1 Legal framework

1.1 Does the law in your jurisdiction distinguish between 'cybersecurity', 'data protection' and 'cybercrime' (jointly referred to as 'cyber')? If so, how are they distinguished or defined?

'Cybersecurity' is defined under the Cyber Security Act 2018 as:

the state in which a computer or computer system is protected from unauthorised access or attack, and because of that state —

  1. the computer or computer system continues to be available and operational;
  2. the integrity of the computer or computer system is maintained; and
  3. the integrity and confidentiality of information stored in, processed by or transmitted through the computer or computer system is maintained.

'Data protection' is not expressly defined under Singapore law; however, the Personal Data Protection Act 2012 is directed at ensuring the protection of personal data.

'Cybercrime' is not expressly defined under Singapore law; however, the Computer Misuse Act 1993 was enacted to combat cybercrime and cyberthreats.

1.2 What are the key statutory and regulatory provisions that address cyber in your jurisdiction?

The key laws are:

  • the Personal Data Protection Act, which governs the collection, use, disclosure and handling of personal data;
  • the Computer Misuse Act, which aims to secure computer material against unauthorised access or modification, and deals with related matters; and
  • the Cybersecurity Act, which governs measures for preventing, managing and responding to cybersecurity threats, and regulates the owners of critical information infrastructure (CII) and cybersecurity service providers.

1.3 Do special cyber statutes or regulations apply to: (a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)? (b) Certain types of information (personal data, health information, financial information, classified information)?

(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?

The Cybersecurity Act governs CII. It provides a framework for the designation of CII and provides CII owners with clarity as to how they must proactively try to prevent cyberattacks. The term 'CII' covers computers and computer systems located wholly or partly in Singapore which are necessary for the continuous delivery of an essential service, such as energy, water, transport, banking and finance, healthcare, government and emergency services.

The financial services industry is heavily regulated by the Monetary Authority of Singapore (MAS). Financial institutions regulated by MAS must notify MAS as soon as possible, but at any rate within one hour, of the discovery of a 'relevant incident' (ie, a security breach).

A 'relevant incident' is a system malfunction or IT security incident which has a severe and widespread impact on the financial institution's operations. This would potentially include a breach of security for personal data. The financial institution must also submit a root cause and impact analysis report to MAS. Notification of the affected data subjects is not mandatory.

MAS has also developed guidelines to assist the industry in dealing with technology risks. In particular, financial institutions should have specific processes in place to identify suspicious or fraudulent transactions or phishing attempts and notify customers of the same. There should also be a reporting mechanism in place to report such activity to service providers and management.

There is currently a bill being considered by Parliament that will increase the penalties for breaches by financial institutions and provide MAS with broader investigatory powers.

The Ministry of Health has developed the Healthcare Cybersecurity Essentials – guidance for licensees to assist in developing basic safeguards for IT assets and data. Although it is not enforceable, businesses in the healthcare space are encouraged to implement and follow the guidelines.

The Infocomm Media Development Authority of Singapore has formulated codes of practice to enhance cybersecurity preparedness for designated licensees. These are not enforceable against all infocomm and media companies; however, compliance is mandatory for internet service providers. The Telecom and Media Competition Code came into effect on 2 May 2022 and provides that personal data should be handled in accordance with the Personal Data Protection Act.

(b) Certain types of information (personal data, health information, financial information, classified information)?

The Personal Data Protection Act governs the protection of 'personal data', which is defined as "data about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access".

Unlike the laws in some jurisdictions, the Personal Data Protection Act has no special rules on particularly sensitive categories of personal data, such as health information. However, the Personal Data Protection Commission has released guidelines specific to the healthcare sector, making recommendations in relation to the protection of personal data. Specifically, the guidelines state that where the adverse impact to individuals if sensitive data (eg, medical information) were to be accessed is significant, tighter security arrangements should be employed.

The Credit Bureau Act provides for the regulation of credit bureaux. It imposes various duties on credit bureaux in relation to the handling of customer information (including accounts for loans and investments as well as applications for credit facilities), and the security and integrity of customer data.

