This document summarizes cybersecurity laws and regulations in Singapore. It discusses the Personal Data Protection Act, Computer Misuse and Cybersecurity Act, and negligence law as existing frameworks covering cybersecurity. It also outlines key aspects of the proposed Cybersecurity Act, including establishing a Cybersecurity Agency and Commissioner to oversee critical information infrastructure protection and incident response. The draft bill covers definitions, administration, duties of critical infrastructure owners, investigation and emergency powers, and regulating cybersecurity service providers through licensing. Public consultation is currently underway to gather feedback on the draft legislation.

1. 1
Cybersecurity Legislation
in Singapore
Benjamin Ang
Head, Cyber and Homeland Defence
Centre of Excellence for National Security (CENS / RSIS)
@benjaminang

2. What laws cover cybersecurity in Singapore?
Personal Data Protection Act (PDPA)
Computer Misuse and Cybersecurity Act
Negligence Law
Cybersecurity Act

3. Fines under PDPA
S$10,000 fine on Propnex Realty for failing to make reasonable
security arrangements to prevent unauthorised access of
customers’ personal data
S$10,000 fine on JP Pepperdine
S$10,000 fine on Tech Mahindra for mybill.singtel.com
S$3,000 fine on Smiling Orchid

4. Unauthorised access
to computer material
3.—(1) … knowingly
causes a computer to
perform any function for
the purpose of securing
access without authority
to any program or data
Aha, Betty uses
“password” as her
password

5. Unauthorised modification of
computer material
4.—(1) … knowingly
causes a computer to
perform any function for
the purpose of securing
access to any program
or data held in any
computer with intent to
commit an offence
I can use Betty’s
password to transfer
$ from her bank
account

6. Access with intent to commit or
facilitate commission of offence
5.—(1) … does any act
which he knows will
cause an unauthorised
modification of the
contents of any
computer
I will change the data to
make Betty look like
she’s stealing company
secrets
To: Bob
From: Betty
Hi Bob
Here is my recipe for chocolate
cake confidential client list
Betty

7. Unauthorised use or
interception of computer service
6.—(1) any person who
(a) secures access
without authority to any
computer for the
purpose of obtaining,
directly or indirectly,
any computer service;
Now I’m using
Betty’s wi-fi without
her knowledge

8. Unauthorised obstruction
of use of computer
7.—(1) Any person who,
knowingly and without
authority or lawful
excuse —
(a) interferes with, or
interrupts or obstructs
the lawful use of, a
computer; or

9. Unauthorised obstruction
of use of computer
7.—(1) (b) impedes or
prevents access to, or
impairs the usefulness
or effectiveness of, any
program or data stored
in a computer

10. 8A. Obtaining personal
information
(1)(a) Obtaining or retaining
personal information a
person knew or had
reason to believe came
from s3, 4, 5, or 6,
(2)(a) to commit an
offence, or
(2)(b) to supply it for
committing an offence

11. 8B Items used for
offences
(1)(a) Obtaining or
retaining any item
(i) Intending to commit
or facilitate an
offence under s3, 4,
5, 6, 7

12. Case: PP v Koh Chee Tong [2016] SGDC 37
Search: All customers with
NRIC starting 85xxxxxxx

13. Did Koh commit an offence?
3.—(1) … knowingly causes
a computer to perform any
function
for the purpose of securing
access without authority
to any program or data
• Accessed the UOB
system
• Searched customer
data for a loan shark
• Gained access to the
customer data

14. What are the challenges in prosecuting Koh?
Proof that he accessed the system
Proof that he accessed it without authority

15. Management / response to cyber threats
National cyber incident response framework
15A.—(1) Where the Minister is satisfied that it is necessary for the purposes of
preventing, detecting or countering any threat to the national security, essential
services or defence of Singapore or foreign relations of Singapore,
the Minister may, ..., authorise or direct any person or organisation ... to take
such measures or comply with such requirements as may be necessary to
prevent, detect or counter any threat to a computer or computer service or any
class of computers or computer services.

