As part of its commitment to offer a trusted, world-class and business-friendly environment, Singapore has a set of guidelines and regulations around cybersecurity that may apply to startups doing business locally, or from Singapore to the rest of the world.
It may seem like a lot, but not all of the guidelines and regulations below apply to any single company (unless you run a very complex business). They are a collection of industry-specific guidelines and best practices issued or recommended by the relevant government agencies.
This is also a big reason why international infosec standards such as ISO 27001 are non-prescriptive and industry-agnostic: a well-run ISMS will already cover most of the requirements below.
Here is a summary of the information security regulatory guidelines applicable to businesses in Singapore.
Table of Contents
1. Financial Industry
2. Healthcare Industry
3. Infocomm and Media Industry
4. Security at Government Agencies
A few guidelines apply to the financial industry in Singapore. The most significant and comprehensive are the Technology Risk Management (TRM) Guidelines issued by the Monetary Authority of Singapore (MAS) for financial institutions (FIs). Revised in January 2021, the guidelines also set expectations for the third parties, and even their subcontractors (fourth parties), that provide services to FIs. The TRM Guidelines overlap substantially with ISO 27001 but are noticeably more prescriptive.
We like that the TRM Guidelines make it easy to understand how an ISMS should be implemented, even without much cybersecurity experience: each control area is laid out against the risk it is meant to address. If you are a fintech thinking of doing business in Singapore, either ISO 27001 or the TRM Guidelines are a good place to start (even if they do not apply to you directly).
You can find the TRM guidelines here.
Cyber Hygiene Notices
Unlike the TRM Guidelines, which are recommendations, the Notices on Cyber Hygiene are legally binding. Also issued by the MAS, these notices are specific to each type of licence or FI. Here is a document covering the notices, together with FAQs, to help you understand them better.
Each notice is issued under a specific Act, for example the Credit Bureau Act 2016. They serve as a clear statement that cybersecurity must not be taken lightly, and that cyber threats and vulnerabilities pose a major risk to carrying out business securely.
The Cyber Hygiene notices are:
- 655 (banks)
- 834 (finance companies)
- 1119 (financial holding companies)
- TCA N06 (trust companies)
- CMG-N03 (capital markets entities)
- 1118 (merchant banks)
- 132 (insurers and insurance agents)
- 507 (insurance brokers)
- FAA-N21 (financial advisers)
- 655A (credit card and charge card licensees)
- PSN06 (payment service providers)
- a corresponding notice issued under the Credit Bureau Act 2016 (licensed credit bureaus)
Outsourced Service Provider’s Audit Report (OSPAR)
The OSPAR is not a guideline but the outcome of an audit of third-party service providers to financial institutions in Singapore. It forms part of the procurement process that banks in Singapore follow.
Published by the Association of Banks in Singapore (ABS) for Outsourced Service Providers (OSPs), it is intended to ensure that outsourced providers maintain the same level of cybersecurity risk awareness and management as the banks themselves. Put simply, the OSP is audited against the same standards as an FI, as if the FI were running the service itself.
The audit must be performed by an auditor appointed by the ABS. Although the controls overlap heavily with ISO 27001, you will still need to pay an auditor to obtain an OSPAR report. The audit process is very similar to that of SOC 2, so having a SOC 2 report will make your life easier (at least as of our last update of this article).
More information can be found on this page.
As the healthcare sector undergoes rapid digital transformation, the Ministry of Health (MOH) has also released cybersecurity guidelines for the healthcare sector in Singapore.
The Healthcare Cybersecurity Essentials (HCSE) covers the basic practices a healthcare institution should adopt and is particularly applicable to private hospitals and medical clinics. For each practice it includes a "why is it important?" section, to help healthcare workers understand the rationale behind each measure and control.
To further help the healthcare industry understand and implement cybersecurity, the MOH has also released a policy template for healthcare institutions to complete. This helps institutions cultivate the good practice of keeping track of the cybersecurity controls and measures in place across the organisation.
Circulars by the Ministry of Health
Whenever specific vulnerabilities or attacks emerge, the Ministry of Health issues circulars on the subject. For example, following the SolarWinds supply-chain compromise disclosed in December 2020, the MOH released an advisory promptly. These advisories are extremely useful for healthcare institutions.
Regulatory Guidelines for Software Medical Devices
As Software as a Medical Device (SaMD) grows in popularity, it introduces new cybersecurity risk for healthcare institutions. The Health Sciences Authority (HSA) has released the "Regulatory Guidelines for Software Medical Devices – A Life Cycle Approach", which sets out how cybersecurity should be managed across the whole life cycle of a SaMD.
Infocomm and Media Industry
The Infocomm Media Development Authority (IMDA) of Singapore plays a large part in ensuring the infocomm and media sector continues to grow sustainably. This means issuing regulations and licences to ensure the sector's growth is carried out securely.
To that end, IMDA has released a set of 'Codes of Practice' for the infocomm and media sectors it regulates.
General Regulatory Guidelines
Cybersecurity Act, codes of practice and notices
These fall under the responsibility of the Cyber Security Agency of Singapore (CSA) and include the codes of practice for owners of critical information infrastructure (CII) in Singapore. Although young startups rarely own CII, it is very important to take note of the best practices issued by the CSA, especially for companies trying to do business with the Singapore government.
You can find more information about them here.
The Personal Data Protection Act (PDPA) provides a baseline standard of protection for personal data in Singapore (comparable to the European GDPR). Data privacy is closely related to cybersecurity, particularly through the PDPA's Protection Obligation, which requires organisations to make reasonable security arrangements to protect the personal data they hold. Should a business fail to do so and suffer a data breach, the PDPA gives the Personal Data Protection Commission (PDPC) grounds for enforcement action, which often involves financial penalties.
This regulation is therefore one of the most comprehensive, and it is mandatory for businesses, but it does not prescribe what your information security programme should look like. This is why it is important to have an infosec programme in place.
Here is an infographic of the data protection obligations an organisation has. Complying with the PDPA is also one of the business practices that most boosts your business's image and consumer trust.
Remember that you will need to appoint a Data Protection Officer (DPO); you can register the appointment with the PDPC here. Registration is free, and your DPO will receive up-to-date information from the PDPC to help manage compliance.
Security at Government Agencies
The Singapore government has a set of policies, previously called IM8 and now called the Instruction Manual for ICT&SS (Infocomm Technology and Smart Systems) Management. It exists to manage risks adequately and to help ensure that government agencies are secure. The portion of the manual released to the public covers Digital Service Standards (DSS), Third Party Management (TPM) and Data; the security policies themselves are not disclosed to the general public.
Smart Nation has published 2 sets of documents for data protection.
- Personal data protection policies: sets out the “key policies in the IM on ICT&SS Management that govern how personal data is managed and protected by agencies”
- Government data security policies: sets out the "key policies in the IM on ICT&SS Management that govern how data security is managed by agencies"
If you are a business interested in providing third party solutions to government agencies, it is definitely a good read. 😉
Cyber threats do not target only a specific company size or industry. At cysense, we therefore believe in the value of cybersecurity for organisations of all sizes.
These regulatory compliance guidelines act as a reminder that cybersecurity matters regardless of industry. Complying with them is the simplest way to ensure your business stays safe amid the rising number of cyber threats.
Disclaimer: This article is accurate as of 14th Feb 2022, based on information from various sources. Please approach us in the event of any irregularities.
Ready for ISO 27001?
A certification can greatly boost the confidence your partners and customers have in your business. With a better understanding of ISO 27001, we hope you can start planning the roadmap and ISMS for your organization. Get in touch with us if you have more questions about security or you would like help getting certified.