Cybersecurity Presentation PDF
Document Details
Uploaded by AffordableAlbuquerque2438
Singapore Institute of Legal Education
David N. Alfred
Tags
Summary
This presentation discusses data protection and cyber regulation, specifically focusing on cybersecurity. It covers topics such as the introduction to cybersecurity, the Cybersecurity Act 2018, and the Personal Data Protection Act 2012. It also includes sections on readings, some starting questions, laws that regulate cybersecurity, and why cybersecurity is regulated.
Full Transcript
Data Protection and Cyber Regulation - Unit 2: Cybersecurity David N. Alfred Director & Co-Head, Data Protection, Privacy & Cybersecurity Practice, Drew & Napier Co-Head, Drew Data Protection & Cybersecurity Academy Topics Covered 1. Introduction to Cybersecurity 2. Cybersecurity Act 2018 3. Perso...
Data Protection and Cyber Regulation - Unit 2: Cybersecurity David N. Alfred Director & Co-Head, Data Protection, Privacy & Cybersecurity Practice, Drew & Napier Co-Head, Drew Data Protection & Cybersecurity Academy Topics Covered 1. Introduction to Cybersecurity 2. Cybersecurity Act 2018 3. Personal Data Protection Act 2012 Unit 1: Data Protection 2 Readings for this Unit 1. Cybersecurity Act 2018 (CYSA), Sections 7, 10 to 16, 19 and 20 and First Schedule 2. Cyber Security Agency, Cybersecurity Code of Practice for Critical Information Infrastructure, Section 3 (Governance Requirements) 3. Personal Data Protection Act 2012 (PDPA), Sections 24 and 26A to 26E 4. Personal Data (Notification of Data Breaches) Regulations 2021 (DBNR) 5. SGPDPC 3 Singapore Health Services Pte Ltd and Integrated Health Information Systems Pte Ltd 6. Personal Data Protection Commission (PDPC), Advisory Guidelines on Key Concepts in the Personal Data Protection Act (Strongly Recommended) Unit 1: Data Protection 3 1| Introduction to Cybersecurity Unit 2: Cybersecurity 4 Cybersecurity as Part of Total Defence Unit 2: Cybersecurity 5 Some starting questions 1. What is cybersecurity? – “Cybersecurity is the practice of defending computers, servers, mobile devices, electronic systems, networks and data from malicious attacks” (Source: Kaspersky website) – Protecting confidentiality, integrity and availability of systems and data (the “CIA” of cybersecurity) – Resilience of systems – Other definitions? 2. What is cybersecurity law? – Laws that regulate how businesses and other organisations: protect their computer systems and data from cyber-attacks Respond to cyber-attacks and data breaches Unit 1: Data Protection 6 Laws that Regulate Cybersecurity *We are *CYSA: CII and other focusing on the systems CYSA and the PDPA Others (e.g. *PDPA: national Protection security of Personal laws) Data Cybersecurity Sectoral Sectoral Laws: Laws: Telecom Financial Systems information Sectoral Laws: Healthcare Information Unit 2: Cybersecurity 7 Why regulate cybersecurity? Unit 1: Data Protection 8 Why regulate cybersecurity? Significant increase in number of cyberattacks in recent years Some motivations of cyber-criminals: – Organised crime – to make a profit from their criminal activities – Corporate cyber-espionage – State actors – Individual reputation – Cyber-activism (Hacktivism) Unit 1: Data Protection 9 Why regulate cybersecurity? Numerous types of malware: – Ransomware - Hit 65% of organisations in Singapore in 2021 (source: Sophos) – Trojans – Viruses – Spyware – Worms – Adware Phishing Hacking Botnets & DDoS attacks Identity Theft Website Spoofing Unit 1: Data Protection 10 How does a cyber-attack take place? Singapore Health Services & Integrated Health Information Systems SGPDPC 3 What were the facts of this case (in brief)? What was the relationship between SingHealth and IHiS ? What were the steps / actions taken by the hacker to gain access to the system and data? How did SingHealth and IHiS staff respond in the course of the incident? What were the specific security shortcoming identified by the Personal Data Protection Commission in its decision? Unit 1: Data Protection 11 2| CYBERSECURITY ACT 2018 Unit 2: Cybersecurity 12 PART 1: INTRODUCTION Unit 2: Cybersecurity 13 Purpose and Overview Cybersecurity Act 2018, Long title: – An Act to require or authorise the taking of measures to prevent, manage and respond to cybersecurity threats and incidents to regulate owners of critical information infrastructure to regulate cybersecurity service providers Provisions: – Part 1 – Preliminary – Part 2 – Administration (appointment of