Proposed bill for cybersecurity to take precedence over bank, privacy rules

It will take precedence over bank, privacy rules on data sharing if cyber attack occurs

Law and security experts have described the overarching Cyber Security Bill released yesterday as bold and decisive. ST PHOTO: KEVIN LIM

In a cyber attack, a new law in the works will take precedence over banking and privacy rules that forbid the sharing of confidential information.

The proposed Cyber Security Bill, which will be introduced and debated in Parliament later this year, will require a bank to report any cyber attack "within hours''.

It will have to alert a proposed Commissioner of Cyber Security and, if an investigation is ordered, will have to share information with Singapore's Cyber Security Agency (CSA). Failure to do so can lead to a fine or jail term.

Law and security experts have described the overarching Cyber Security Bill released yesterday as bold and decisive.

Among other things, the Bill aims to blur the line between cyber threats to the public sector and the private sector by plugging security gaps in critical information infrastructure (CII), such as those used to run banking, telecoms, transport, healthcare and energy essential services.

Lawyer Gilbert Leong, senior partner at Dentons Rodyk & Davidson, said: "The Singapore Government has taken the enlightened approach in that it recognises that there cannot be one standard for the public sector and another for the private sector. After all, cyber criminals do not respect any such boundaries."

The Bill, the fruit of almost two years of work by the CSA, is going through a public consultation that ends on Aug 3.

It follows last October's announcement of a high-level cyber- security strategy that will see Singapore increase its infocomm technology budget for cyber-security spending to 8 per cent, up from about 5 per cent before.

In fiscal year 2014, Singapore spent $408.6 million on cyber security.

The Bill is consistent with efforts to raise Singapore's cyber-security posture, said the CSA.

"The current legislation, the Computer Misuse and Cybersecurity Act, focuses more on cyber crime. As the (threat) landscape evolves, it is better to have an omnibus Bill that oversees the cyber security of (essential services) as a whole," said CSA chief executive David Koh.

The Bill will also confer power on CSA's chief as Commissioner of Cyber Security to investigate threats and incidents to ensure essential services are not disrupted in the event of a cyber attack.

Citing the recent WannaCry and NotPetya ransomware attacks, Mr Koh said: "Around the world, we have seen attacks affecting critical infrastructure such as energy and power supply."

He warned that Singapore is vulnerable even though its critical sectors were not disrupted by the ransomware.

In April, hackers broke into the networks of the National University of Singapore and Nanyang Technological University. They used a roundabout way to steal government-related data - both are involved in government-linked projects for the defence, foreign affairs and transport sectors.

The attacks on the universities followed the discovery in February of the theft of 850 national servicemen's and Defence Ministry staff's personal data.

Even elections overseas have been vulnerable to cyber attacks.

A hacking group dubbed Pawn Storm, which tried to breach French President Emmanuel Macron's campaign team e-mails earlier this year, was believed to be behind the attacks last year on the e-mail accounts of the United States Democratic National Committee to undermine Mrs Hillary Clinton's presidential bid.

For the first time, the Cyber Security Bill here spells out proactive measures which aim to minimise disruption to essential services when such attacks happen.

They include mandating CII owners to notify the commissioner if the CII suffers a cyber- security attack. The CSA's National Cyber Incident Response Framework requires notification "within hours".

Depending on the offences, the maximum penalty is a $100,000 fine or a jail term of up to 10 years.

Mr Gerry Chng, consultancy firm Ernst & Young's Asean cyber leader, described the Bill as "bold, decisive and forward-looking in considering the threats posed by cyber attacks on Singapore's essential services".

PwC Singapore's Asia-Pacific cybercrime and financial crime leader Vincent Loy said: "It is a matter of (time before) cyber-security incidents happen here. This Cyber Security Bill will provide a good foundation for Singapore to manage cyber-security risk."


Join ST's Telegram channel and get the latest breaking news delivered to you.

A version of this article appeared in the print edition of The Straits Times on July 11, 2017, with the headline Proposed bill for cybersecurity to take precedence over bank, privacy rules. Subscribe