SINGAPORE Law and Practice Contributed by: Lim Chong Kin, David N Alfred, Albert Pichlmaier and Goh Boon Yeow, Drew & Napier LLC
pore. As such, foreign businesses that carry out activities involving personal data in Singapore may be subject to the data protection provisions under the PDPA.

In terms of notable exclusions, the PDPA does not apply to individuals acting in a personal or domestic capacity, employees acting in the course of their employment with an organisation, and public agencies.

The PDPA confers powers on the PDPC to enforce the PDPA, which include powers relating to:
• alternative dispute resolution (eg, mediation);
• reviews of data subjects’ access and correction requests;
• investigations to ensure compliance with the PDPA (including the DNC provisions); and
• undertakings.

2. Critical Infrastructure Cybersecurity

2.1 Scope of Critical Infrastructure Cybersecurity Regulation

Please refer to 1.2 Cybersecurity Laws and 1.3 Cybersecurity Regulators for further details on when a CII may fall under the scope of the Cybersecurity Act.

2.2 Critical Infrastructure Cybersecurity Requirements

Generally, owners of CII are required to comply with a set of general duties, such as:
• to comply with notices issued by the Commissioner to provide information on the technical architecture of the CII;
• to comply with codes of practice, standards of performance or written directions in relation to the CII;
• to notify the Commissioner of any change in ownership of the CII;
• to notify the Commissioner of any prescribed cybersecurity incidents (please refer to 2.3 Incident Response and Notification Obligations);
• to conduct regular audits of the compliance of the CII with the Cybersecurity Act, codes of practice and standards of performance;
• to conduct regular risk assessments of the CII as required by the Commissioner; and
• to participate in cybersecurity exercises as required by the Commissioner.

The Cybersecurity Code of Practice for Critical Information Infrastructure (the “CII Cybersecurity Code”) requires owners of CII to put in place security baseline configuration standards for all operating systems, applications and network devices of a piece of CII that is commensurate with the cybersecurity risk profile of that CII. The security baseline configuration standards address the following security principles:
• least access privilege and separation of duties;
• enforcement of password complexities and policies;
• removal of unused accounts;
• removal of unnecessary services and applications (eg, removal of compilers and vendor support applications);
• closure of unused network ports;
• protection against malware; and
• timely update of software and security patches that are approved by system vendors.

The CII Cybersecurity Code sets out the following protection requirements that owners of CII need to put in place.