Data Protection and Cybersecurity Regulations in Singapore
Cybersecurity regulations in Singapore impose mandates that combine compliance-based and risk-based approaches. For forward-looking businesses, they are an opportunity to build trust and cyber resilience. We'll see how in this blog post.
The continued success of digital transformation initiatives among businesses operating in Singapore brings with it a growing exposure to cyber risks. Policymakers, acutely aware of the threat landscape, are stepping up to raise the protection level of critical information infrastructure, and this is unfolding through the introduction of new cybersecurity regulations in Singapore.
What are the cybersecurity and data protection regulations in Singapore? How do these regulations impact businesses in Singapore?
How can businesses that hold sensitive data, especially financial institutions, healthcare companies, and IT firms, carry out both preventive and reactive cybersecurity activities to ensure compliance?
Data protection regulations in Singapore
- The Cybersecurity Act 2018 is an omnibus regulation in Singapore that applies to information and computer systems across all industries. It creates a framework for businesses operating critical information infrastructure to prevent, manage, and respond to cybersecurity threats and incidents. Among the essential service providers identified in the Act, the banking and finance, healthcare, and aviation industries are the ones most prone to cyber risks.
- The Personal Data Protection Act 2012 (PDPA) sets guidelines requiring businesses to make the security arrangements needed to prevent unauthorized access, collection, modification, disposal, or similar risks to the personal data they hold or process. The regulation appears to cohere with how the PCI SSC oversees the security of payment-related information, and some of the controls recommended in the guidelines resemble those in other regulations that apply to all businesses processing PII.
- The Monetary Authority of Singapore Technology Risk Management (MAS TRM) Guidelines, with a strong focus on the protection of sensitive data, require businesses in Singapore to adopt specific risk management principles and cybersecurity standards. Strengthening system security and resiliency and deploying strong authentication processes to protect sensitive data are among the important controls in the MAS TRM guidelines. Issued under the Payment Services Act 2019, the TRM guidelines require banks, financial services, and other payments-related businesses in Singapore to ensure that the required security patches are applied to address cyber vulnerabilities.
Achieving compliance with cybersecurity regulations in Singapore
Done well, we believe, the data protection regulations listed above can help businesses build cyber resilience and enable growth. Turning the guidelines into an opportunity will, however, require a strategic approach to risk mitigation and compliance. We suggest an integrated, coordinated approach that helps businesses in Singapore achieve a clear mapping of regulatory requirements and protect sensitive data by building cybersecurity capabilities.
Defining regulatory requirements and risk analysis
The first step for any business aspiring to comply with a specific regulation is to map the regulatory requirements and create an inventory of security controls. For instance, a bank in Singapore that needs to comply with both the MAS TRM guidelines and PCI DSS must create a unified framework along the lines illustrated below.
- Identify the critical security controls and create an inventory
- Assess the gaps in compliance and define security dependencies
- List the digital assets related to these security controls and remediate
- Conduct a detailed risk assessment for each critical system
- Define the required level of security for compliance attainment
The PDPA requires any business in Singapore to retain personal data only for business or legal purposes and to securely destroy it when it is no longer needed. This obligation requires businesses to continuously discover where personal data is located in the organization and decide whether to secure it or destroy it before an audit.
The relevance of a risk-based approach to compliance becomes clear when we look at one of the security controls in the Cybersecurity Act 2018: businesses must conduct a cybersecurity risk assessment of their critical information infrastructure at least once a year. The same control also appears in other regulatory guidelines, including ISO, PCI, and HIPAA.
Building cyber resilience and maintaining compliance
Effective security controls are a key element of achieving compliance with data security regulations in Singapore. Building proper threat hunting capabilities and adopting an Identity and Access Management (IAM) approach are just two examples of the security controls that make up the major cybersecurity regulations in Singapore.
To achieve synergy between regulatory guidelines and security controls, businesses must prioritize cybersecurity activities based on the risk management framework as discussed above.
- For each gap in compliance, identify critical systems and security requirements
- Implement security and data protection actions and monitor progress
- Implement KPIs to verify that security controls are correctly in place
- Periodically reassess risks
One complete section of the MAS TRM guidelines is dedicated to threat hunting and incident response. Security controls 12.2 Cyber Event Monitoring and Detection and 12.3 Cyber Incident Response and Management require financial institutions in Singapore to establish a security operations centre, or to acquire managed security services, to proactively detect threats and respond to security incidents. This resonates with guidelines from other local and global data security regulatory requirements.
Maintaining compliance with continuously changing regulatory guidelines is no mean feat. It requires an integrated approach that combines cybersecurity and risk management. We believe that the cybersecurity and data protection regulations will look dramatically different in Singapore by 2025. For businesses that are ready to start right now, the recommended risk management program will be well worth the investment and effort.