Cybersecurity 2025

SINGAPORE Trends and Developments Contributed by: Sheena Jacob, Jaya Malhotra, Sherman Poon and Andre Choo, CMS

Is it time to rethink the laws on ransomware payments?

While ransomware payments are not prohibited by law in many countries, including Singapore, anti-money laundering (AML) and countering the financing of terrorism (CFT) regulations, as well as criminal laws, are applicable to such payments. Since cyber threat actors may well be involved in criminal activity, money laundering or terrorism financing, victims seeking to make payment could potentially breach AML and CFT regulations, especially where the attacker is tied to known criminal organisations.

Countries are considering the need to revisit their approach to ransomware payments, such as introducing guidelines balancing victims’ urgent need to resolve cyber-attacks with the need for compliance with international AML/CFT standards. This could include developing a legal framework requiring businesses to report such incidents without facing penalties, mirroring the Australian regime of requiring organisations to disclose ransomware payments.

Conversely, Singapore could mandate that organisations procure cyber-insurance and prohibit the coverage of claims for ransomware payments, with the hope that organisations are deterred from making such payments if the money comes out of their pockets. This also may thwart threat actors’ attempts to identify soft targets likely to make payments.

Improving Cybersecurity Initiatives

The Singapore government has made significant efforts to expand on and further develop Singapore’s cybersecurity infrastructure in light of the evolving cyber threat landscape. The Cybersecurity (Amendment) Act 2024, which passed in May 2024, introduced sever -

and the CSA noted that local organisations averaged only a 70% adoption rate of essential cybersecurity measures, with only a third of organisations fully implementing at least 60% of measures recommended in the national cybersecurity standards.

The dilemma of cyber-insurance

The evolving threat landscape has prompted more insurers to offer cyber-insurance for organisations seeking to mitigate the financial risks of cyber-incidents. As costs of a cybersecurity incident or threat can be significant, cyber-insurance coverage is important to manage the various types of costs that may be incurred, including lawyers, computer forensics experts, crisis management and public relations consultants, and ransomware negotiators. Cyber-insurance helps companies mitigate the risk of harm perpetrated by threat actors, allowing organisations to mitigate or even recoup their financial losses (see here).

However, while cyber-insurance often makes commercial sense for organisations, insurance payouts which go towards paying the ransom costs may create a perverse incentive for threat actors, since having more organisations holding cyber-insurance policies which cover extortion cost payouts may encourage threat actors to launch further attacks. As such, many governments, including the Singapore government, discourage victims from paying ransoms, pointing out that doing so perpetuates a cycle where hackers and scammers target firms that have previously made payouts or new organisations with cyber-insurance, as they may be more inclined to pay the extortion costs. As cyber-insurance becomes more widely adopted, the impact on the rates of cyber-attacks remains to be seen.

CHAMBERS.COM