SINGAPORE Law and Practice Contributed by: Lim Chong Kin, David N Alfred, Albert Pichlmaier and Goh Boon Yeow, Drew & Napier LLC
• the management of technology risks, including cybersecurity risks;
• the safe and sound use of technology to deliver financial services; and
• the safe and sound use of technology to protect data.

In terms of enforcement action, an FI that fails to comply with a direction issued to it under Section 29(1) or contravenes any regulation mentioned in that subsection shall be guilty of an offence and shall be liable on conviction to a fine not exceeding SGD1 million and, in the case of a continuing offence, to a further fine of SGD100,000 for every day or part of a day during which the offence continues after conviction.

The maximum penalty of SGD1 million is commensurate with the most serious types of breaches that can be committed by FIs. This quantum was derived after considering comparable existing penalty regimes of other Singapore government agencies and the need to signal the importance of TRM.

Additionally, under the current Cybersecurity Act, the Commissioner has broad powers under Sections 19 and 20 to investigate and prevent cybersecurity incidents and “serious” cybersecurity incidents respectively. These include powers to require persons to attend interviews, require the production of relevant information (such as physical or electronic records, or documents that are in the possession of that person), carry out questioning, give directions to carry out remedial measures or cease activities, require assistance with investigations, enter premises, access and inspect computer systems, among others.

It is an offence for any person to fail to co-operate with the CSA without reasonable excuse and such persons shall be liable on conviction to be punished in accordance with the fines, terms of imprisonment or both, as set out in the relevant statutory provisions.

Under the upcoming Section 18K(1) of the upcoming Cybersecurity Act, the Commissioner may require major FDI service providers to furnish information. If the major FDI service provider fails to, without reasonable excuse, furnish the required cybersecurity-related information within the specified period or continues providing the designated FDI service despite the non-compliance, they shall be guilty of an offence. They shall be liable for a fine not exceeding the greater of SGD200,000 or 10% of the annual turnover of the service provider’s business in Singapore.

The upcoming Section 18L(1) also empowers the Commissioner to issue written instructions to major FDI service providers which may relate to the action to be taken by the provider in relation to a cybersecurity threat, compliance with any prescribed technical standards relating to cybersecurity, among others. Any major FDI service provider who fails to comply with such a written direction and continues to provide FDI infrastructure service after the deadline for compliance will be liable on conviction to a fine not exceeding the greater of SGD200,000 or 10% of the annual turnover of the person’s business in Singapore.

Further, under the upcoming Section 18M(1), major FDI service providers must notify the Commissioner of the occurrence of a prescribed cybersecurity incident in respect of the major FDI, where the incident results in a disruption or degradation to the continuous delivery of the foundational digital infrastructure service or the major FDI service provider’s business operations in Singapore. Any major FDI service provider
CHAMBERS.COM