Singapore’s new Cybersecurity Bill: What’s changed and what happens next
Jan18

Singapore’s new Cybersecurity Bill: What’s changed and what happens next

Singapore has taken a step closer to passing its first Cybersecurity Act. On 8 January 2018, Singapore’s first Cybersecurity Bill was read in Parliament. This Bill is an updated version, and was revised following a public consultation process on the initial draft Bill in July 2017. The government received 92 submissions from a diverse range of stakeholder groups, and the consultation was extended in response to requests for more time to provide feedback, reflecting the level of interest in this legislation. This updated Bill is a timely and important development in view of increasingly sophisticated cyber-attacks that could potentially cause major disruptions to Singapore’s economy. The intention behind this Bill is to have a coordinated national approach to cybersecurity, and ensure that critical information infrastructure (CII) across all sectors are protected consistently. We summarised the key provisions in the previous Bill in our earlier post. In this post, we summarise the key changes introduced by the updated Cybersecurity Bill: What has changed? 1.  Critical information infrastructure. This updated Bill tightens certain important definitions, and acknowledges that the owners of CII may not always be best placed to ensure that the statutory obligations are fulfilled. The key changes are as follows: Definition of CII. The definition of CII has been tightened and will only include those computer or computer systems that have been designated as such by the Commissioner. Definition of owners of CII. Owners of CII, who will need to comply with the relevant statutory obligations under the Bill, are now defined as legal owners (instead of someone with effective control over the CII etc.). The Cyber Security Agency of Singapore (CSA), in its end-of-consultation report, further clarified that computer systems in the supply chain supporting the operation of a CII will not be designated as CII, and therefore third party vendors will not be considered owners of CII. These are positive developments as there is now certainty over the imposition of statutory obligations. Responsibility for compliance. There is also now a mechanism for owners of CII to request the Commissioner to address the notice for compliance to another person under certain conditions (e.g. if the owner does not have effective control over the operations of the CII). This acknowledges that owners may not also be operators of the CII, and are hence not best placed to ensure that the statutory obligations are fulfilled. 2.  Government power to access data. Some of the responses expressed concerns about the government’s broad rights to access information and systems. However, the broad powers granted to the Commissioner to access physical and digital assets have, if anything, been increased further. Although the degree...

Read More
Transforming Singapore into a Technology-driven Global Financial Centre
Nov13

Transforming Singapore into a Technology-driven Global Financial Centre

On 30 October 2017, the Monetary Authority of Singapore (MAS) released an industry transformation map (ITM) for financial services that outlined an agenda for continuous innovation and technology adoption. As a law firm that combines a deep-seated funds and investment management expertise with a leading-edge technology practice, we would like to highlight the following takeaways from the ITM: 1. Leading fund and wealth management hub. MAS is working with the financial industry to develop a centre of excellence for wealth management technology and innovation. A significant part of this initiative would be using big data and artificial intelligence to counter money laundering in the region and maintaining Singapore’ reputation as a clean financial centre. This can be done by identifying unusual patterns of transactions across a network of entities and across times. Digital advisory services, where programs assist clients in deciding on investment portfolios, are also becoming more popular. The introduction of these new technologies are however not discrete, and are instead part of a larger transformation of the financial services ecosystem. 2. Technological innovations. MAS acknowledges that technology has changed the financial services industry, and it is crucial for our financial sector and regulations to transform in tandem. A key focus under the ITM is to facilitate innovation in the sector by encouraging the adoption of technology by financial institutions. For example, MAS will collaborate with financial institutions to create common standards such as for electronic payments, and electronic know-your-client checks. These will accelerate the adoption of technology by financial institutions which will ultimately benefit customers. The ITM reflects what is already happening in practice. We have noticed a greater convergence of fund and wealth management and technology, where fund and wealth management institutions are starting to invest in new technologies such as crypto-currency or blockchain technology. MAS, in turn, has also sought to boost the Singapore venture capital landscape with relaxed rules for fund managers (we recently wrote an article on this which can be accessed here). The ITM enforces this interaction and is a step in the right direction to encourage or enable more of such crossovers in future. Taking a step back, the ITM is part of wider ambition to create a Smart Financial Centre in Singapore, where technology is used pervasively in the financial services industry. MAS is taking a holistic approach to this transformation, by setting up an international advisory panel for cybersecurity matters. This ambition brings with it certain risks, and the advisory panel will bring global perspectives on evolving technologies and cyber threats and their implications for financial services. Overall, with the transformation of the way financial services are delivered, customers can...