Commissioner of Cybersecurity, etc.) – Part 3 & First Schedule – Critical Information Infrastructure (“CII”) – Part 4 – Responses to Cybersecurity Threats and Incidents – Part 5 & Second Schedule – Regulation of Cybersecurity Service Providers [not covered in this unit] Unit 2: Cybersecurity 14 Scope Part 3 applies to: – any CII wholly or partly in Singapore (per s 3(1)) – any computer or computer system wholly or partly in Singapore (per s 3(2)) Part 4 applies to activities and service providers in Singapore generally Unit 2: Cybersecurity 15 Key Definitions (Section 3) CII: a computer or a computer system designated under s 7(1) Computer: “an electronic, magnetic, optical, electrochemical, or other data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device …” – Excludes prescribed devices (none at present) Computer System: an arrangement of interconnected computers and includes: – “an information technology system” – “an operational technology system such as an industrial control system, a programmable logic controller, a supervisory control and data acquisition system, or a distributed control system” Unit 2: Cybersecurity 16 Key Definitions (Section 3) Cybersecurity: The state in which a computer or computer system is protected from unauthorised access or attach such that the following is maintained (note: the “CIA” of cybersecurity): – Confidentiality of information processed, etc. by the computer or computer system (what about the computer / system itself?) – Integrity of the computer or computer system or the information it processes, etc. – Availability of the computer or computer system (and information?) Cybersecurity Threat: “an act or activity (whether known or suspected) carried out on or through a computer or computer system, that may imminently jeopardise or affect adversely, without lawful authority, the cybersecurity of that or another computer or computer system” Cybersecurity Incident: “an act or activity carried out without lawful authority on or through a computer or computer system that jeopardises or adversely affects its cybersecurity or the cybersecurity of another computer or computer system” Unit 2: Cybersecurity 17 Key Definitions (Section 3) Essential Service: “any service essential to the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore, and specified in the First Schedule” Essential services in the First Schedule include: – Aviation, Land Transport or Maritime – Banking and Finance – Energy or Water – Info-communications or Media – Functioning of Government – Security and Emergency Services – Healthcare Unit 2: Cybersecurity 18 PART 2: REGULATION OF CII Unit 2: Cybersecurity 19 Regulation of CII (I) Designation of CII (s 7) The Commissioner may obtain information from a person who appears to be exercising control over a computer or computer system for the purpose of ascertaining whether it is fulfills the criteria of a CII (s 8(2)) – Failure to comply is an offence (s 8(4)) – Same exception for legal privilege as s 19 The Commissioner may designate a computer or computer system as CII if both of the following apply (s 7(1)): – the computer or computer system is necessary for the continuous delivery of an essential service, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore – the computer or computer system is located in Singapore (Q: what about cloud-based services?) Unit 2: Cybersecurity 20 Regulation of CII (I) Designation of CII (s 7, continued) A designation under s 7(1) – must inter alia inform the owner of the CII of the owner’s duties and responsibilities under the CYSA that arise from the designation (s 7(3)) – is valid for 5 years (s 7(3)) See also sections 8 and 9; additional procedures are found in the Cybersecurity (Critical Information Infrastructure) Regulations 2018 [not covered] Unit 2: Cybersecurity 21 Regulation of CII (II) Obtaining Information Relating to a CII (ss 10, 12 & 13) The Commissioner may require the owner of a CII to furnish the following information (s 10(1)): – Information on the design, configuration and security of the CII or any other computer or computer system under the CII owner’s control that is interconnected or communicates with that CII – Information relating to the operation of that CII or other computer or computer system – Any other information in order to ascertain the level of cybersecurity of the CII Material changes to the design, configuration, security or operation are to be updated within 30 days (s 10(5)) Any change in the