Cybersecurity 2025

SINGAPORE Law and Practice Contributed by: Lim Chong Kin, David N Alfred, Albert Pichlmaier and Goh Boon Yeow, Drew & Napier LLC

extent to which the personal data transferred to those countries and territories will be protected to a standard comparable to the protection under the PDPA; or
• the transfer is necessary for the performance of a contract between the organisation and the data subject, or to do anything at the data subject’s request with a view to their entering a contract with the organisation.

As good practice, however, organisations are encouraged to rely on the above circumstances only if they are unable to rely on legally enforceable obligations or specified certifications.

In respect of international data transfers between regulatory authorities in the financial sector, the MAS is a signatory to the Administrative Arrangement (AA) for the Transfer of Personal Data between European Economic Area (EEA) Financial Supervisory Authorities and non-EEA Financial Supervisory Authorities. The AA sets out the safeguards relating to data transfers between regulatory authorities which include purpose limitation, data quality and proportionality, transparency, security and confidentiality, data subject rights, onward transfers and sharing of personal data, data retention periods, and redress. As a signatory, MAS confirms that it adheres to the safeguards outlined in the AA.

More generally, Singapore joined the APEC Cross-Border Privacy Rules System and Privacy Recognition for Processors System in 2019, which are accountability-based and enforceable certifications developed by APEC economies for cross-border transfers of personal data.

In January 2021, the member states of the Association of Southeast Asian Nations (ASEAN) approved the ASEAN Data Management Framework (DMF), and the Model Contractual Clauses for Cross Border Data Flows (MCCs), which are resources and tools for ASEAN businesses to utilise in their data-related business operations. In summary, the DMF provides a common data protection framework for businesses on good data management practices and best practices, while the MCCs are a set of template contractual terms and conditions that may be included in the binding legal agreements between parties transferring personal data to each other across borders.

In May 2023, the Joint Guide to ASEAN MCCs and EU Standard Contractual Clauses (SCCs) was launched (the “Joint Guide”). The Joint Guide provides a comparison between ASEAN MCCs and SCCs for organisations looking to transfer or receive consumer data from overseas partners. Companies already familiar with the ASEAN MCCs can use the Joint Guide as a reference in their contractual negotiations on data transfers with their EU business partners.

3.6 Threat-Led Penetration Testing

Critical Information Infrastructure

Under the CII Cybersecurity Code, owners of CII are required to conduct regular penetration testing on CII to identify security vulnerabilities that could be exploited by a cyber threat actor. This allows organisations to determine exploitable vulnerabilities in their systems and address them.

Owners of CII are required to conduct a penetration test on the CII:
• at least once every 12 months, for CII which is an information technology system; and
• at least once every 24 months, for CII which is an operational technology system.
