A Peek into Singapore's New Cybersecurity Act
The Singapore Government announced earlier this year that a new, standalone Cybersecurity Act will be tabled in Parliament in 2017. On 26 October 2016, the Minister for Communications and Information, Mr Yaacob Ibrahim, provided a further glimpse of the impending laws. The Minister was speaking at the Financial Times Cyber Security Summit Asia Pacific held in Singapore.
The new Cybersecurity Act will institute standards for incident reporting, audits and risk assessments. It will also facilitate the sharing of cybersecurity information, and mandate the participation of critical information infrastructure operators in cybersecurity exercises.
Importantly, the Government envisions that the new Act will complement the existing Computer Misuse and Cybersecurity Act, which will continue to govern cybercrime investigation.
The Minister also observed that businesses need to spend more on cybersecurity, to keep pace with increased digitisation. At present, the Government is the largest contributor of cybersecurity expenditure. It plans to further increase its cybersecurity spending to 8 percent of its information technology budget.
The Minister's speech follows Singapore Prime Minister Lee Hsien Loong's recent announcement that the country will embark on a new cybersecurity strategy, which seeks to construct a more robust cyber environment for Singapore.
The Government's latest policy initiatives come in the wake of increased cybercrime in Singapore. Recently, local telecommunications provider Starhub suffered two broadband service outages that were the result of malicious distributed denial-of-service (DDoS) attacks on Starhub's domain name servers (DNS). As a result, some customers temporarily faced intermittent broadband access.
In view of the growing threat of cybercrime, more companies in Singapore are looking to obtain cyber insurance coverage. Local insurance companies report a marked increase in enquiries on cyber insurance policies. Given the high financial and reputational costs of remedying cybersecurity breaches, this surge in demand comes as no surprise.
While the actual take-up rate of cyber insurance policies remains modest, it is likely that the adoption of such policies will become ubiquitous as companies strengthen their cybersecurity frameworks.
It will be interesting to see if the Government provides further information on the impending Cybersecurity Act, such as whether critical information infrastructure operators will be subject to mandatory reporting obligations, and the extent to which these obligations, if any, may extend across all business sectors.