Last year, there were several new cybersecurity developments introduced around the globe to reduce the risk of catastrophic cyber events at national critical infrastructure. These include regulations from the New York Department of Financial Services (NY DFS), the White House’s Executive Order on Cybersecurity, the EU’s General Data Protection Regulation (GDPR), China’s new Cybersecurity Law, and Hong Kong’s Cybersecurity Fortification Initiative.
Many of these developments introduced new mandatory requirements around breach notifications, self assessments, and ongoing third party monitoring — a trend which appears to be continuing into 2018. Last week, Singapore’s Parliament passed its first Cybersecurity Bill into law. Citing the rising concerns that cyber threats pose to national security and public health, the new regulation attempts to put in to place proactive security measures meant to strengthen and protect the nation’s most essential services.
Singapore’s Cybersecurity Bill was officially passed into law on Monday, February 5th. The new Act applies to “any critical information infrastructure located wholly or partly in Singapore.” A critical information infrastructure (CII) is any “computer or computer system” deemed necessary for the continuous delivery of Singapore’s 11 primary essential services. Essential services are considered any service that, if compromised, would have a “debilitating impact on the national security, defense, foreign relations, economy, public health, public safety or order of Singapore.” The sectors considered essential services include: Energy, Information/Communication, Water, Healthcare, Banking and Finance, Security and Emergency Services, Aviation, Land Transport, Maritime, Government, and Media.
Under the new law, those entities considered to be CII providers will be required to report cybersecurity events to the Cyber Security Agency (CSA) of Singapore. Additionally, CIIs will be required to report on technical architecture related to interconnected infrastructure, conduct regular compliance audits and ongoing cyber risk assessments, as well as participate in required cybersecurity exercises put in place by the Commissioner. Failure to comply with the new development will results in financial penalties of up to $100,000 and/or two years in jail.
At Bitsight, we recognize that security and risk leaders need an effective solution which can quickly scale at the growth of their business, and also evolve as more and more cybersecurity regulations emerge. Bitsight Security Ratings are a critical step in measuring compliance to increasing security regulations and international cybersecurity standards. For example, with the NIST Cybersecurity Framework (CSF), Bitsight Security Ratings enable organizations to continuously monitor how effectively their (and their third parties’) information security programs align to the NIST CSF: security ratings automatically map to the NIST Framework, enabling organizations to quickly assess their cybersecurity maturity and identify important trends. Additionally, Bitsight Security Ratings can also help organizations advance their security program by aligning with the General Data Protection Regulation, a critical international regulation beginning in May 2018.
Bitsight can also be leveraged to help organizations meet the increasing amount of cybersecurity regulations that are emerging, including the Singapore Cybersecurity Bill. Bitsight Security Ratings, which provide a daily, objective, outside-in view of the current state of security, provide continuous monitoring capabilities that can be leveraged to help meet compliance requirements. Bitsight helps organizations with ongoing risk assessments, provides an objective and actionable metric for security and risk leaders to report to executives, regulators and the Board, enables investigations into security events as they arise, and facilitates data-driven conversations that help both organizations and their vendors get to remediation faster.