Read More
IP in the Cloud: the China Perspective
Oct24

IP in the Cloud: the China Perspective

China is in the middle of a rapid shift towards cloud technologies. Execution of the 13th Five Year Plan will deliver substantial investment into cloud computing and the sector is undergoing unprecedented growth. Meanwhile, organisations operating in this digital economy face an increasingly complex intellectual property (IP) environment, as China becomes a global IP centre and scales up IP protection, enforcement and penalties for infringement. Indeed, the number of cloud-related IP lawsuits in China grew 158% between 2011 and 2016. Against this backdrop, organisations face an important question: how can they take advantage of the enormous opportunities presented by the cloud in a way that manages this complex IP landscape? In this post, Matt Pollins and Nick Beckett from CMS look at the practical steps organisations can take to protect themselves and succeed in the cloud. China’s “Internet Plus” economy and the role of cloud computing China is undergoing a rapid digital transformation. The “Fourth Industrial Revolution” is well underway, as the Government’s “Internet Plus” initiative sees the integration of digital technologies into organisations in every industry across the nation. The 13th Five Year Plan, which prioritises digital technologies and innovations, is the driving force of this digital transformation. As part of the Plan, China’s broadband coverage will reach 70% of households by 2020. Mobile internet will reach around 85% of the population, adding a staggering 400 million additional internet users. Against these seismic shifts in technology development and adoption, the opportunity for organisations to leverage digital technologies to drive growth and improve services is clear – whether it is the shift towards cashless payments, the growth of tele-health or the explosion in e-commerce sales. And, not content with maximising the opportunities arising from growth in the domestic market, Chinese companies are going global, launching international enterprises, from e-commerce to digital media. At the core of China’s digital transformation is cloud computing. The sector has grown an average of 40% year-on-year since 2011 and there is no sign of the pace of cloud adoption slowing. China’s digital economy is being built on cloud services, often provided by third party cloud service providers. The cloud offers the opportunity to expand into new businesses and markets faster than ever before. However, this new opportunity comes with new challenges and, like every transaction with a supplier, customers need to assess any associated legal considerations. Like our previous posts on the position in Europe and South-East Asia, this post focuses on an often-overlooked legal consideration in moving to the cloud: IP. “Infringers will pay a heavy price”: China ramps up IP protection and enforcement China is fast becoming a global centre of innovation....

Read More
The Hotel of the Future: Legal Considerations in Hotel Innovation
Oct17

The Hotel of the Future: Legal Considerations in Hotel Innovation

Imagine having your luggage checked straight to your hotel as you alight from your plane, and the next time you see it will be in your hotel room. Lugging of bags from the airport to the hotel may become a thing of the past. Or imagine using your phone to access your room as well as attractions, instead of having to juggle multiple access cards and tickets. This “Hotel of the Future” may soon be a reality, if the recommendations of Singapore’s Hotel Innovation Committee (HIC) are followed. The HIC was formed in February 2016 to oversee the industry’s adoption of innovative solutions, following the recommendations of the Hotel Industry Expert Panel Report. The HIC has released its Best Practices Guide for Hotels in July 2017, and they are currently evaluating submissions received for the Tourism Innovation Challenge for Hotels, a crowd-sourcing pitch exercise. In this post, we look at the opportunities that these developments bring for the hotel industry and comment on some of the key legal considerations for the “Hotel of the Future”, mapped to some of the HIC’s recommendations. The innovation opportunity The hotel sector is well positioned to reap the benefits that technology may bring, driven by rising demand from increasingly sophisticated travellers, and greater applicability of technology in providing a more seamless experience. Innovation will be fundamental in transforming the hotel sector towards productivity driven growth. This is especially important in light of the increased competition as seen in the rise in the number of hotel rooms in Singapore in recent years. Between 2012 and 2016, total available room nights rose by nearly 30% from 12,477,908 in 2012 to 16,161,862 in 2016, which dampened revenue by approximately 12% (average revenue per available room dropped from $226 in 2012 to $198.8 in 2016). Key legal considerations 1. Privacy and data protection – Responsible collection and usage of information As guests connect via a growing number of digital touchpoints, hotels will generate and collect more data than ever before, whether via wearable technology (for in-house payments, room access and even entry to attractions), targeted marketing (such as providing tailored sightseeing recommendations) or loyalty programmes. With all of this data comes the obligation to comply with data protection laws – including, in particular, the Personal Data Protection Act (PDPA). Organisations need to have robust processes and systems in place. Not only is compliance a legal requirement but it is also good business practice. Taking steps such as being transparent about data collection practices, obtaining appropriate consents and keeping data secure will be key to building a trusted relationship with guests in the Hotel of the Future. Our...

