SINGAPORE Law and Practice Contributed by: Lim Chong Kin, David N Alfred, Albert Pichlmaier and Goh Boon Yeow, Drew & Napier LLC
systems, encompassed within a facility in Singapore dedicated to that purpose. Under the upcoming Cybersecurity Act, designated providers of major FDI services will be subject to obligations such as providing the Commissioner with information, reporting prescribed cybersecurity incidents, and complying with codes of practice and directions that may be issued or approved by the Commissioner.

On 1 March 2024, the legislature announced that the inter-agency Taskforce on the Resilience and Security of Digital Infrastructure and Services is studying the introduction of a Digital Infrastructure Act to further enhance the resilience and security of key digital infrastructure and services in Singapore. At the time of writing, there is no publicly available information on the obligations to be imposed on digital infrastructure providers under the upcoming Digital Infrastructure Act.

3.3 Key Operational Resilience Obligations

The key obligations relating to digital operational resilience in the financial sector can be derived from Part 8 of the TRM Guidelines relating to IT resilience. The best practices that FIs should aim to comply with include:

• establishing system availability commensurate with their business needs;
• establishing system recoverability aligned to their business resumption and system recovery priorities;
• regularly testing their disaster recovery plans to validate their effectiveness and meet the defined recovery objectives;
• establishing a system and data backup strategy so that systems and data can be recovered in the event of a system disruption or when data is corrupted or deleted; and
• conducting a Threat and Vulnerability Risk Assessment for their data centres to identify potential vulnerabilities, and the protection that should be established to safeguard the data centres against physical and environmental threats.

In terms of incident reporting obligations, FIs should establish cyber-incident response and management plans to swiftly isolate and neutralise cyber threats and to securely resume affected services. The plan should describe communication, co-ordination and response procedures to address plausible cyber threat scenarios. Each FI should seek to understand its exposure to technology risks and put in place a robust risk management framework to ensure cyber resilience.

FIs may also be designated as CII under the Cybersecurity Act. For more information on the designation of CIIs and the obligations imposed on CIIs under the Cybersecurity Act, please refer to 1.2 Cybersecurity Laws, 1.3 Cybersecurity Regulators and 2.2 Critical Infrastructure Cybersecurity Requirements.

3.4 Operational Resilience Enforcement

There are no specific obligations relating to operational resilience in relation to critical ICT service providers. However, critical ICT service providers in the financial sector can take guidance from Part 8 of the TRM Guidelines (please refer to 3.3 Key Operational Resilience Obligations for further details).

Generally, under Section 29(1) of the Financial Services and Markets Act, MAS has the power to issue directions or make regulations concerning any FI or class of FIs as the MAS considers necessary for:
234 CHAMBERS.COM