1.4 Do any cyber statutes or regulations have extraterritorial reach? If so, how do they apply extraterritorially and what are the factors or criteria for such application?

The relevant statutes contain no express provisions on extraterritorial application, but in effect they do have some extraterritorial reach.

The Personal Data Protection Act applies to organisations, wherever located, that process the personal data of individuals in Singapore.

The Computer Misuse Act applies to any person, regardless of nationality and citizenship, outside as well as within Singapore:

  • where the accused was in Singapore at the material time;
  • where the computer program or data was in Singapore at the material time of the offence; or
  • where the offence causes or creates a significant risk of serious harm in Singapore.

Under Section 3 of the Cybersecurity Act, the act applies to any computer or computer system located wholly or partly in Singapore that is necessary for the continuous delivery of an essential service (ie, any CII).

1.5 Do any bilateral or multilateral instruments related to cyber have effect in your jurisdiction?

Singapore is a signatory to the Universal Declaration of Human Rights, which recognises a general right to privacy.

Further, Singapore has signed several international memorandums of understanding to strengthen national cybersecurity, including with:

  • France (May 2015);
  • the United Kingdom (July 2015);
  • Australia (June 2017); and
  • most recently, the United States (August 2021).

Singapore has not been granted an adequacy decision by the European Commission and is not a signatory to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS 108).

Singapore is also not a signatory to the Council of Europe Convention on Cybercrime (CETS 185), which seeks to harmonise domestic criminal law regarding cybercrime and facilitate international cooperation between law enforcement.

1.6 What are the criminal penalties for cybercrime (eg, hacking, theft of trade secrets)?

The Personal Data Protection Act provides for an array of offences, including for:

  • breaches of data protection provisions; and
  • the knowing or reckless unauthorised disclosure of personal data.

The maximum penalties include fines or imprisonment.

The Computer Misuse Act provides for an array of offences, including for:

  • unauthorised access (ie, hacking);
  • access to a computer with the intention to commit or facilitate a crime; and
  • the unauthorised modification of the contents of a computer.

Again, the maximum penalties include fines or imprisonment.

2 Enforcement

2.1 Which governmental entities are responsible for enforcing cyber statutes and regulations? What powers do they have? Can they impose civil and criminal penalties? On whom can penalties be imposed (eg, companies, directors, officers, employees)? Do those entities have extraterritorial reach, and if so what?

The Personal Data Protection Commission is empowered to investigate and enforce the provisions of the Personal Data Protection Act, including by carrying out investigations to determine whether an organisation or person is compliant. However, the commission is not empowered to award damages to a complainant; the complainant should instead bring a private right of action under Section 48O of the Personal Data Protection Act.

The Cyber Security Agency (CSA) has been given the task of protecting Singapore's cyberspace and administering the Cybersecurity Act. In the event of a cybersecurity threat or incident, the CSA will assess the impact or potential impact and take appropriate action to prevent any further harm arising from the threat or incident.

The Cybersecurity Services Regulation Office (CSRO) was set up to administer the licensing framework under the Cybersecurity Act and facilitate liaison with the industry and the wider public on all licensing-related matters. The functions of the CSRO include:

  • enforcing the licensing framework (eg, managing licensing processes, imposing and enforcing licence conditions);
  • responding to queries and feedback from licensees, businesses and the public; and
  • developing and sharing resources on licensable cybersecurity services with consumers, such as the list of licensees.

The Singapore Police Force (SPF) administers the Computer Misuse Act. The SPF has the powers to investigate and arrest individuals or companies if found to be in breach of the Computer Misuse Act.

2.2 Do private parties have a right of action? If so, what type of relief or remedy is available? Is any relief or remedy available against individuals (eg, directors, officers, employees)?

Individuals have a private right of action in civil proceedings for direct loss or damage suffered directly as a result of the contravention of the Personal Data Protection Act (Section 48O). The court may grant relief by way of injunction or declaration, damages or any other relief as the court thinks fit.

