(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?
The Cybersecurity Act governs CII. It provides a framework for the designation of CII and provides CII owners with clarity as to how they must proactively try to prevent cyberattacks. The term ‘CII’ covers computers and computer systems located wholly or partly in Singapore which are necessary for the continuous delivery of an essential service, such as energy, water, transport, banking and finance, healthcare, government and emergency services.
The financial services industry is heavily regulated by the Monetary Authority of Singapore (MAS). Financial institutions regulated by MAS must notify MAS as soon as possible, but at any rate within one hour, of the discovery of a ‘relevant incident’ (ie, a security breach).
A ‘relevant incident’ is a system malfunction or IT security incident which has a severe and widespread impact on the financial institution’s operations. This would potentially include a breach of security for personal data. The financial institution must also submit a root cause and impact analysis report to MAS. Notification of the affected data subjects is not mandatory.
MAS has also developed guidelines to assist the industry in dealing with technology risks. In particular, financial institutions should have specific processes in place to identify suspicious or fraudulent transactions or phishing attempts and notify customers of the same. There should also be a reporting mechanism in place to report such activity to service providers and management.
There is currently a bill being considered by Parliament that will increase the penalties for breaches by financial institutions and provide MAS with broader investigatory powers.
The Ministry of Health has developed the Healthcare Cybersecurity Essentials – guidance for licensees to assist in developing basic safeguards for IT assets and data. Although it is not enforceable, businesses in the healthcare space are encouraged to implement and follow the guidelines.
The Infocomm Media Development Authority of Singapore has formulated codes of practice to enhance cybersecurity preparedness for designated licensees. They are not enforceable against all infocomm and media companies; however, compliance is mandatory for internet service providers. The Telecom and Media Competition Code came into effect on 2 May 2022 and provides that personal data should be handled in accordance with the Personal Data Protection Act.
(b) Certain types of information (personal data, health information, financial information, classified information)?
The Personal Data Protection Act governs the protection of ‘personal data’, which is defined as “data about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access”.
Unlike the laws in some jurisdictions, the Personal Data Protection Act has no special rules on particularly sensitive categories of personal data, such as health information. However, the Personal Data Protection Commission has released guidelines specific to the healthcare sector, making recommendations in relation to the protection of personal data. Specifically, the guidelines state that where the adverse impact to individuals if sensitive data (eg, medical information) were to be accessed is significant, tighter security arrangements should be employed.
The Credit Bureau Act provides for the regulation of credit bureaux. It imposes various duties on credit bureaux in relation to the handling of customer information (including accounts for loans and investments as well as applications for credit facilities), and the security and integrity of customer data.