Singapore’s attempt to strengthen its cybersecurity regulation is being supported by market participants through responses to a recent consultation paper, according to an internet security association, but lawyers point out that such a discussion is necessary only because many firms continue to rely on lagging in-house cybersecurity practices.
“The discussion paper was quite timely, it is important that a lot – not just financial institutions – any organization established in Singapore that is looking to leverage on technology, they do need to be concerned about technology risk and governance. Quite frankly, it’s a bit sad to see, but sometimes it is very easy for companies to fall back on established practices,” says Rakesh Kirpalani, director of dispute resolution/information technology at Singapore law firm Drew Napier.
The Monetary Authority of Singapore (MAS) launched the consultation paper on its current technology risk and business continuity management guidelines in March, and has proposed enhancing the rules to require firms to strengthen operational resilience.
MAS expects the paper to provide “effective cyber surveillance, secure software development, adversarial attack simulation, and management of cyber security risks proposed by the Internet of Things.”
Kirpalani believes firms have good reason to pay attention to the discussion paper.
“There will be compliance costs, and I suspect that there will be more costs to be spent on risk assessments and making sure that you carry out the IT audits, and things like that. But I think that we have to remember that cyber risk is here, it’s not the case that we can close our eyes and pretend that it is not here. The question is what are we going to do about it?”
Ken Baylor, founder and president of the Vendor Security Alliance – an internet security trade body – believes Singaporean firms are well-engaged when it comes to rule changes, and suggests there will be a lot of interest in the paper.
“[T]he government have issued licenses to a lot of these firms and when the regulator says, ‘show up, we are thinking of passing a new law,’ people show up,” he says. “These [people] are probably from multiple different committee meetings, so pretty much most of financial bankers in Singapore are aware of this [discussion paper] and probably are the ones that have signed off on it, and they have already started embracing it. That’s the way that Singapore works.”
Baylor suggests the report highlights just how advanced MAS is in terms of understanding market movements.
“This document is actually more forward-looking when you compare it to the US, there is a lot here that is ahead of the US and the same with Europe. That is one of the great things about Singapore is that it looks at where the trends are going,” says Baylor.
Both Baylor and Kirpalani agree that while the discussion paper may be technologically focused, a challenge still exists in engendering greater IT awareness at board level.
“The board of directors must also have people who understand IT risk, and security risk, so that is new. And then those people will actually be involved in the hiring process for effective functional risk,” says Baylor.
“About 20 or 30 years ago IT managers would just report to the board and say, ‘everything is fine,’ and the board would say, ‘thank you, we will carry on with business.’ Now the board has to become involved, and that requires a significant mindset change,” says Kirpalani.
“It will require a lot of execution for mid to senior level management as to what needs to be done to implement the necessary protocols, or what needs to be done to comply with audits, because nobody wants a data breach. The truth of the matter is that it is here, it’s clear, it’s present, and it’s not just the IT manager’s job anymore, everyone needs to take steps to make sure that it doesn’t happen,” he says.