Relief or remedy available against individuals is limited under the Cybersecurity Act and may only be available where stated in statute – for example, under Section 36(2) of the Cybersecurity Act, which provides that officers and individuals involved in the management of the corporation can be found guilty of the same offence as the company if the company commits the offence as a result of their action or failure to take reasonable steps to prevent or stop the commission of the offence. Alternatively, relief may be found in a right of action based on negligence, breach of contract or breach of statutory duty.

In addition, if the incident is cyber-related, a cyber incident report may be filed with the CSA.

2.3 What defences are available to companies in response to governmental or private enforcement?

Limited defences are set out under the Personal Data Protection Act. For instance, an offence of unauthorised disclosure of personal data under Section 48D provides for the following defences:

  • The personal data was publicly available at the time of disclosure; or
  • The accused caused the disclosure of the personal data as permitted under the act or as authorised or required by an order of court, or in the reasonable belief that the accused had the legal right to do so.

Many offences under the Computer Misuse Act include an 'intention' or 'knowledge' element. For instance, for the offence of unauthorised modification of computer material under Section 5 to be made out, the person must know that the act will cause an unauthorised modification of the contents of any computer.

3 Landmark matters

3.1 Have there been any landmark cyber enforcement actions or judicial decisions in your jurisdiction? If so, what were they?

A key enforcement action case is Re Singapore Health Services Pte Ltd [2019] SGPDPC 3, which involved the largest-ever cyberattack in Singapore.

The Personal Data Protection Commission took enforcement action against SingHealth for failing to put in place reasonable security measures to protect personal data under its possession and control, which resulted in a data breach affecting 1.5 million patients. A financial penalty of S$250,000 was imposed on SingHealth and of S$750,000 on SingHealth's intermediary, Integrated Health Information Systems Pte Ltd.

As a result of this data breach, the Singapore Ministry of Health issued Cybersecurity Advisory 1/2019; all licensees (eg, hospitals) are encouraged to implement relevant measures in the advisory. The guidelines can be found at www.moh.gov.sg/licensing-and-regulation/regulations-guidelines-and-circulars/details/cybersecurity-advisory-1-2019-cybersecurity-best-practices-arising-from-the-recommendations-in-the-coi-report-to-the-cyber-attack-on-singhealth.

The commission publishes a number of its enforcement decisions on its website for the purpose of individual and community deterrence.

There have been no published enforcement actions under the Cybersecurity Act.

3.2 Have there been any pivotal cyber incidents or events (eg, major data breaches, major cyber-related legislative activity, major cyber-related innovation or technology development) in your jurisdiction?

  • Increased use of 5G: The Cyber Security Agency recently published guidelines for owners of critical information infrastructure to identify threats that can be introduced into systems connected to 5G services;
  • Recent amendments to the Personal Data Protection Act (for more information, see question 6.1);
  • The SingHealth cyberattack, reportedly Singapore's worst cyberattack (for more information, see question 3.1);
  • The Russia-Ukraine conflict: The Singapore Computer Emergency Response Team (SingCERT) has advised companies to strengthen their cybersecurity following increased cyberthreats globally arising from recent cyberattacks on Ukraine in the course of the Russia-Ukraine conflict; and
  • New licensing changes to the Cybersecurity Act (for more information, see question 6.1).

4 Proactive cyber compliance

4.1 Have any industry best practices or industry standards in proactive cyber compliance developed over time in your jurisdiction? If so, please briefly describe.

The Personal Data Protection Commission has developed various advisories to provide guidance on how to comply with the Personal Data Protection Act (www.pdpc.gov.sg/Guideline-and-Consultation-Menu). Moreover, the commission has issued sector-specific guidelines for telecommunications, real estate agency, education, healthcare, social service, transport service and management corporations (www.pdpc.gov.sg/Guidelines-and-Consultation?type=sector-specific-advisory-guidelines), and industry-led guidelines (www.pdpc.gov.sg/Guidelines-and-Consultation?type=industry-led-guidelines).

The commissioner of cybersecurity has issued a list of codes of practice for the regulation of owners of critical information infrastructure in accordance with the Cybersecurity Act (www.csa.gov.sg/Legislation/Codes-of-Practice).

The Monetary Authority of Singapore has issued Guidelines on Risk Management Practices to guide financial institutions in managing technology risk and maintaining cyber resilience (www.mas.gov.sg/regulation/guidelines/technology-risk-management-guidelines).

