consider appropriate in the circumstances

PDPA - Definition

  • "personal data" means data, whether true or not, about an individual who can be identified (a) from that data, or (b) from that data and other information to which the organisation has or is likely to have access
  • "individual" means a natural person, whether living or deceased
  • "organisation" includes any individual, company, association or body of persons, corporate or unincorporated, whether or not formed or recognised under the law of Singapore
  • The definition applies whether or not the organisation is resident, or has an office or a place of business, in Singapore

PDPA - What is a Data Breach

  • A data breach means (a) the unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data, or
  • (b) the loss of any storage medium or device on which personal data is stored, in circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur

PDPA - Examples of Personal Data

  • Full Name
  • NRIC, FIN, Passport number, Birth Certificate number
  • Photo or Video of an individual
  • Fingerprint
  • Mobile phone number
  • Personal email address
  • DNA profile
  • Name and residential address

PDPA - Scope

  • Covers all organisations (except Government entities), whether or not (a) formed or recognised under the law of Singapore, or (b) resident, or having an office or place of business, in Singapore
  • Data intermediaries (organisations processing personal data on behalf of another organisation under a written contract) are exempt from most of the obligations, but remain subject to the Protection and Retention Limitation Obligations
  • Covers any personal data, true or not, about living or deceased individuals, regardless of sensitivity or form (electronic or not)
  • Does not cover personal data contained in records that have existed for over 100 years, personal data of an individual deceased for more than 10 years, or business contact information

PDPA - Data Protection Principles

  • Reflected in the Nine (9) Obligations under the PDPA
  • Consent Obligation, Purpose Limitation Obligation, Notification Obligation, Access and Correction Obligation, Accuracy Obligation, Protection Obligation, Retention Limitation Obligation, Transfer Limitation Obligation, and Accountability Obligation
  • Consent: consent is required before personal data is collected, used or disclosed
  • Purpose limitation: data may only be collected, used or disclosed for purposes that a reasonable person would consider appropriate in the circumstances
  • Notification: individuals must be informed of the purpose(s) for collection, use and disclosure; fresh consent is needed for any purpose beyond those notified
  • Access and correction: an individual has the right to request access to their personal data held by an organisation, including how it has been used or disclosed, and to request that it be corrected
  • Accuracy: an organisation shall make reasonable effort to ensure the personal data it collects is accurate and complete
  • Protection: an organisation shall protect personal data in its possession or under its control with reasonable security arrangements
  • Retention limitation: an organisation shall cease to retain personal data once the purpose for collection is no longer served and retention is no longer necessary for legal or business purposes
  • Transfer limitation: an organisation shall not transfer personal data outside Singapore unless the prescribed conditions are met
  • Accountability: an organisation shall implement policies and practices to meet its obligations and make information about them available on request

DNC Registry

  • A part of the provision of PDPA 2012
  • Prohibits organisations from sending marketing messages in the form of voice calls, text or fax messages to Singapore telephone numbers, registered with the DNC Registry

PDPA - Incidents in Singapore

  • A variety of PDPA incidents in Singapore have been prosecuted or enforced against. Examples reported in the press:
  • "Nepalese doctor loses $94,000 to imposter"
  • "Criminal record of seven expunged after police review discovered identity theft"
  • "Property salesperson to be charged for breaching the Do Not Call requirements"
  • "PDPC takes action against tuition agency and organisations for breaching the Do Not Call requirements"

PDPA - Financial Penalties

  • If any of the nine obligations or the new (tenth) data breach notification obligation is contravened, the maximum financial penalty is 10% of annual turnover in Singapore for an organisation with annual turnover exceeding $10 million, or $1 million, whichever is higher
  • If the Do Not Call rules are contravened, individuals can be fined up to $200,000 and companies/organisations up to $1 million

PDPA - Data Breach Notification Info

  • A Data breach is notifiable if it results in, or is likely to result in, significant harm to the affected individual; or is or is likely to be of a significant scale.
  • Timing to notify PDPC is as soon as is practicable, but no longer than 3 calendar days after the day the organisation assesses that a data breach is a notifiable data breach.

PDPA - DPO Info

  • It is mandatory under the PDPA for any organisation handling personal data to appoint at least one Data Protection Officer (DPO)
  • The DPO's duties include helping the organisation comply with section 24 of the PDPA, the Protection Obligation: protecting personal data by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks

MAS Technology Risk Management (TRM)

  • Overview of what TRM is and its history

TRM - Tech Role

  • Technology supports both traditional and modern businesses, as an integral part of most businesses today
  • Information Technology has evolved from data processing to automation and finally as business enabler
  • The complexity of IT, and the business's dependency on it, increase along with the larger role it assumes
  • High reliance and complexity of IT brings heightened risk of business disruptions

TRM - Risk Issues

  • Banking and Financial Service Industry is a critical area of any country's economy and Singapore is a major financial hub.
  • There are different risks including business, operational and technology.
  • Technology is a key focus by Monetary Authority of Singapore.
  • Technology risk management is made mandatory through MAS notices

TRM - Real world examples

  • DBS had a service outage on online and branch banking systems on 5 July 2010 caused by breakdown of the Bank's mainframe-storage area network, where MAS took a supervisory action.

  • OCBC had a service outage on online and branch banking system on 13 Sept 2011, and MAS took a supervisory action.

  • DBS Bank customers were hit by ATM fraud again in Feb 2012

  • Citi, DBS, UOB and OCBC customers all hit by fraudulent credit card transaction in February 2014

TRM - Regulation vs Self-regulation

  • It is difficult to strike the right balance between regulation and self-regulation

TRM - Guidelines

  • Technology Risk Management Notices and Guidelines from MAS are designed to help

  • MAS issued 12 notices and guidelines on 21 June 2013

  • Each notice is addressed to a category of financial institution within the financial services industry, e.g. banks, insurers, brokers, etc.

  • Notices are issued under the relevant Acts, which means they are mandatory and enforceable

  • The notices came into force on 1 July 2014

  • MAS issued Consultation Paper on Proposed Revisions to Technology Risk Management (TRM) Guidelines on 7 March 2019 and the current version is TRM 18 January 2021

TRM - Guidelines Development

  • TRM Guidelines are developed and iteratively improved

TRM - IBTRM vs TRM

  • The IBTRM Guidelines (2001 to 2008) covered risk assessment for banks offering Internet banking, while the TRM Notices (2013) are legally binding on all financial institutions and apply to all critical systems
  • Under Notice CMG-N02 (revised 6 Mar 2014): recovery time for a critical system must not exceed 4 hours, unscheduled downtime must not exceed 4 hours in any 12-month period, incidents must be notified within 1 hour, and root cause analysis submitted within 14 days

TRM - Publication

  • Notices: legal requirements
  • Guidelines: Technology Risk Management (TRM) Guidelines
  • Checklist: Compliance Checklist
  • Report: IT Incident Report Template

TRM - Requirements of TRM Notice CMG N02

  • Establish a framework and process to identify critical systems
  • High availability (HA) for critical systems: unscheduled downtime should not exceed a total of 4 hours in any rolling 12 months
  • Recovery Time Objective (RTO) should not exceed 4 hours for critical systems
  • Notify MAS of a relevant incident (system malfunction or IT security incident) within 1 hour of discovery
  • Submit a root cause and impact analysis report to MAS within 14 days
  • Implement IT controls to protect customer data

TRM - More details

  • Financial institutions shall put in place a framework and process to identify critical systems, i.e. systems whose unavailability would significantly disrupt the financial institution
  • Risk assessment can then be performed on the critical systems
  • Risk treatment brings the risk from critical systems down to an acceptable level
  • Identification enables monitoring of critical systems for early and prompt detection, and optimises resources to protect critical systems (instead of arbitrary systems)
  • Financial institutions shall make all reasonable effort to maintain high availability for critical systems by ensuring that the maximum unscheduled downtime for each critical system does not exceed a total of 4 hours within any period of 12 months
  • The design of critical systems should include any redundancies required to keep the system running regardless of disruption
  • This may include technologies such as mirror processing and hot sites; system stability is key to preventing repeated downtime
  • A financial institution shall establish a recovery time objective (RTO) of not more than 4 hours for each critical system
  • The objective is to minimise downtime when disruption is unavoidable, with adequate competencies and capacity to deal with disruption and robust incident management and handling processes

TRM - Incident Response

  • The Authority must be notified within 1 hour of discovery of a relevant incident
  • Within 14 days of discovery of the relevant incident, a root cause and impact analysis report must be submitted to the Authority
  • Visibility of incidents allows the Authority to determine whether systemic attacks or disruptions are taking place; the root cause and impact analysis allows thorough investigation of material incidents for preventive action
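The three timelines above (4 hours of unscheduled downtime per critical system in any 12-month period, MAS notified within 1 hour of discovery, root cause and impact report within 14 days) are the kind of thing a financial institution's security team ends up checking against its own incident log. The Python below is an added example written for these notes, not code from MAS or from the lecture: it reads a list of incidents and reports, per system, which of those timelines were missed. The `Incident` record, the reading of "any period of 12 months" as a 365-day rolling window, and the sample incidents are all constructed assumptions for the demonstration; the 4-hour RTO is a design target rather than something observable in a log, so it is not checked here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Thresholds as summarised from MAS Notice CMG-N02 in the notes above.
MAX_UNSCHEDULED_DOWNTIME = timedelta(hours=4)   # per critical system, within any 12 months
ROLLING_WINDOW = timedelta(days=365)            # "any period of 12 months" (assumption: 365 days)
NOTIFY_MAS_WITHIN = timedelta(hours=1)          # from discovery of a relevant incident
RCA_WITHIN = timedelta(days=14)                 # root cause and impact analysis report


@dataclass
class Incident:
    """Assumed shape of one incident-log record (not a MAS template)."""
    system: str
    start: datetime                      # outage start
    end: datetime                        # service restored
    scheduled: bool                      # planned maintenance does not count toward the cap
    discovered: datetime                 # when the FI became aware of the incident
    mas_notified: Optional[datetime] = None
    rca_submitted: Optional[datetime] = None

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


def worst_rolling_downtime(incidents: List[Incident],
                           window: timedelta = ROLLING_WINDOW) -> timedelta:
    """Largest total unscheduled downtime for one system inside any window-length period.

    Each outage is attributed to a window by its start time. Only windows that begin
    at an outage start need testing: moving any window's start forward to the first
    outage it contains keeps every outage it held and may pick up more, so the
    maximum over all windows is attained at one of these anchors.
    """
    outages = sorted((i for i in incidents if not i.scheduled), key=lambda i: i.start)
    worst = timedelta(0)
    for anchor in outages:
        window_end = anchor.start + window
        total = sum((o.duration for o in outages
                     if anchor.start <= o.start < window_end), timedelta(0))
        worst = max(worst, total)
    return worst


def notice_findings(incidents: List[Incident]) -> Dict[str, List[str]]:
    """Per-system findings against the 4 h cap, 1 h notification and 14 d report timelines."""
    by_system: Dict[str, List[Incident]] = {}
    for inc in incidents:
        by_system.setdefault(inc.system, []).append(inc)

    findings: Dict[str, List[str]] = {}
    for system, incs in sorted(by_system.items()):
        issues: List[str] = []
        worst = worst_rolling_downtime(incs)
        if worst > MAX_UNSCHEDULED_DOWNTIME:
            issues.append(f"unscheduled downtime {worst} in a 12-month window exceeds 4h")
        for inc in incs:
            if inc.scheduled:        # planned maintenance is not a "relevant incident"
                continue
            if inc.mas_notified is None or inc.mas_notified - inc.discovered > NOTIFY_MAS_WITHIN:
                issues.append(f"{inc.start:%Y-%m-%d}: MAS not notified within 1h of discovery")
            if inc.rca_submitted is None or inc.rca_submitted - inc.discovered > RCA_WITHIN:
                issues.append(f"{inc.start:%Y-%m-%d}: root cause report not submitted within 14 days")
        findings[system] = issues
    return findings


def sample_incidents() -> List[Incident]:
    """Constructed sample data for the demonstration; not real incident records."""
    d = datetime
    return [
        # 2h30 outage, MAS notified after 35 min, report after 10 days: compliant
        Incident("core-banking", d(2023, 1, 10, 9, 0), d(2023, 1, 10, 11, 30), False,
                 d(2023, 1, 10, 9, 5), d(2023, 1, 10, 9, 40), d(2023, 1, 20, 12, 0)),
        # 2h outage: 12-month total reaches 4h30; notified 2h20 after discovery, report after 28 days
        Incident("core-banking", d(2023, 6, 2, 1, 0), d(2023, 6, 2, 3, 0), False,
                 d(2023, 6, 2, 1, 10), d(2023, 6, 2, 3, 30), d(2023, 6, 30, 9, 0)),
        # 4h scheduled maintenance: excluded from the cap
        Incident("core-banking", d(2023, 8, 15, 22, 0), d(2023, 8, 16, 2, 0), True,
                 d(2023, 8, 15, 22, 0)),
        # two 1h outages 356 days apart: 2h in one window, within the cap
        Incident("internet-banking", d(2023, 3, 1, 8, 0), d(2023, 3, 1, 9, 0), False,
                 d(2023, 3, 1, 8, 2), d(2023, 3, 1, 8, 30), d(2023, 3, 10, 10, 0)),
        Incident("internet-banking", d(2024, 2, 20, 8, 0), d(2024, 2, 20, 9, 0), False,
                 d(2024, 2, 20, 8, 2), d(2024, 2, 20, 8, 30), d(2024, 2, 28, 10, 0)),
    ]


if __name__ == "__main__":
    for system, issues in notice_findings(sample_incidents()).items():
        print(system, "->", issues or ["no findings"])
```

On the sample data, core-banking gets three findings (the cumulative 4h30 in one window, the late notification and the late report for the June incident) and internet-banking gets none, because its two one-hour outages total only 2 hours even though both fall inside one 365-day window. The point of the rolling window is that a single short outage can tip a system over the cap because of earlier incidents, so the check has to look back a full year rather than at each incident alone.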

TRM - IT Controls

  • Financial institutions shall implement IT controls to protect customer information from unauthorised access or disclosure; the TRM Guidelines serve as a reference for the IT controls to implement

TRM Guidelines

  • The TRM Guidelines cover the following areas of a financial institution's technology operations

  • Governance and Oversight: the Board of Directors and Senior Management are accountable for establishing the technology risk management framework, should be involved in key IT decisions, are responsible for achieving security, reliability, resiliency and recoverability, and should ensure IT policies, standards and procedures, people screening processes and IT security awareness are in place

  • Technology Risk Management Framework: establish the framework, institute effective risk management practices and internal controls, identify the criticality of information system assets, conduct risk identification and risk assessment/analysis, develop proper risk treatment plans, and maintain a risk register with regular monitoring and reporting

  • IT Outsourcing Risks: the Board of Directors and Senior Management must exercise due diligence, outsourcing shall not result in weakening or degradation of existing IT controls, and cloud computing is considered a form of outsourcing

  • IS Systems and IT Project Management: ensure management oversight, identify security requirements early, and perform security testing and source code review

  • IT Service Management: change management, robust incident management, effective problem management, and capacity management to plan for additional resources

  • System Reliability: high system availability, speedy recovery through the Disaster Recovery Plan, regular testing of the plan to measure its effectiveness, and backups with testing and validation of recovery

  • Infrastructure Security Management: data protection with data loss prevention (DLP), technology refresh to avoid the significant risk of legacy systems, standardised and proper configuration, patch management procedures, and continuous monitoring to detect attacks

  • Data Centre Protection and Controls: regular threat and vulnerability risk assessments, physical security measures, and data centre resiliency

  • Access Control: user access management on a need-to-use basis, and supervision of privileged access

  • Online Financial Services: secure internet-facing systems against relevant attacks such as Denial of Service (DoS), use two-factor authentication, promote customer awareness, and encrypt sensitive data

  • Payment Card Security: safeguards to protect payment card data, use of technology such as one-time passwords (OTP) and fraud detection, and protection against skimming attacks

  • IT Audit: independent assessment for the Board of Directors and senior management, with adequate coverage in the audit plan, and monitoring and escalation of audit issues

  • The latest MAS TRM Guidelines provide more information on each of the areas listed above

IT service management

  • An effective IT Audit function provides independent assessment
  • The IT Audit plan should have adequate coverage for the board of directors and senior management
  • IT audit issues are to be monitored and escalated

Computer Misuse Act Chapter 50A (CMA)

  • Overview and history to understand the law

CMA - Overview

  • Originally introduced in 1993 as the Computer Misuse Act, a legislative response to combat cybercrime
  • Amended many times and renamed in 2013 to "Computer Misuse & Cybersecurity Act Chapter 50A" to include cybersecurity measures; last amended in 2017
  • Now called the Computer Misuse Act Chapter 50A after the Cybersecurity Act was introduced separately

CMA - 2017 Amendments

  • 4 key changes were implemented in 2017
  • Offence to obtain, retain or supply personal info obtained through cybercrime
  • Offence to obtain items which can be used to commit cybercrimes
  • Target cybercrimes committed overseas, against overseas computers
  • Allow amalgamation of cybercrime charges

CMA - Key Offences

  • Section 3 - Unauthorised access to computer material is illegal
  • Section 4 - Access with intent to commit or facilitate commission of offence is illegal
  • Section 5 - Unauthorised modification of computer material is illegal
  • Section 6 - Unauthorised use or interception of computer service is illegal
  • Section 7 - Unauthorised obstruction of use of computer is illegal
  • Section 8 - Unauthorised disclosure of access code (e.g. password) is illegal
  • Section 8A - Supplying personal information obtained in contravention of Section 3 to 6 above is illegal
  • Section 8B - Obtaining items for use to commit offence under Section 3 to 7 above is illegal

CMA - Others

  • Section 9 - Enhanced punishment for offences involving protected computers; protected computers include those related to the security, defence and international relations of Singapore, public safety systems (e.g. police, medical services, etc.), etc.
  • Section 10 - Abetments and attempts punishable as offences: includes abetments, attempts to commit, and preparation to commit
  • Section 11 - Territorial scope: includes acts within or outside of Singapore
  • Section 12 - Amalgamation of charges
  • Section 15A - Cybersecurity measures and requirements: the Minister has power to direct any person or organization to take measures
  • Section 16 - Arrest by police without warrant is possible

CMA - Liabilities

  • Ranging from fines up to $100,000 and imprisonment up to 20 years, depending on the classification of the conviction
  • Takes into account subsequent convictions, as well as any damage caused, whether protected computers were involved, and the type of offence.

CMA - Cases

  • PP v Ang Han Siong [2016]: sentenced to 5 months' imprisonment for dishonestly misappropriating victims' wallets and using the victims' credit cards, in relation to Section 3(1) CMCA.
  • PP v Koh Chee Tong [2016]: sentenced to 12 weeks' imprisonment on 24 counts of unauthorised access to data in the UOB computer system under Section 3(1) of the CMCA.
  • PP v James Raj s/o Arokiasamy [2015]: sentenced to 56 months' imprisonment for carrying out computer attacks on several websites under the moniker "The Messiah". Pleaded guilty to 39 offences under the CMCA and one charge under the Misuse of Drugs Act.

Cybersecurity Act

  • Overview of the Act

CA - Overview

  • In July 2017, MCI and CSA issued a Public Consultation Paper on the draft Cybersecurity Bill; the consultation closed in Nov 2017 and the Bill was passed in early 2018
  • The purpose is to establish a framework for the oversight and maintenance of cybersecurity in Singapore and to empower CSA officers to carry out their functions, including the appointment of a Commissioner of Cybersecurity, a position to be held by the CEO of CSA

CA - Key Objectives

  • Provide framework for regulation of Critical Information Infrastructure (CII)
  • Provide CSA with powers to manage and respond to cybersecurity threats and incidents
  • Establish framework for sharing of cybersecurity information with CSA and protection of such information
  • Establish a light-touch licensing framework for cybersecurity service providers

CA - Critical Information Infrastructure (CII)

  • CII is defined as infrastructure providing essential services in 11 critical sectors, e.g. government, healthcare, telecommunications, etc.
  • CIIs may be owned by either the public or the private sector
  • The Commissioner has power to designate CII
  • CII owners are responsible for maintaining the cybersecurity of their CII, with a duty to provide information, a duty to report incidents, a duty to conduct audits, etc.
  • An Assistant Commissioner is appointed to assist the Commissioner in overseeing the cybersecurity of CIIs

CA - Incident Response

  • Provides CSA with powers to investigate a threat or incident, which can be delegated to the Assistant Commissioner or other authorized officers
  • These powers include examining anyone relevant to the investigation (where the person will not be treated as having breached any restrictions), access to relevant information (e.g. technical logs), directing persons to carry out remedial measures (e.g. scan computers for vulnerabilities, enter premises to locate computers, etc.), and seizing computers or equipment for investigation

CA - Penalties

  • Include fines up to $25,000 or imprisonment up to 2 years
  • Penalties are not meant to penalize owners of CIIs
  • Will be levied only in cases of wilful non-compliance or wilful refusal to provide information

CA - Regulations

  • Regulation of cybersecurity service providers has the purpose of improving assurance on security and safety, raising the quality of and appreciation for such services, and addressing information asymmetry
  • To achieve the above purpose, a light-touch licensing regime is proposed

CA - License types

  • There are 2 types of licences proposed:
  • Investigative cybersecurity services - e.g. vulnerability assessments, etc.
  • Non-investigative cybersecurity services - e.g. monitoring, compliance checking, etc.
  • Licences will cover cybersecurity service providers and cybersecurity professionals, with a provision to start with penetration testing and managed Security Operations Centre (SOC) services first; providers and professionals will be required to meet certain requirements
  • Note: in-house provision of cybersecurity services is exempted from the licensing requirement