16. Civil Liability in
Negligence Law

17. What happens if you’re sued for Negligence
Yahoo – sued for ‘gross negligence’ in not securing user
accounts (link)
Home Depot – paid settlements of US$25m to banks and
US$19.5 m to consumers for 2014 breach (link)
Neiman Marcus – paid settlement of US$1.6m to shoppers for
2013 breach (link)
Target – offers US$10m settlement for breach

18. The Draft Cybersecurity Bill
Cybersecurity Act to be passed in end 2017 2018

19. Why another Act?
Incident
Response
Cybercrime
International
Cyber
Norms
Cyber
Services

20. Drafting
We are here
1st + 2nd
Reading
It will be introduced in
Parliament as a Bill in
late 2017 2018
Select
Committee
3rd
Reading
This will contain input
and amendments from
the consultation
Signing
After PCMR passes it,
the President will sign
it, and it will be
Gazetted
From Bill to Act
Public Consultation

21. Existing laws related to cybersecurity
Computer Misuse and Cybersecurity Act (CMCA)
Personal Data Protection Act (PDPA)
Regulations in some sectors e.g. reporting requirements for Banks

22. Protection of CII
The CSO may also
come from the
sector regulator e.g.
MAS for banks
CSA to designate
CII Owners (CIIO’s)
CSA to appoint
Cybersecurity
Officers (CSO) as
POC between CIIO
and CSA

23. Information Sharing
How to encourage sharing?
Use CSA as the central node
CSA to protect confidentiality
Informers get indemnity under the law
Allow CSA to share information
to prevent, detect, counter or investigate

24. How information sharing could work
Mandatory disclosure
● From CIIOs
● From others, in a s15A
CMCA situation
Voluntary disclosure
● Voluntary disclosures
would be protected
● Including IOCs
(indicators of
compromise)

25. Part 1: Definitions

26. Computer Systems
Computer System
… an arrangement of
interconnected
computers … —
includes ICS, SCADA,
DCS
Computer
Same wide definition as
the Computer Misuse
Act

27. Cybersecurity incidents and threats
Incident
act or activity … that
jeopardised or adversely
impacted, without lawful
authority, the security,
availability or integrity of a
computer or computer
system
Threat
act or activity on … which is
known or suspected, that
may imminently jeopardise
or adversely impact etc

28. Critical Information Infrastructure
computer or a
computer system that is
necessary for the
continuous delivery of
essential services which
Singapore relies on, …
… the loss or compromise
of which will lead to a
debilitating impact on
national security, defence,
foreign relations, economy,
public health, public safety
or public order of Singapore
See First
Schedule

29. Part 2: Administration
Appointment of Cybersecurity Commissioner

30. Part 3: Critical Information
Infrastructure
    
   

31. Section 8
Power to obtain
information to ascertain
if computer system, etc.
fulfils criteria of critical
information
infrastructure

32. Section 10
Duties of owner of CII
(a) Provide Info to CSA
(b) Comply with codes/
standards
(c) Notify CSA of
incidents or threats
d) Regular audits
e) Regular risk
assessments
f) Participate in
cybersecurity
exercises

33. Section 11
Technical information relating to CII
Design and configuration of CII
Ditto for inter-connected computers
Info on any other computer system that is inter-connected
Any other information

34. Section 13 – Power to issue directions
If (a) necessary or
expedient for ensuring
the cybersecurity of CII
(b) Or for the effective
administration of the
Act;
(a) Actions to be taken
by CII about a
cybersecurity threat;
(b) Audit and
(c) Any other matters

35. Section 15 : Duty to report incident at CII
Duty is on CII owner
(a) Significant event
(b) Event on any inter-
connected computer
(c) Any other incident
Owner needs to set up
threat detection
No time period
specified

36. Part 4: Responding to and
Prevention of Cybersecurity
Incidents

37. Section 20
Powers to investigate
and prevent
cybersecurity incidents
(a) People / reports
(b) Records /
documents
(c) Statements

38. Section 21
Powers to investigate
and prevent serious
cybersecurity incidents
(a) Cleaning up malware
(b) Disconnecting computers
(c) Redirecting traffic
(d) Monitoring computers
(e) Entering premises
(f) Accessing computers
(g) Taking copies

39. Section 24
Emergency
cybersecurity
measures
Minister decides;
Can direct anyone to “take
such measures or comply
with such requirements as
may be necessary to
prevent, detect or counter
any threat”

40. Part 5: Regulating
Cybersecurity Service
Providers

41. Licensing – feedback was received
“30 At this point, we
only intend to license
penetration testing and
managed SOC
monitoring service
providers”

42. Get involved in the
discussion
@benjaminang