SINGAPORE Law and Practice Contributed by: Lim Chong Kin, David N Alfred, Albert Pichlmaier and Goh Boon Yeow, Drew & Napier LLC
The TRM Notices include requirements to:

• put in place a framework and process to identify critical systems;
• make reasonable efforts to maintain a high availability of critical systems;
• establish a recovery time objective for each critical system;
• notify the MAS of a system malfunction or IT security incident;
• submit a root cause and impact analysis report to the MAS of the relevant incident within 14 days; and
• implement IT controls to protect customer information from unauthorised access or disclosure.

The Notices on Cyber Hygiene include requirements to:

• secure administrative accounts;
• apply security patching;
• establish baseline security standards;
• deploy network perimeter defences;
• implement anti-malware measures; and
• strengthen multi-factor authentication.

3.2 ICT Service Provider Contractual Requirements

Under the TRM Guidelines, MAS sets out a number of principles and best practices in relation to third-party service providers, which include:

• ensuring service providers have the requisite level of competence and skills to perform IT functions and manage technology risks;
• conducting IT security awareness training programmes for service providers who have access to FIs’ information assets;
• identifying threats and vulnerabilities applicable to information assets that are maintained or supported by service providers;
• assessing service providers’ disaster recovery capability and ensuring that disaster recovery arrangements are established, tested and verified to meet FIs’ business needs;
• ensuring service providers are accorded the same level of protection and subject to the same security standards in data security as FIs;
• involving service providers in scenario-based cyber exercises to validate FIs’ response and recovery, as well as communication plans against cyber threats; and
• reporting of phishing attempts to service providers.

More generally, ICT service providers may fall under the upcoming category of designated providers of major foundational digital infrastructure services under the Cybersecurity Act. “Foundational digital infrastructure services” are services that promote the availability, latency, throughput or security of digital services, and have been specified in the Third Schedule to the upcoming Cybersecurity Act. This will include a “cloud computing service” and a “data centre facility service”, as set out below.

• A “cloud computing service” is defined as a service, delivered from a computer or computer system in Singapore or outside Singapore, that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources.
• A “data centre facility service” is defined as any service which relies on a computer or computer system in Singapore to facilitate data storage, processing and transmission by another person through the centralised accommodation, interconnection and operation of one or more computers or computer
233 CHAMBERS.COM