Singapore’s Cybersecurity Bill: No Man is an Island, global alignment needed for true effectiveness
The Cyber Security Agency of Singapore (CSA) public consultation exercise for its proposed Cybersecurity Bill is about to come to an end. For almost a month, feedback has been gathered from the industry at large on the bill, which aims to enable an expedient response to cyber threats and incidents.
To date, analysts, notably from IDC and Ovum, have said they think the bill isn’t complete enough. For one, end consumers’ security and privacy haven’t been factored into the bill, which emphasises protection of critical information infrastructure (CII) in sectors such as transportation, healthcare, banking, energy and telco, among others.
IDC’s Simon Piff also opined that the bill is a great start towards addressing ‘cyberwarfare scenarios’, but not cyberattacks on commercial sectors such as retail and e-commerce, despite these sectors having suffered heavy financial losses and reputational damage.
Daryl Pereira, head of Cybersecurity at KPMG Singapore, also weighed in with his thoughts in this second-part feature on reactions to Singapore’s Cybersecurity Bill. The first part can be found here.
During a meeting with CSA, KPMG and five other business leaders from various companies shared their views on the draft bill, while CSA clarified some of their ideas, concerns and objectives around cybersecurity and how the bill serves this purpose.
Pereira answers some of EITN’s questions about the draft bill.
EITN: Does the Commissioner of Cybersecurity have powers over private and/or foreign entities/organisations, i.e. banking, telecommunications? How will this role differ from, say, the CIO of a bank or telco?
Pereira: The Commissioner of Cybersecurity will have legislative powers under the Act to oversee cybersecurity readiness in both government and private organisations (including the Singapore-registered branches and legal entities of foreign-headquartered organisations). The Commissioner’s powers will cover all sectors designated as Critical Information Infrastructure, including banks and telecommunications companies.
The Commissioner’s role is primarily to oversee the cybersecurity readiness of Singapore’s critical information infrastructure, and to monitor and respond to cybersecurity threats. The role of company CEOs, with the support of their Chief Information Officer (CIO) and Chief Risk Officer (CRO), on the other hand, is to take all necessary measures to protect the critical information infrastructure in their organisations.
EITN: How do you think banks will react to banking and privacy rules being superseded by the Cybersecurity Bill? How will private/foreign organisations react to having to hand over information during investigations?
Pereira: The draft Bill implies that the Cybersecurity rules will supersede existing privacy laws such as the PDPA and Banking Secrecy Act – this is indicated by clause 20(5) which protects a person who “…in good faith, discloses any information to an investigating officer is not treated as being in breach of any restriction upon the disclosure of information imposed by law, contract or rules of professional conduct.”
However, the application of the Cybersecurity law in practice could follow the approach taken by other Cybersecurity Laws such as the US law, where disclosure to the authorities is done after the affected personal information is removed or sanitised.
EITN: How will licensing vendors and service practitioners help, overall, in achieving the objective of the Cybersecurity Bill?
Pereira: Licensing cybersecurity providers may aid by:
· Increasing the visibility of “qualified” service providers to end-user organisations looking to source cybersecurity support. This will provide additional assurance to the end-user organisation that the service provider meets at least an acceptable quality level of professionalism and professional conduct;
· Maintaining quality standards for work done by the licensed providers, which can also aid with cyber incident investigations; and
· Raising the skill bar needed by individuals employed in these specialist cybersecurity domains, thereby raising the skillsets needed to be a qualified practitioner in this area.
All of the above aim to serve the overriding objective of the Bill, which is to encourage organisations to take pre-emptive measures to protect their critical information infrastructure. For some organisations, especially those without significant in-house capabilities, the design and implementation of a contextually appropriate cybersecurity strategy would require the aid of skilled and professional (i.e. licensed) cybersecurity service providers.
EITN: Would you recommend the implementation of a similar bill in other countries, such as Thailand, Indonesia or even Malaysia? What are the unique characteristics of Singapore that would enable its Cybersecurity Bill to be successful?
Pereira: The implementation of a similar Cybersecurity Bill would require economic stability and a level of maturity in the corporate governance principles that allow for the Board and C-Suite executives to personally take responsibility for cybersecurity readiness of their company. In addition, given the borderless nature of cyber threats and attacks, for the Singapore Bill to be effective there is a need for the other countries to implement similar Bills that will collectively promote the implementation of robust safeguards against such attacks.
The alignment of more countries to a shared, common baseline will assist this globally.