Read More
New opportunity for Singapore banks: MAS expands scope of permissible activities
Oct10

New opportunity for Singapore banks: MAS expands scope of permissible activities

On 29 September 2017, the Monetary Authority of Singapore (MAS) released a public consultation paper to relax the anti-commingling rules for banks. This is a follow-up from the Minister for Finance’s announcement in June 2017 that these rules will be further adjusted. See our previous post on the announcement here. Since the introduction of the prohibition on banks to carry out non-financial businesses more than a decade ago (the anti-commingling rules), the banking landscape has evolved. Technological advancements have disrupted traditional banking business models. Today, consumers can access financial and related non-financial services seamlessly. Banks are also facing competition from non-financial players who are leveraging their large user bases to provide e-payments and other financial services. MAS acknowledges this new environment, and recognises that the anti-commingling rules can be simplified and adjusted. MAS’s proposals will allow banks to broaden and better integrate their financial services. Crucially, the adjusted rules will continue to ensure that banks remain focused on their core banking business and competencies, and avoid potential contagion from the conduct of non-financial businesses (the core policy objectives). The following are the key proposals under this public consultation paper: Streamlining the conditions to carry out non-financial businesses. Currently, banks are allowed to carry out non-financial businesses, but only upon compliance with certain minimum requirements. These requirements are onerous and include the requirement to obtain prior approval from the banks’ parent supervisory authorities. MAS proposes to simplify the rules by removing this requirement, subject to certain conditions. The primary condition is that the aggregate size of all non-financial businesses cannot exceed 10% of the bank’s capital funds. This is to limit contagion risks and ensure that banks remain focused on their core financial business. Broadening the scope of permissible non-financial businesses. MAS acknowledges that the online purchase of goods and services and the use of e-payment services are becoming increasingly integrated. Many non-financial entities are also starting to deliver financial services through their online platforms. MAS proposes to broaden the scope of permissible non-financial businesses to enable banks to better compete against such non-financial players in this new digital economy. The proposal allows banks to engage in: (i) operating online platforms that match buyers and sellers of consumer goods or services; (ii) sale of consumer goods or services via online platforms; and (iii) any business incidental to (i) and (ii) including the provision of logistic services to deliver goods to consumers. MAS also proposes to allow banks to engage in: (i) sale of software or systems originally developed by the bank for its financial business; and (ii) entering into tie-ups to sell or provide products or services (which the counterparty...

Read More
3 Things you need to know about Singapore’s proposed changes to Data Protection
Jul31

3 Things you need to know about Singapore’s proposed changes to Data Protection

On 27 July 2017, the Personal Data Protection Commission of Singapore (PDPC) issued a public consultation paper on managing personal data in the digital economy. The consultation paper seeks to greater facilitate the use of personal data in the digital economy through changes to the consent requirements and at the same time seeks to ensure that security standards are uplifted through the introduction of mandatory breach notification. The consultation paper is a step in the right direction for Singapore on its Smart Nation journey given the importance of data analytics in the digital economy, whilst the mandatory breach notification provisions align the Singapore data protection regime with that of Singapore’s draft Cybersecurity Bill which was recently introduced. The consultation paper demonstrates that the PDPC recognises the importance of data for innovation and growth, and has proposed changes to ensure the regulatory environment keeps pace with evolving technology in enabling innovation, while ensuring effective protection for individuals’ personal data in the changing landscape. The following are the 3 key things you need to know about the PDPC’s proposed changes: Notification of purpose can be sufficient. Although the PDPC proposes that organisations should still seek consent for collecting, using and disclosing personal data where practicable, it recognises the need to cater to circumstances where consent is not feasible or desirable, and where the collection, use or disclosure would benefit the public. The PDPC recommends that notifying individuals of the purpose can be sufficient where: (i) it is impractical to obtain consent (and deemed consent does not apply); and (ii) the collection, use or disclosure of personal data is not expected to have any adverse impact on individuals. However, when using this exception, organisations have to conduct a risk and impact assessment and put in place measures to identify and mitigate the risks that may arise. Consent (or notification) not needed where it is for a legitimate purpose. Under the current personal data protection regime, except for where an exemption applies, organisations are not allowed to collect, use or disclose personal data without consent even for a legitimate purpose if this is not expressly provided for or required under any written law (e.g. the sharing and use of personal data to detect and prevent fraudulent activities). As such, the PDPC proposes to update the law so that organisations will be able to collect, use or disclose personal data without consent where: (i) it is not desirable or appropriate to obtain consent; and (ii) the benefits to the public clearly outweigh any adverse or risks to the individual. Again, when relying on this exception, organisations have to conduct a risk and impact assessment...

Read More