Cyber Law in Asia

Singapore

Government Structure


Do they designate a lead cyber security agency within the government?

Yes. The Cyber Security Agency of Singapore (CSA).

Is oversight provided on a centralized or sectoral basis?

Centralized. The Cybersecurity Act of 2018 (the "Act") confers on the Commissioner of Cybersecurity broad oversight, advisory, and investigatory authority. The Act also authorizes the Commissioner to appoint existing regulators to serve as Assistant Cyber Commissioners for their respective sectors. See Cybersecurity Act 2018, Part 4.

Designation of Critical Infrastructure

Which sectors do they designate as critical information infrastructure?

11 Sectors. Energy, Info-communications, Water, Healthcare, Banking and Finance, Security and Emergency Services, Aviation, Land Transport, Maritime, Government, Media. See Cybersecurity Act 2018, First Schedule.

How do they designate within these sectors?

The Commissioner of Cybersecurity is responsible for designating a computer or computer system as a CII. See Cybersecurity Act 2018, Part 7.

Security Measures

Are there mandatory security measure requirements for CI, other than privacy/data protection laws?

Yes. The owner of a CII must perform an audit of compliance with the CII requirements in the Cybersecurity Act 2018 every 2 years. See Cybersecurity Act 2018, Part 15.

Does it take a risk-based approach?

Yes. See Cybersecurity Act 2018, Part 6.

Do the security measures enable the use of international standards?

Yes. "The government has publicly stated that, in the implementation of the Cybersecurity Act, it will take reference from internationally recognized standards when developing codes of practice and standards of performance for different sectors." See Drew & Napier LLC, Cybersecurity in Singapore, Lexology (Apr. 29, 2019).

Are security measures NIST CSF compatible? (Possible to comply through this approach?)

Unclear. While the Act does not provide detailed standards, the Act does authorize the Commissioner to issue "codes of practice or standards of performance for the regulation of the owners of critical information infrastructure." See Cybersecurity Act 2018, Part 11.

Do they include prescriptive or technology-based security measures?

The Cybersecurity Act is on its face technology-neutral but gives the Commissioner broad authority to issue codes of practice and standards of performance to ensure the cybersecurity of CII.

Incident Reporting

Are there mandatory incident reporting requirements?

Yes. For CIIs, the owner must notify the Commissioner of Cybersecurity of the occurrence "within the prescribed period." See Cybersecurity Act 2018, Part 14.

Are there clear thresholds above which an incident should be reported?

Yes. CII owners must notify the Commissioner of the occurrence of the following: (1) the unauthorized hacking of a CII; (2) the installation or execution of unauthorized software or code on a CII; (3) man-in-the-middle attacks, session hijacks or other unauthorized interception of communication between a CII and an authorized user; and (4) denial-of-service attacks. See CSA Incident Reporting; see also Cybersecurity Act 2018, Part 14.

How do they determine the timeline within which an incident must be reported?

The prescribed period is set out in Regulation 5 of the CII Regulations, which requires a CII owner to notify the Commissioner of the occurrence of a prescribed cybersecurity incident in the required form within two hours after becoming aware of the occurrence, and provide supplemental details within 14 days of the initial submission. See Cybersecurity Act 2018, Part 5.

Threat Information Sharing

Have they established a national threat information sharing entity?

No. There is currently no governmental body that coordinates national threat information sharing. CSA has worked with other agencies, like the Financial Services Information Sharing and Analysis Centre (FS-ISAC), in the past to keep up to date on threat information. See Aaron Tan, Singapore to bolster threat intelligence sharing in financial sector, ComputerWeekly (July 18, 2018).

Does this entity share information out to industry, as well as receiving information?

N/A

Is threat information sharing mandatory for any private sector entity?

N/A

Government Access Requirements

Are there requirements to provide government officials physical access to facilities?

Yes. If the incident is classified as severe, the Commissioner or other authorized official may, after "giving reasonable notice," enter the premises where the CII is located. See Cybersecurity Act 2018, Part 20.

Are there requirements to cede control of facilities in an emergency situation?

No.

Are there requirements to provide source code or other decryption capabilities?