beneficial or legal ownership must be notified to the Commissioner with 7 days by the former owner, if the whole ownership is transferred, or otherwise any owner of the CII (s 13(1)) Failure to comply with any of the above is an offence (ss 10(2), 10(7) & 13(2)) Same exception for legal privilege, etc. as s 19 Unit 2: Cybersecurity 22 Regulation of CII (III) Codes of Practice and Standards of Performance (s 11) The Commissioner may issue or approve one or more codes of practice or standards of performance for the regulation of the owners of CII with respect to measures to be taken by them to ensure the cybersecurity of the CII (s 11(1)(a)) Every owner of a CII must comply with the codes of practice and standards of performance that apply to their CII (following publication of a notice relating to the code or standard) unless otherwise waived by the Commissioner under s 11(7) (s 11(6)) The Commissioner may amend or revoke any code of practice or standard of performance (s 11(1)(b))) The Commissioner must publish a notice of the issuance, approval, amendment or revocation of a code of practice or standard of performance (s 11(3)) failing which it does not take effect (s 11(4)) A code of practice or standard of performance does not have legislative effect (s 11(5)) and any of its provisions that is inconsistent with the CYSA does not have effect (to the extent of the inconsistency) (s 11(2)) The Commissioner for Cybersecurity / CSA issued the Cybersecurity Code of Practice for Critical Information Infrastructure on 4 July 2022, last updated 12 Dec 2022 (https://www.csa.gov.sg/legislation/codes-of-practice) Unit 2: Cybersecurity 23 Regulation of CII (IV) Directions to Ensure Cybersecurity of a CII (s 12) The Commissioner may issue a direction to the owner(s) of a CII in order to ensure the cybersecurity of the CII or it is necessary or expedient for the administration of the CYSA (s 12(1)) Without limitation, a direction may include the following (s 12(2)): – the action to be taken by the owner(s) in relation to a cybersecurity threat – compliance with any code of practice or standard of performance applicable to the owner(s) – appointment of an auditor approved by the Commissioner to audit the owner(s) on their compliance with the CYSA or any code of practice or standard of performance applicable to the owner(s) Process for issuance of a direction includes giving the owner an opportunity to make representations (s 12(4) & (5)) Failure to comply is an offence (s 12(6)) Unit 2: Cybersecurity 24 Regulation of CII (V) Duty to Report Cybersecurity Incident in respect of CII (s 14) The owner of a CII must notify the Commissioner upon the occurrence of any of the following (s 14(1)): – a prescribed cybersecurity incident in respect of the CII or any other computer or computer system under the CII owner’s control that is interconnected with or that communicates with the CII – any other type of cybersecurity incident in respect of the CII that the Commissioner has specified by written direction to the owner The owner of a CII must establish such mechanisms and processes for the purposes of detecting cybersecurity threats and incidents in respect of the CII, as set out in any applicable code of practice (s 14(2)) Failure to comply is an offence (s 14(3)) Unit 2: Cybersecurity 25 Regulation of CII (VI) Cybersecurity Audits and Risk Assements (s 15) The owner of a CII must comply with the following (s 15(1)): – at least once every 2 years, cause an audit to be carried out of the compliance of the CII with the CYSA and the applicable codes of practice and standards of performance (to be done by an auditor approved or appointed by the Commissioner) – at least once a year, conduct a cybersecurity risk assessment of the CII The owner of a CII must furnish a copy of the audit report or risk assessment to the Commissioner within 30 days of completion (s 15(2)) See the rest of the section for further details Failure to comply is an offence (s 15(7) & (8)) Unit 2: Cybersecurity 26 Regulation of CII (VII) Cybersecurity Exercises (s 16) The Commissioner may conduct cybersecurity exercises for the purpose of testing the state of readiness of owners of different CII in responding to significant cybersecurity incidents. An owner of a CII must participate in a cybersecurity exercise if directed in writing to do so by the Commissioner Failure to comply is an offence (s 15(7) & (8)) Unit 2: Cybersecurity 27 PART 3: RESPONSE TO CYBERSECURITY THREATS AND