SINGAPORE Law and Practice Contributed by: Lim Chong Kin, David N Alfred, Albert Pichlmaier and Goh Boon Yeow, Drew & Napier LLC
2.3 Incident Response and Notification Obligations Under the Cybersecurity (Critical Information Infrastructure) Regulations 2018, cybersecurity incidents that must be reported to the Commis - sioner include: • any unauthorised hacking of the CII or the interconnected computer or computer system to gain unauthorised access to or control of the CII or interconnected computer or com - puter system; • any installation or execution of unauthorised software, or computer code, of a malicious nature on the CII or the interconnected com - puter or computer system; • any man‑in‑the‑middle attack, session hijack or other unauthorised interception by means of a computer or computer system of com - munication between the CII or the intercon - nected computer or computer system, and an authorised user of the CII or the intercon - nected computer or computer system, as the case may be; and • any denial-of-service attack or other unau - thorised act or acts carried out through a computer or computer system that adversely affects the availability or operability of the CII or the interconnected computer or computer system. 2.4 State Responsibilities and Obligations The Cybersecurity Act sets out a number of duties and functions of the Commissioner of Cybersecurity in relation to the identification and response to cyber threats. Under Section 5 of the Cybersecurity Act, the Commissioner of Cybersecurity has a duty, among others:
• to monitor cybersecurity threats in or outside of Singapore; • to advise the government or any other public authority on the national needs and policies in respect of cybersecurity matters generally; and • to respond to cybersecurity incidents that threaten the national security, defence, economy, foreign relations, public health, public order or public safety, or any essential services of Singapore, whether such cyberse - curity incidents occur in or outside Singapore. Additionally, the Singapore Computer Emer - gency Response Team (SingCERT), which is part of the CSA, routinely issues cybersecurity and cyber hygiene advisories and alerts. SingCERT also works with the sectoral regulators to issue relevant alerts and advisories to industry players and to inform companies and affected individu - als on cybersecurity threats and incidents. 3. Financial Sector Operational Resilience Regulation 3.1 Scope of Financial Sector Operational Resilience Regulation Please refer to 1.2 Cybersecurity Laws for a summary of the sectoral cybersecurity laws applicable to the banking and finance sector. In the banking and finance sector, the MAS has issued a set of legally binding Notices on TRM and Cyber Hygiene which apply to FIs (eg, banks, insurers, capital markets services licence holders, operators, and settlement institutions of designated payment systems). These Notices impose obligations on FIs to enhance informa - tion security and mitigate the growing risks of cyberthreats.
232 CHAMBERS.COM
Powered by FlippingBook