No.

Localization Requirements

Are there requirements to establish a local presence - either officer or personnel?

No.

Are there requirements to localize data?

No.

Penalties

Are there financial penalties outlined? If so, what for and what is the maximum penalty?

Yes. A CII owner that fails to comply with the reporting requirements of the Cybersecurity Act 2018 may be liable for a fine up to $100,000.

A CII owner that fails to comply with the auditing/risk assessment requirements of the Cybersecurity Act 2018 may be liable for up to $25,000 (or more if the offense is continuing).

Additionally, any owner which does not comply with the Commissioner's cybersecurity exercises may be liable for a fine up to $100,000. See Cybersecurity Act 2018, Part 14.

Are there criminal penalties outlined? If so, what for and what is the maximum penalty?

Yes. A CII owner that fails to comply with the reporting requirements of the Cybersecurity Act 2018 may be imprisoned for up to 2 years.

A CII owner that fails to comply with the auditing/risk assessment requirements of the Cybersecurity Act 2018 may be imprisoned for up to 12 months. See Cybersecurity Act 2018, Parts 14-15.

Effective Dates

What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations?

The Cybersecurity Act of 2018 was published on March 16, 2018.

India

Government Structure


Do they designate a lead cyber security agency within the government?

Yes. The National Critical Information Infrastructure Protection Centre (NCIIPC).

Is oversight provided on a centralized or sectoral basis?

Sectoral. The basic responsibility for protecting a CII system lies with the agency running that CII. See NCIIPC, About Us; NCIIPC, Guidelines for Identification of Critical Information Infrastructure, August 2019.

Designation of Critical Infrastructure

Which sectors do they designate as critical information infrastructure?

Critical Sectors are defined as sectors which are critical to the nation and whose incapacitation or destruction will have a debilitating impact on national security, economy, public health or safety. See NCIIPC, Guidelines for Identification of Critical Information Infrastructure (August 2019).

How do they designate within these sectors?

Individual. The appropriate government department may, by notification in the Official Gazette, declare any computer resource which directly or indirectly affects the facility of a CII to be a "Protected System." See NCIIPC, Guidelines for Identification of Critical Information Infrastructure (August 2019).

Organizations have to make decisions on how to audit their IT infrastructure to determine what is critical and non-critical. See NCIIPC, Standard Operating Procedure (June 2017).

Security Measures

Are there mandatory security measure requirements for CI, other than privacy/data protection laws?

Yes. Every Protected System must form an Internal Audit team to conduct an internal cyber security audit every 6 months. They also must conduct an external audit by a private or government auditor every year, or whenever there is an upgrade or change in IT infrastructure/application/system software. See NCIIPC, Standard Operating Procedure (June 2017).

Does it take a risk-based approach?

Yes. A Vulnerability/Threat/Risk (VTR) assessment of enterprise wide cyber architecture must be part of the corporate planning/strategy. The resulting residual risk must have clear and unambiguous sign off from senior management. See NCIIPC, Guidelines for Protection of Critical Information Infrastructure, (January 2015).

Do the security measures enable the use of international standards?

Yes. International standards and guidelines were adapted to achieve efficient Information Security Infrastructure (specifically cites ISO27001 ISMS and NERC-CIP). See NCIIPC, Standard Operating Procedure (June 2017).

Are security measures NIST CSF compatible? (Possible to comply through this approach?)

Generally, yes. While it is not clear that NCIIPC has adapted its framework to the NIST Framework alone, the NCIIPC does require organizations to "evaluate correctness, consistency and completeness of their Security Policies with respect to standards such as . . . National Institute of Standards and Technology." See NCIIPC, Framework for Evaluating Cyber Security in Critical Information Infrastructure.

Do they include prescriptive or technology-based security measures?

No. The framework is, on its face, technology neutral. The identification and assessment of CII is based on outcome-based parameters.

Incident Reporting

Are there mandatory incident reporting requirements?

It depends on the sector. There are no generally applicable requirements under the NCIIPC Framework, but there are sectoral requirements.