INCIDENTS Unit 2: Cybersecurity 28 Response to Cybersecurity Threats and Incidents (CYSA, Part 4) (I) Investigation (s 19) The Commissioner may investigate any cybersecurity threat or incident for the following purposes (s 19(1)): – assessing the impact or potential impact of the cybersecurity threat or incident – preventing harm arising from the cybersecurity incident – preventing a further cybersecurity incident from arising from that cybersecurity threat or incident The Commissioner’s powers of investigation (s 19(2)) may be applied as against any person (e.g. to compel attendance and obtain information) and failure to comply is an offence (s 19(8)) Legal Privilege, etc.: Disclosure of information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law or rules of professional conduct in relation to the disclosure of such information is not required, except that the performance of a contractual obligation is not an excuse for not disclosing the information (s 19(6)) Unit 2: Cybersecurity 29 Response to Cybersecurity Threats and Incidents (CYSA, Part 4) (II) Elimination of Serious Threats and Incidents (s 20) The Commissioner has additional powers in relation to any cybersecurity threat or incident that meets any of the following criteria (s. 20(3)): – it creates a risk of significant harm being caused to a CII – it creates a risk of disruption to the provision of an essential service – it creates a threat to the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore – it is of a severe nature, in terms of the severity of the harm that may be caused to persons in Singapore or the number of computers or value of the information put at risk, whether or not the computers or computer systems put at risk are themselves CII The Commissioner may investigate any such serious cybersecurity threat or incident for the following purposes (s 20(1)): – assessing the impact or potential impact of the cybersecurity threat or incident – eliminating the threat or preventing harm arising from the cybersecurity incident – preventing a further cybersecurity incident Unit 2: Cybersecurity 30 Response to Cybersecurity Threats and Incidents (CYSA, Part 4) (II) Elimination of Serious Threats and Incidents (s 20, continued) For such serious cybersecurity threats and incidents, the Commissioner may: – in addition to the powers under s 19(1) – direct, (by written notice ) any person to carry out remedial measures, or to cease carrying on certain activities in relation to a computer or computer system that […] is or was affected by the cybersecurity incident, in order to minimise cybersecurity vulnerabilities in the computer or computer system – require the owner of a computer or computer system to take any action to assist with the investigation (examples in the Act) – enter premises, perform scans, obtain records, etc. Examples of remedial measures (under s 20(2)) include the following: – removal of malicious software from the computer; – installation of software updates to address cybersecurity vulnerabilities; – temporarily disconnecting infected computers from a computer network until the above is carried out – redirection of malicious data traffic towards a designated computer or computer system Unit 2: Cybersecurity 31 Introduction The PDPA, Singapore’s first general data protection law, was enacted in 2012 and came into force in stages up to July 2014 – Personal Data Protection Commission (PDPC) was established in 2013 – PDPA’s Do Not Call and Data Protection Provisions came into force in 2014 PDPA was significantly amended in 2020 to introduce new obligations in line with modern data protection laws in other jurisdictions – New provisions on data protection obligations and rights of individuals – New criminal offences relating to misuse of personal data – Enhanced enforcement powers for PDPC/Commissioner Unit 2: Cybersecurity 32 PART 4: CYBERSECURITY CODE OF PRACTICE Unit 2: Cybersecurity 33 Overview Topics covered in the Cybersecurity Code of Practice for CII (“COP”): – Audit requirements – Governance requirements – Identification requirements (Asset Management) – Protection requirements – Detection requirements – Response and Recovery requirements – Cyber Resiliency requirements – Cybersecurity Training & Awareness – Operational Technology (OT) Security requirements – Domain-specific requirements (DNSSEC) We are only focussing on Governance requirements (section 3 of the COP) Note relevant definitions Unit 2: Cybersecurity 34 Governance