4.2 Have any governmental entities issued voluntary guidance or similar documentation on the issue of proactive cyber compliance? If so, please briefly describe.

See questions 1.3 and 4.1.

4.3 What legal duties, if any, do corporate officers and directors have with respect to proactive cyber compliance? Under what circumstances might they be considered in breach?

There is no duty on directors of Singapore companies that relates specifically to cyber compliance.

However, under Section 157 of the Companies Act, directors must act honestly and use reasonable diligence in the discharge of the duties of their office. In addition, under the common law, directors must carry out their duties with skill, care and diligence.

In the modern business environment, directors should:

  • inform themselves about whether the company has adequate cybersecurity measures in place and an adequate plan to respond to cyber incidents; and
  • if not, ensure that the company takes steps to put such measures and plans in place.

Failure to comply with directors' duties can result in civil or criminal fines or penalties.

Under Section 36(2) of the Cybersecurity Act, officers and individuals involved in the management of the corporation can be found guilty of the same offence as the company if the company commits the offence as a result of their action or failure to take reasonable steps to prevent or stop the commission of the offence.

Companies must appoint a data protection officer (DPO) to oversee compliance with the Personal Data Protection Act. There is no requirement that the DPO be a director or officer of the company; however, according to the Advisory Guidelines issued by the Personal Data Protection Commission, the DPO should ideally be a member of the organisation's senior management team or have a direct reporting line to the senior management. Failure to appoint a DPO may lead to a preliminary investigation by the Personal Data Protection Commission.

4.4 Are there special rules, regulations or guidance in the proactive cyber compliance area that apply to public (eg, exchange-listed) entities?

In relation to data security breach notification requirements, companies listed on the Singapore Exchange (SGX) must include in their annual report any material weaknesses that are identified and the steps taken to address such weaknesses. A listed company may also be required to report a data breach under Rule 703 of the SGX Rulebook, which provides that a listed company must announce, in a timely manner, any information which is necessary to avoid the establishment of a false market in its securities or which would be likely to materially affect the price or value of its securities. It is possible that a severe cyber incident suffered by a listed company could materially affect the price of its securities and therefore require disclosure.

4.5 Is there scope for companies to share details of actual or potential cybersecurity threats, or other cyber-intelligence information, with industry or other stakeholders?

The Singapore Computer Emergency Response Team (SingCERT) regularly posts publications on cybersecurity incidents (www.csa.gov.sg/singcert/Publications). SingCERT was set up to facilitate the detection, resolution and prevention of cybersecurity-related incidents on the internet.

5 Cyber-incident response

5.1 In your jurisdiction, do certain types of cyber incidents (eg, data breaches, unauthorised destruction, data leakage) trigger mandatory or voluntary notification requirements? How are such incidents defined? Are notification requirements dependent on the type of information affected? If so, what types?

Data breach notification obligation under Personal Data Protection Act: Organisations must report data breaches if the data breach will likely result in significant harm to individuals and/or is of a significant scale. Organisations must notify the Personal Data Protection Commission and the affected individuals as soon as practicable.

A data breach is notifiable if it:

  • results in, or is likely to result in, significant harm to an affected individual. The Personal Data Protection (Notification of Data Breaches) Regulations 2021 sets out the personal data that is deemed to result in significant harm to affected individuals if compromised in a data breach. This includes the individual's full name or full national identification number in combination with, for example, financial information that is not otherwise publicly disclosed (eg, salary or net worth); or
  • is, or is likely to be, of a significant scale:
    • Data breaches that meet the criteria of significant scale are those that involve the personal data of 500 or more individuals.
    • If an organisation is unable to determine the actual number of affected individuals in a data breach, the organisation should notify the commission if it anticipates that this number is at least 500. The organisation may subsequently update the commission of the actual number of affected individuals once this is established.