The Indian Computer Emergency Response Team ("CERT") Rules, which were issued under the IT Act, impose mandatory notification requirements on service providers, intermediaries, data centers and corporate entities, upon the occurrence of certain cybersecurity incidents. See 2014 Information Technology Rules, §§ 70(b)(6)-(7), 12(1)(a). See also Ministry of Electronics and Information Technology, Report and Contribute to a Secure and Safe Digital India (2013).

Are there clear thresholds above which an incident should be reported?

Not generally, but it depends on the sector. Under the IT Act, "Cyber Security Incident" is defined as "any real or suspected adverse events, in relation to cybersecurity, that violate any explicitly or implicitly applicable security policy, resulting in unauthorized access, denial of service or disruption, unauthorised use of compute resources for processing or storage of information or changes to data, and information without authorisation." See 2014 Information Technology Rules, § 70(h).

How do they determine the timeline within which an incident must be reported?

Under the IT Act, incidents must be reported to CERT "as early as possible to leave scope for action." See 2014 Information Technology Rules, § 12(1)(a).

Threat Information Sharing

Have they established a national threat information sharing entity?

Yes. The NCIIPC. See NCIIPC, Guidelines for Protection of Critical Information Infrastructure (January 2015).

Does this entity share information out to industry, as well as receiving information?

Yes. The NCIIPC receives feedback from NCII constituents and adjusts controls and guidelines. See NCIIPC, Guidelines for Protection of Critical Information Infrastructure (January 2015).

Is threat information sharing mandatory for any private sector entity?

No. See NCIIPC, Guidelines for Protection of Critical Information Infrastructure (January 2015).

Government Access Requirements

Are there requirements to provide government officials physical access to facilities?

No. However, organizations must allow the government to perform systematic technical audits of IT infrastructure. See NCIIPC, Standard Operating Procedure (June 2017).

Are there requirements to cede control of facilities in an emergency situation?

No.

Are there requirements to provide source code or other decryption capabilities?

Yes, under the IT Act, the Central Government may, for secure use of the electronic medium and for promotion of e-governance and e-commerce, prescribe the modes or methods for encryption. Furthermore, "[t]he subscriber or intermediary or any person in charge of the computer resource shall, when called upon by any agency which has been directed under sub section (1), extend all facilities and technical assistance to intercept or monitor or decrypt the information, as the case may be." See Information Technology Act, §§ 69(3)(a), 84A.

Localization Requirements

Are there requirements to establish a local presence - either officer or personnel?

No.

Are there requirements to localize data?

Only for payment systems. The Reserve Bank of India promulgated rules in 2018 that required that data collected be localized within six months. See Kalika Likhi, India’s data localization efforts could do more harm than good, Atlantic Council (Feb. 1, 2019).

Penalties

Are there financial penalties outlined? If so, what for and what is the maximum penalty?

Yes. There are several penalties listed in the Information Technology Act. Some are applicable here. Entities are required to pay damages as compensation for failure to protect data, not to exceed five crore rupees. There are also penalties for failure to furnish information to authorities. See Information Technology Act, §§ 43A, 44.

Are there criminal penalties outlined? If so, what for and what is the maximum penalty?

Yes. There are several offenses listed in the Information Technology Act. Only a few are applicable here. Failure to provide interception/monitoring/decryption access to a computer to government officials when they determine it is in the interest of India can result in imprisonment up to 7 years. Failure to supply information to NCIIPC when asked can result in imprisonment for up to 1 year or a fine. See Information Technology Act, §§ 69, 70B.

Effective Dates

What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations?

The Information Technology Act was notified on October 17, 2000. It was amended on February 5, 2009.

© 2023 by National Cyber Law Project Reference Site


Disclaimer: This material presented in the International Law Project was prepared by Wiley Rein LLP, the United States Chamber, and the National Security Institute at the Antonin Scalia Law School at George Mason Law School. It is not legal advice. Chamber members using this information should consult their own counsel as needed for compliance and regulatory issues in particular jurisdictions. The information contained herein is provided as a resource, as is, based on domestic regulations and laws as of January 30, 2020. Regulations and laws change so you should consult other resources to ensure continued accuracy.