In addition, CII owners must provide, to the fullest extent practicable, the following supplementary details in writing within 14 days after the first submission:
- The cause of the cybersecurity incident
- Its impact on the CII or interconnected computer or computer system
- What remedial measures have been taken
Cybersecurity risk assessments and audits
Additionally, CII owners need to conduct a cybersecurity risk assessment of the CII at least once a year and an audit of the CII’s compliance with the Act by an auditor approved or appointed by the Commissioner at least once every two years.
The cybersecurity risk assessment must be conducted in the following form and manner. First, it must:
- Identify, as far as is reasonably practicable, every cybersecurity risk to the CII.
- Evaluate the likelihood of occurrence and possible consequences of the materialization of each identified cybersecurity risk.
- Identify the action that the CII owner will take in respect of each identified cybersecurity risk.
The report of the assessment must also cover:
- The methodology used in the cybersecurity risk assessment.
- A description of every identified cybersecurity risk to the CII.
- The evaluated likelihood and possible consequences of the materialization of each identified cybersecurity risk.
- The identified action that the CII owner will take in respect of each identified cybersecurity risk.
Seven-day reporting of any ownership change
Further, where there is any change in the beneficial or legal ownership of a CII, such change must be notified to the Commissioner no later than seven days from the date of change.
Compliance with regulatory notices and directions
As the Act also confers on the CSA and the Commissioner specific powers of investigation and powers for the prevention of serious cybersecurity incidents, owners of CII are required to comply with any notices and directions that the CSA or the Commissioner issues in the exercise of those powers.
What are the penalties for noncompliance?
Owners of CII who fail, without reasonable excuse, to comply with relevant obligations under the Act are guilty of an offense and liable on conviction to a fine of up to S$100,000 or to imprisonment for a term of up to 10 years, as specified in the Act.
Is there any liability for officers and management?
Yes. Under the Act, where a corporation commits an offense, an officer or individual involved in the management of the corporation who knew, or ought reasonably to have known, that the offense would be committed, and who failed to take all reasonable steps to prevent or stop it, is guilty of that same offense and is punished accordingly.
What does my organization need to do?
Ensure that all your officers are apprised of the obligations under the Cybersecurity Act. If necessary, engage external counsel to help conduct a briefing for your management on the ambit of the new law.
Put in place a written policy with clear, easy-to-understand processes on how to deal with cybersecurity incidents, including reporting of cybersecurity incidents as required under the Act. Train key members of your organization on how to implement these processes and the policy.
Engage external counsel to run cybersecurity table-top exercises to familiarize relevant staff with any necessary actions and escalation procedures.
Should you encounter a cybersecurity incident, engage external legal advisors early so that you are properly advised as to your legal rights and obligations arising from the Act, including ensuring that any commercially sensitive information that is disclosed in the course of investigations is kept confidential.
Reed Smith LLP is licensed to operate as a foreign law practice in Singapore under the name and style, Reed Smith Pte Ltd (hereafter collectively, "Reed Smith"). Where advice on Singapore law is required, we will refer the matter to and work with Reed Smith's Formal Law Alliance partner in Singapore, Resource Law LLC, where necessary.
Client Alert 2018-215