Singapore - Changes To The Computer Misuse And Cyber Security Act.
Legal News & Analysis - Asia Pacific - Singapore - Cybersecurity
20 July, 2017
The Computer Misuse and Cyber Security Act ("CMCA") was enacted in 1993 to regulate the unauthorized use of computers to access or modify data. Under the CMCA using a computer to secure unauthorised access to any program or data held in other computers in order to commit an offence is a penal offence.
The amendments seek to expand the scope of the CMCA in order to tackle the increasing scale and transnational nature of online crimes.
The amendments criminalise acts enabled by cybersecurity attacks. The use of personal data obtained via an act in breach of the CMCA would be an offence. It would also be unlawful to use hacked credit card details, even if the act of hacking was committed by another.
Acts enabling cybercrime such as obtaining or dealing in tools which may be used to commit a CMCA offence such as malware and port scanners are also criminalised.
The amendments now allow for the extraterritorial application of CMCA offences. The CMCA presently penalizes criminal acts committed while overseas against a computer located overseas, if the act causes or creates significant risk of serious harm in Singapore. Serious harm is defined as injury, death or disruption to essential services.
Multiple unauthorized acts against a computer over a period of time may be now combined in a single charge, allowing for the application for enhanced penalties where the combined acts result in high aggregate damage.
Impact on businesses
Businesses must be aware of the possible consequences should products or methods used be found to facilitate any of the above mentioned offences.
This is especially so for small and medium enterprises ("SMEs"), which may lack the capability to conduct proper compliance measures or risk assessment. However, the IMDA will introduce a new SME Technology Hub to provide in- person advice on areas including cybersecurity to these SMEs.
Proposed Cybersecurity Bill
New Cybersecurity Bill
As part of the National Cyber Security Masterplan 2018 to make Singapore a Trusted and Robust Infocommunication Hub by 2018, a standalone Cybersecurity Bill will be tabled in Parliament in 2017. This is intended to complement the current Computer Misuse and Cybersecurity Act("CMCA"), which criminalises activities like the unauthorized use, access, interception and modification of computers, data and computer services.
On 10 July 2017, the Ministry of Communications and Information and the Cyber Security Agency of Singapore issued a Public Consultation Paper on the Draft Cybersecurity Bill.
For a summary of the key sections of the draft Bill, see our earlier Client Alert ("Singapore Releases Public Consultation Paper on Draft Cybersecurity Bill").
Broadly, the new Cybersecurity Act will institute standards for incident report, audits and risk assessments, as well as facilitate sharing of cybersecurity information. The participation of critical infrastructure operators in cybersecurity exercises will be mandatory.
The reporting obligation is not presently mandated under the CMCA unless the Minister for Home Affairs specifically requires a person to do so.
The Cybersecurity Agency, a body established to manage cyber security strategy, education and outreach, will be empowered to manage cyber incidents and raise the standards of cyber security providers.
Businesses should position themselves to be ahead of the curve and adopt a cyber security system that will be able to detect risks early, mitigate these risks and respond robustly. Training for employees to deal with cyber security risks and threats will be of paramount importance.
Businesses should keep themselves apprised of the upcoming developments in the cyber laws and ensure that they take regular steps to comply with its requirements.
For further information, please contact:
Andy Leck, Principal, Baker & McKenzie.Wong & Leow