of Cybersecurity Key requirements in the COP, Section 3: – Leadership and oversight Adequate resources to cybersecurity strategy and application to CII Effective leadership from the board and senior management – Risk management Risk management framework to identify, analyse, evaluate and address (respond to) cybersecurity risks in a cost-effective manner Maintain a risk register for each CII – Policies, Standards, Guidelines and Procedures Policies and standards for (internal) compliance Guidelines on best practices Procedures with specific actions to be taken – Security-by-Design, Cybersecurity Design Principles and Change Management are not covered Unit 2: Cybersecurity 35 Governance of Cybersecurity Key requirements in the COP, Section 3 (continued): – Use of Cloud Organisation remains responsible for maintaining oversight of cybersecurity and managing cybersecurity risks to CII even if CII is wholly or partly implemented using cloud computing systems – Outsourcing and vendor management Organisation remains responsible for cybersecurity even if it engages an external party to perform any functions with respect to the CII Controls must be implemented to minimise cybersecurity risks Unit 2: Cybersecurity 36 3| PERSONAL DATA PROTECTION ACT 2012 Unit 2: Cybersecurity 37 Overview Data Protection obligations previously covered in unit 1 Today, we are focusing on: – Protection (security) of personal data – Data breach notification Unit 2: Cybersecurity 38 PART 1: PROTECTION OF PERSONAL DATA Unit 2: Cybersecurity 39 Protection of Personal Data (Section 24) Although data protection laws predated the advent of the Internet and the wide-spread use of computing devices we have today, they typically included a specific obligation to protect personal data Under the PDPA, all organisations are required to protect personal data by making reasonable security arrangements to prevent the following (s 24): – unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks – loss of any storage medium or device on which personal data is stored In a modern context, as most data is stored in electronic form in computers, computer systems and other electronic / digital devices and systems, this translates to requirements to ensure cybersecurity of systems and databases containing personal data Unit 2: Cybersecurity 40 Protection of Personal Data (Section 24) Requirements: – Covers personal data in the possession or under the control of the organisation – “reasonable security arrangements” – not defined (Side note: This kind of wording is found in many other countries law including, e.g. EU and US) – Two key elements, measures are to prevent: unauthorised access, etc. to personal data loss of storage media / devices containing personal data Unit 2: Cybersecurity 41 Protection of Personal Data (Section 24) PDPC’s Advisory Guidelines on Key Concepts in the PDPA, para 17 – “There is no ‘on size fits all’ solution for organisations to comply with the Protection Obligation. Each organisation should consider adopting security arrangements that are reasonable and appropriate in the circumstances …” – Factors to take into consideration: Nature of the personal data Form in which the personal data was collected (e.g. electronic or physical) Possible impact to the individual concerned if an unauthorised person obtains, modifies or disposes of the personal data Unit 2: Cybersecurity 42 Protection of Personal Data (Section 24) PDPC’s Advisory Guidelines on Key Concepts in the PDPA, para 17 (continued): – In practice, an organisation should: Design and organise its security arrangements to fit the nature of the personal data held by the organisation and the possible harm that may result from a security breah Identify reliable and well-trained personnel responsible for ensuring information security Implement robust policies and procedures for ensuring appropriate levels of security for personal data of varying levels of sensitivity Be prepared and able to respond to information security breaches promptly and effectively – Security arrangements include: Administrative measures (e.g. confidentiality obligations, robust policies, staff training) Technical measures (e.g. network security measures, access control, use of encryption) Physical measures (e.g. physical locks, privacy filters, proper disposal of physical documents) Unit 2: Cybersecurity 43 Protection of Personal Data (Section 24) In relation to data intermediaries and the organisations that engage them (data