Singapore 
Cyber Security Bill 

In 2017 we witnessed several high profile cyber attacks with global repercussions. The most infamous among them were the two ransomware attacks, WannaCry and Petya, which affected several hundred thousand computers around the world.

Though relatively spared from these two ransomware threats, Singapore has witnessed its fair share of cyber attacks over the past few years with attempts being made to defile government websites, steal customer data from banks and steal data from private enterprises. There was even a breach at the National University of Singapore as well as the Nanyang Technological University.

Not only is Singapore a victim, it is at times, an unwilling conduit for cyber attacks that originate elsewhere. Several reports have pointed out how cyber attackers take advantage of Singapore’s advanced infrastructure and high penetration rate of devices as potential attack surfaces and gateways to launch attacks on other countries.

For enterprises it is painful and costly to recover from a cyber attack, especially if they happen to be small and medium enterprises (SME) companies. Apart from monetary losses, there could be serious reputational damage as well.

A 2017 Cost of Data Breach Study, conducted by the Ponemon Institute, showed that the average cost a data breach for Asean companies (who participated  in the study) was S$150 per incident. The highest component of that pertains to detection and escalation at S$63, followed by lost business cost at S$47.

Detection and escalation costs typically include forensic and investigative activities, assessment and audit services and others. The post data breach response costs accounted for S$41 per compromised record whereas notification costs accounted for S$5 per compromised record.

Taking cognisance of the increased threat environment, the government set up the Cyber Security Agency of Singapore (CSA) in 2015 as the central agency to oversee and coordinate all aspects of cyber security in Singapore.

In 2016 Singapore unveiled its cyber security strategy and a comprehensive Cyber Security Bill is tabled and passed in Parliament earlier this month. 

The proposed Bill has four broad objectives:

• Develop a framework for CIIs which will formalise the duties of CII operators to ensure cybersecurity of their infrastructure.
• Provide more comprehensive and specific power to the CSA to manage and respond to cybersecurity threats and incidents.
• Establish a framework for sharing of cybersecurity information with and by CSA, and the protection of such information.
• Set-up a light-touch licensing framework for cybersecurity service providers.

The public consultation process of the initial draft Cyber Security Bill attracted a more-than-expected 92 submissions from a “wide and diverse range of stakeholder groups”.

Based on the feedback gathered, the government has decided to refine the bill to bring more clarity over the designation of CIIs and also to remove the need for CII designations to be under the Official Secrets Act.

The agencies will also ensure regulatory requirements are simplified by doing away with the need to license individual professionals and remove distinction between “investigative” and “non-investigative” types of licensing. Only penetration testing and managed security operations centre monitoring service providers will be required to get a license.

Despite the bill, companies will still need to take responsibility for the security of their networks. The CSA can and will act as a watchdog and gatekeeper but it will not be able to plug in all the gaps because most of the attacks originate from other countries over which CSA has no jurisdiction.

For most enterprises, cyber security is not part of their core competency. As a result, they are not good at it and in many cases do not have the trained manpower to implement a network security policy. This is especially true for SMEs.

Dr. Yaacob Ibrahim, Minister for Communications and Information, had made an important point during his speech at the 2016 Budget presentation in Parliament. The Minister noted that while cyber breaches at big corporations may make headlines, SMEs are not spared as the lack of cyber security protection make them easy targets.

It makes sense for enterprises to engage a managed security provider such as StarHub to provide them an extra layer of protection while they concentrate on their line of business.

StarHub’s core infrastructure is integrated with round-the-clock, proactive cyber threat detection capabilities, giving it the ability to discover and check malicious data traffic at an early stage. Singapore’s Smart Nation journey as well as the introduction of IoT (Internet of Things) devices in the enterprise space, will result in cyber security becoming more vital going forward.

Having professional expert like StarHub monitor, in real time, threats as they traverse through the network, gives companies a peace of mind to concentrate on their core competence instead of worrying about cyber criminals.

Follow StarHub Business on Linkedin for the latest business updates.