Tue, Jun 8, 2021

Singapore’s PDPA - Are You Prepared for Your Next Data Breach?

Businesses in Singapore face mounting challenges to protect customer data as a result of the newly enacted Personal Data Protection (Amendment) Bill (PDPA).

With higher penalties expected to be levied from February 2022, it’s imperative that enterprises, particularly those collecting customer data, have a solid information security framework and incident response plan in place.

Cyberattacks in Singapore have been on the rise since 2017 following high-profile breaches of SingHealth, Singapore Airlines, SingTel, Sephora, AXA Insurance, Uber and Red Cross. However, businesses in Singapore appear to be well positioned to respond, with nine in 10 businesses having a cyberbreach protocol in place. Cybercriminals are also targeting smaller enterprises, which experienced more than 47,500 phishing attacks in 2019, according to the Cyber Security Agency.

In a recent webinar co-hosted by Kroll and DLA Piper, cyber security and information risk experts from both firms shared insights on what the new amendments mean for Singapore businesses. They also discussed the ramifications businesses could face following a data breach and ways to be better prepared. The webinar was moderated by Scott Thiel, Partner, DLA Piper, and the panel consisted of:

Impact on Businesses in Singapore

Mandatory breach reporting, major fines and customer data portability obligations are the key consequences businesses will face under the new amendments. In addition, businesses will have 72 hours to report any incidents to authorities. It is therefore important that businesses understand whether:

  • There is a breach reporting protocol in place
  • The protocol is robust enough
  • The right people in the business are familiar with it
  • The data is being managed appropriately

Businesses also have to contend with increased fines, which could be either 10% of total revenue or S$1 million (whichever is higher). Businesses also face data portability obligations and will need to start thinking about how to meet this requirement before the rules come into force. For financial institutions, there is an even higher bar to clear as a result of the Monetary Authority of Singapore’s (MAS) Technology Risk Management (TRM) guidelines. These guidelines include specific requirements for having a chief security officer (CSO), the use of technologies such as application programming interfaces (APIs) or internet-of-things (IoT) devices, and conducting proper due diligence on IT and software vendors. The new updates to the PDPA bill signify the Singapore government’s intent to move from regulatory guidance to regulatory enforcement.

Challenges for Small and Medium Enterprises (SMEs)

Access to dedicated resources and trained data security personnel are among the key challenges that SMEs are grappling with. Under the PDPA amendments, businesses are now required to appoint a data protection officer (DPO). The DPO’s role is to ensure the organization is compliant with its obligations under the PDPA, and the DPO should be the first point of contact for any data breach incident. However, recruiting a dedicated data protection officer is often not a viable option for SMEs and may require existing employees to multi-task.

As a result, SMEs may find it difficult to train key team members and effectively address cyber security and data privacy matters. An example of this is ensuring that the board and senior leadership play a sufficient role in cyber governance and establish key objectives to achieve this.

Similarly, information security is often delegated to a non-technical individual such as an office manager. These personnel can become overly reliant on outsourced providers whose “solutions” are often deployed without the necessary frameworks to properly operationalize them. Resource constraints also prevent many SMEs from determining their level of preparedness for a cyberattack, whether through active simulations, tabletop exercises or penetration testing.

While cyber security and privacy are a complex problem, SMEs do have some advantages over large enterprises, such as a simpler operating model and technology risk profile. This means achieving adequate security levels can be much more straightforward.

Cyber Assistance for SMEs

To help SMEs overcome the resource gap, the Singapore Government has instituted two grants designed to help smaller enterprises level up their cyber resilience: the Digital Acceleration Grant and the Productivity Solutions Grant. Both grants provide businesses with significant cost offsets of up to 70% on digital hardware and software solutions, including the use of consultants (where such consultancy is closely linked to the digital solutions).

The Costs of a Data Breach

Businesses in Singapore are greatly underestimating the economic cost of a data breach, with six in 10 assessing the average cost to be less than SG$1 mn per breach. In reality, the costs are far higher. According to IBM Security, the average cost for businesses in ASEAN was a significant SG$3.6 mn in 2020 [1]. These costs include containment and response measures such as compliance program upgrades, loss of data/devices, third-party costs, specialist talent recruitment and workforce interruption.

There are also other less obvious but equally important costs, including reputation management, brand damage and monitoring costs (e.g., credit monitoring and identity theft monitoring). Businesses should also be mindful of the significant time lag that can occur between when a breach occurs and when it is discovered. Incidents can sometimes go undiscovered for months or even years, and the resulting damage can be significant. Under the amended PDPA, regulators will likely examine a business’s preparedness prior to the breach.

Cyber Response Plan and Cyber Governance

Nine in 10 Singapore businesses have a cyber response plan in place. However, the quality of those plans varies greatly, with only 12% stating that their organizations were “very well prepared”. It is therefore imperative for businesses to have an action plan that clearly articulates the actions that need to be taken following a data breach. This includes forming an incident response team made up of stakeholders from across the business, including leadership, technology and communications. The team is responsible for establishing response protocols that cover alternative communications channels, escalation protocols, critical recovery systems and stakeholder management.

To minimize the business impact, clear objectives need to be set, such as targeted recovery times for business-critical systems. The recovery time for each critical system may vary; some may take hours, but ideally it should not take days or weeks. It is also essential to understand who is going to be notified of what, when and how, especially regulators, law enforcement officials, investors, service providers and customers.

Cyber threat actors are constantly adapting and evolving, and it is critical that businesses stay on top of these trends. For instance, ransomware actors have been increasingly using the threat of a data breach to extort organizations, which has led to an increased volume of breaches. Additionally, personnel risk factors also need to be considered. Employees are often key vectors through which cyber threats enter the organization. Hence, employees should be adequately trained and kept up to date on cyber security risks.

Avoid Becoming A Victim

Despite varied levels of readiness against a data breach, nine in 10 Singapore businesses are providing regular communication and training for their employees. This is a marked improvement over prior years, when cyber security was a lower priority for enterprises.

SMEs should focus on embedding cyber security into their organizational culture to boost their cyber resilience. This means having senior-level support to drive change and engagement. Employees should also be kept up to date on security risks and educated on good cyber practices in the workplace and at home, such as practicing good password hygiene and enabling multifactor authentication. It is critical to build a robust cyber security strategy that takes into consideration five key areas: governance, policies and procedures, infrastructure and standards, people and training, and relationships with third parties.

SMEs should also take stock of their data inventory by understanding what sensitive data they collect and where the data is stored. This helps in identifying what data has been accessed or what system has been disabled or affected during a data breach. Knowing what data has been collected and what data needs protecting will speed up the process of evaluating any potential damages. It is also important to ensure there are viable backups available, which play a critical role in recovering from a ransomware attack.

Finally, to better safeguard against the growing threat of cyberattacks, businesses should consider enrolling in cyber insurance. This can help protect against the future downside risks when, not if, a cyberattack occurs.


Sources

[1] https://www.ibm.com/hk-en/security/data-breach