Notification under Cybersecurity Act: Under Section 14(1) of the Cybersecurity Act, the owner of critical information infrastructure (CII) (ie, a computer or computer system located wholly or partly in Singapore that is necessary for the continuous delivery of an essential service) must notify the commissioner of cybersecurity of the occurrence of any of the following:

  • a prescribed cybersecurity incident in respect of the CII;
  • a prescribed cybersecurity incident in respect of any computer or computer system under the owner's control that is interconnected with or that communicates with the CII; or
  • any other type of cybersecurity incident in respect of the CII that the commissioner has specified by written direction to the owner.

5.2 What are the mandatory or voluntary cyber-incident notification requirements? For example, to whom must notification be sent (eg, individuals, regulators, public filings)? Is there a required form or format? What is the timeframe for notification? Is the organisation that suffered the cyber-incident obliged to provide services, compensation or specific information to individuals who were affected? What are the exceptions/safe harbours that would allow organisations to avoid or not make notifications (eg, no risk of harm; information accessed was encrypted)?

Personal Data Protection Act: Under the Personal Data Protection Act, upon determining that a data breach is notifiable, the organisation must notify:

  • the Personal Data Protection Commission as soon as practicable, but in any case no later than three calendar days; and
  • where required, affected individuals as soon as practicable, at the same time as or after notifying the commission.

Notification is not required if an exception set out in the act applies. Section 26D(5) states that an organisation is not required to notify affected individuals if:

  • on or after assessing that the data breach is a notifiable data breach, it takes any action, in accordance with any prescribed requirements, that renders it unlikely that the notifiable data breach will result in significant harm to the affected individual; or
  • it had implemented, prior to the occurrence of the notifiable data breach, any technological measure that renders it unlikely that the notifiable data breach will result in significant harm to the affected individual.

Under Section 26D(7) of the Personal Data Protection Act, the organisation may apply to the Personal Data Protection Commission for a waiver of the requirement to notify the affected individuals.

Where an exception applies, the organisation need not notify the affected individuals, but it must still notify the commission of the data breach.

  • Notification to commission: Organisations may provide their notification through the commission's website. The notification should include:
    • the facts of the data breach;
    • the procedure for handling the data breach; and
    • the contact details of at least one authorised representative of the organisation.
  • Notification to individuals: Organisations may send the notification to affected individuals through their usual communication channels. The notification should give guidance on the steps that affected individuals can take to protect themselves from the potential harm arising from the data breach, and should include:
    • the facts of the data breach;
    • the data breach management and remediation plan; and
    • the contact details of at least one authorised representative.

The organisation is not required to provide any services or compensation to affected individuals. However, the organisation's notification to the affected individuals should contain its data breach management and remediation plan, including:

  • information on any action by the organisation, whether taken before or to be taken after the organisation notifies the affected individual:
    • to eliminate or mitigate any potential harm to the affected individual as a result of the notifiable data breach; and
    • to address or remedy any failure or shortcoming that the organisation believes caused, or enabled or facilitated the occurrence of, the notifiable data breach; and
  • steps that affected individuals can take to eliminate or mitigate any potential harm as a result of the notifiable data breach, including preventing the misuse of the affected individuals' personal data affected by the notifiable data breach.

Cybersecurity Act: Section 14 of the Cybersecurity Act states that the commissioner of cybersecurity must be notified within two hours of discovery of the occurrence. The designated CII owner must provide, within 14 days of the initial submission, supplementary details on:

  • the cause of the cybersecurity incident;
  • its impact on the designated owner of critical information or any interconnected computer or computer system; and
  • the remedial measures that have been taken.

There are no requirements for the notification of affected data subjects.

5.3 What steps are companies legally required to take in response to cyber incidents?

Data breach notification requirements under the Personal Data Protection Act, as set out in questions 5.1 and 5.2.

Certain industries may have their own notification obligations (eg, financial institutions regulated by the Monetary Authority of Singapore must notify the authority within one hour of the discovery of a relevant incident).

If the organisation has been designated as an 'owner of critical information infrastructure' under the Cybersecurity Act, it must notify the commissioner of cybersecurity within two hours of becoming aware of the occurrence of a prescribed cybersecurity incident. Within 14 days of the initial notification, the organisation must also submit the following details:

  • the cause of the cybersecurity incident;
  • its impact on the designated owner of critical information or any interconnected computer or computer system; and
  • the remedial measures that have been taken.

