From a risk manager’s perspective, the Singapore CyberSecurity Bill is merely icing on the cake of already-robust legislation, and expectations, from the Singaporean Government. But is there more to it than meets the eye? StrategicRISK spoke to PARIMA board member and International SOS risk manager, Kelvin Wu, about why all risk managers - designated or not - need to take notice of this bill.
International SOS group senior manager, risk management and insurance, Kelvin Wu says, “The background of the bill is about the Singapore government recognising the nature of our industry and economy and how they want to position the country as a global hub. In this day and age, it’s about being a technology hub; it’s about being an information hub, and the cyber security and cyber resilience aspects have to be considered.”
Wu says what sets this legislation apart from other regulations, such as the amendments to Australia’s Privacy Act and the European Union General Data Protection Regulation, is that it only applies to critically important infrastructures (CII) as designated by the government (there are 11 designated firms - mostly large corporates and government branches - at the time of going to press).
“What this does is it gives the government a right to ask for certain types of information to ascertain how you are managing your cybersecurity. The key to the legislation is having emergency powers to help firms on how to respond if you have been subject to a breach or a hack.”
But Wu stresses this regulation is not meant to be prescriptive. “When it comes to corporates, the focus is very much principles-based, where the aim is not really to penalise the corporations for a breach, but to ensure that in the event of a breach, the firm is proactively stepping forward to notify them and to work together with the government.”
Wu says while firms are to await designation status from the Singapore government, rather than ‘self-diagnose’, it is vital that all firms look at the expectations of CII firms to see how their firm is faring.
“What is interesting is within the guidelines, it says if you are a CII you should be doing all ‘these things’ at the very minimum to ensure that you are a cybersecurity responsible company. That sort of information can be a helpful guideline for risk managers to have in order to track how your company is doing in the cybersecurity space.”
One question remains: why should risk managers who are (or aren’t) designated be concerned about this? Wu says, “Because the bill specifically mentions that, as an international organisation, dealing with multinational operators, it is important to always try to keep up with global regulatory developments. We have had a good look at the and the legislation coming out of Australia; the Singapore Cyber Security Bill is no different in many ways. If you are a corporation in this day and age you have to keep abreast of all the regulations, whether they apply to you or not.”