controllers), note that section 24 applies to both (per S. 4(2) & (3)) Scope of responsibility depends on extent of tasks to be done by each: – Processing by the data intermediary (implement necessary technical, physical and administrative measures) – Governance by the data controller (implement, typically via contract, measures to govern the data intermediary’s protection of personal data) Unit 2: Cybersecurity 44 PART 2: DATA BREACH NOTIFICATION Unit 2: Cybersecurity 45 Scope Definition/Concepts (Ss 26A & 26B): – Data Breach: (a) unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data, or (b) loss of any storage medium or device on which personal data is stored in circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur Cf. s 24 – Notifiable Data Breach: A data breach that (a) results in, or is likely to result in, significant harm to an affected individual or (b) is, or is likely to be, of a significant scale A data breach is deemed to result in significant harm and is deemed to be of significant scale in prescribed circumstances (s 26B(2) & (3)) Significant harm: see Personal Data Protection (Notification of Data Breaches) Regulations 2021 (“DBN Regulations”), reg. 3 and Schedule (see next slide) Significant scale: 500 (see DBN Regulations, reg. 4) Notwithstanding the above, a data breach within an organisation is not notifiable (s 26B(4)) Unit 2: Cybersecurity 46 DBN Obligations (I) Conduct an Assessment of a Data Breach Where an organisation has reason to believe that a data breach has occurred affecting personal data in its possession or under its control: – If the organisation is a data intermediary and the affected data is data it is processing for the data controller, the organisation (DI) must notify the data controller of the data breach without undue delay (s 26C(3)) – If the organisation is a data controller, in must conduct, in a reasonable and expeditious manner, an assessment of whether the data breach is a notifiable data breach (s 26C(2)) Q: Timeframes? Also note obligation of a data intermediary of a public agency (s 26E) Unit 2: Cybersecurity 47 DBN Obligations (II) Notification to PDPC Where an organisation assess that a data breach is notifiable, it must notify PDPC as soon as practicable and, in any case, within 3 calendar days (s 26D(1)) Notification to PDPC is to be made via the PDPC website (www.pdpc.gov.sg) The notification must contain the prescribed information, to the best of the knowledge and belief of the organisation when the notification is made (s 26D(3)) – The specific information required is set out in the DBN Regulations (reg. 5) and the relevant webform on the PDPC website Notification to PDPC (and affected individuals – see next slide) apply concurrently with any other obligation of the organisation to notify any other person (e.g. CSA) of the occurrence of a data breach Unit 2: Cybersecurity 48 DBN Obligations (III) Notification to Affected Individuals Where an organisation assess that a data breach is notifiable and it results, or is likely to result, in significant harm to the affected individuals, it must also notify the affected individuals on or after notifying PDPC (s 26D(2)) Notification to the affected individuals is to be made in any manner that is reasonable in the circumstances (s 26D(2)) The notification must contain the prescribed information, to the best of the knowledge and belief of the organisation when the notification is made (s 26D(3)) – The specific information required is set out in the DBN Regulations (reg. 6) Unit 2: Cybersecurity 49 DBN Obligations (III) Notification to Affected Individuals (continued) Exceptions to this requirement: – If the organisation, on or after assessing that the data breach is a notifiable data breach, takes any action, in accordance with any prescribed requirements, that renders it unlikely that the notifiable data breach will result in significant harm to the affected individual (s 26D(5)(a)) – If the organisation had implemented, prior to the occurrence of the notifiable data breach, any technological measure that renders it unlikely that the notifiable data breach will result in significant harm to the affected individual (s 26D(5)(b)) – If a prescribed law enforcement agency so instructs or PDPC so directs (s 26D(6)) – PDPC, on application by the organisation, waives this requirements (s 26D(7)) Unit 2: Cybersecurity 50 Drew & Napier LLC 10 Collyer Quay, #10-01 Ocean Financial Centre, Singapore 049315 www.drewnapier.com