Publicly listed companies are subject to disclosure obligations under the SGX Rulebook – see question 4.4.

Other industry-specific codes may require the notification of data breaches to industry regulators or other bodies.

5.4 What legal duties, if any, do corporate officers and directors have with respect to cyber-incident response? Under what circumstances might they be considered in breach?

There is no duty on directors in Singapore that relates specifically to cyber-incident response.

However, under Section 157(1) of the Companies Act, directors must act honestly and use reasonable diligence in the discharge of the duties of their office. Failure to do so will be a breach and the director can be:

  • liable to the company for any profit made by him or her or for any damage suffered by the company as a result of the breach of any of these provisions; and
  • guilty of an offence and liable on conviction to a fine not exceeding S$5,000 or to imprisonment for a term not exceeding 12 months.

In addition, under the common law, directors must carry out their duties with skill, care and diligence.

In the modern business environment, directors should:

  • inform themselves about whether the company has adequate cybersecurity measures in place and an adequate plan to respond to cyber incidents; and
  • if not, ensure that the company takes steps to put such measures and plans in place.

Failure to comply with directors' duties can result in civil or criminal proceedings and disqualification from acting as a director.

Under Section 36(2) of the Cybersecurity Act, officers and individuals involved in the management of the corporation can be found guilty of the same offence as the company if the company commits the offence as a result of their action or failure to take reasonable steps to prevent or stop the commission of the offence.

5.5 Do companies maintain cyber-incident insurance policies in your jurisdiction?

Cyber-incident insurance policies are available in Singapore. There are no regulatory limits to insurance coverage against specific types of loss in respect of cyber insurance. However, normal contractual principles apply such that any illegality will likely be excluded under the insurance policy.

Cyber insurance policies are becoming increasingly common for Singapore companies of all sizes, as the risks of a cyber incident grow increasingly apparent. Cyber insurance is available as a standalone policy or as part of a more general business insurance policy for small and medium-sized enterprises.

6 Trends and predictions

6.1 How would you describe the current cyber landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

Personal Data Protection Act: The amended Personal Data Protection Act took effect from 1 February 2021, implementing certain changes such as the mandatory data breach notification requirements (see question 5.2) and strengthening the Personal Data Protection Commission's enforcement powers.

From 1 October 2022, there will be increased financial penalties for failure to comply with the act. Companies that breach its provision may face fines of up to:

  • S$1 million; or
  • where the organisation's annual turnover in Singapore exceeds S$10 million, 10% of its Singapore turnover.

Cybersecurity Act: The Cyber Security Agency of Singapore is currently conducting a review of the Cybersecurity Act 2018 which is due to be finalised in 2023, with the act to be updated thereafter.

Apart from the current review, a new licensing framework took effect from 11 April 2022 under the Cybersecurity Act:

  • The new framework applies to two types of cybersecurity service providers:
    • providers of penetration testing services; and
    • providers of managed security operations centre monitoring services, including third-party vendors that support such service providers and resellers of licensed cybersecurity services.
  • Existing cybersecurity service providers that are already engaged in the business of providing either or both licensable cybersecurity services will be given six months to apply for a licence. Cybersecurity service providers that do not apply for a licence in time will have to cease the provision of licensable cybersecurity services until a licence has been obtained. However, a cybersecurity service provider that applies for a licence by 11 October 2022 may continue to provide its services until a decision on the licence application has been made.
  • The licence is valid for a period of two years. The licensee must comply with ongoing licensing and conduct conditions as prescribed under Part 5 of the Cybersecurity Act (eg, Section 29, which requires that records of the cybersecurity services provided be kept for three years).

7 Tips and traps

7.1 What are the top three cyber-related problems or challenges that companies face in trying to secure their networks and data assets, and what are the best ways to address them?

  • Review the guidelines and advisories set out by the regulatory bodies.
  • Ensure that systems are secure and conduct regular testing.
  • Obtain cyber insurance so that in the event of a cyber incident, the business will have access to a range of experienced service providers that can assist.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.