SINGAPORE: There remains uncertainty over how the changes to Singapore's Computer Misuse and Cybersecurity Act (CMCA) will affect businesses here, industry stakeholders said, with one business leader calling for better communication of the regulations.
Mr Ken Soh, group CIO of BH Global, a service provider to the marine and offshore, and oil and gas industries, told Channel NewsAsia in an email interview that while some of the changes to the law are clear-cut, such as the extraterritorial application of CMCA offences that cause serious harm to Singapore, it is not so with others relating to the use of personal information.
For instance, the misuse of credit card information is an obvious criminal act, Mr Soh said. But if a seemingly legitimate marketing database contained personal data gotten through illegal means, would the users of the database be prosecuted, he wondered.
Ms Tammie Tham, chairman of the Cyber Security Chapter at the Singapore Infocomm Technology Federation (SiTF), acknowledged that there were some “initial worries” from members that their employees might unknowingly break the law while dealing with hacking tools.
As part of their work, some are using hacked personal information for forensic analysis, or downloading hacking tools to learn how they work, Ms Tham pointed out.
“We have provided our feedback to the Government about these concerns, and have been assured they will be understanding of the jobs (these workers) do,” she said.
COMPLIANCE COSTS TO RISE
That said, Mr Soh recognised that the ongoing enhancements to the cybercrime laws are “not just a natural progression, but a necessity”.
The BH Global executive said companies need to step up the necessary internal awareness programmes and to make sure corporate policies are enhanced to cater to the new amendments. An example is implementing a company-wide policy adhering to the Personal Data Protection Act (PDPA) to mitigate one’s legal exposure, he suggested.
These measures will likely add to companies’ costs, Mr Soh said, particularly in PDPA-related consulting programmes, as well as time and resources needed to fulfil ongoing awareness programmes.
The costs vary from company to company, and depend on whether an external consultant is needed to conduct a compliance assessment, but he estimated that the costs could range from a few thousand to tens of thousands of dollars.
“My sense is, for smaller SMEs (small- and medium-sized enterprises), even a thousand or so might be a hindrance, since this might not be seen by many as a priority in their business operations. So, there is a need for awareness and mindset changes, alongside cost considerations,” Mr Soh said.
These concerns were brought up during the debates on the CMCA changes in Parliament, with Nominated Member of Parliament (NMP) Thomas Chua noting that businesses are lacking in risk awareness and digital capability. Another NMP, Ms K Thanaletchimi, questioned the awareness level of cybersecurity and its importance among companies here, particularly SMEs.
"DOWN-TO-EARTH" COMMUNICATION NEEDED
Mr Soh also noted that, in general, the Government has always been proactive on grants and programmes, but such good intentions are “typically not well-comprehended” by SMEs.
As such, he suggested that SMEs could be better supported with streamlined administrative processes and more “down-to-earth communications” to raise awareness of these grants and programmes. One way could be to hire and retrain retrenched staff formerly with SMEs, who might be better equipped to speak the lingo of these “towkays”, to keep them in the know of the relevant grants and programmes.
In doing so, these ambassadors could raise awareness of the seriousness of advanced cyber threats today, how they are different from previous threats, how they could potentially affect business operations and the availability of grants to help them improve their cybersecurity policies, Mr Soh explained.
For its part, SiTF said it has been proactive in helping members get up to speed with the changes.
Ms Tham said a mailer was sent to all members after the CMCA amendments were announced. “It’s important for the ICM industry to know that the intention is not to criminalise legitimate cybersecurity practices,” she noted, adding that if members had further questions, it would assist by bringing them up with the relevant authorities.