IN TODAY’S digital economy, strong cybersecurity is a fundamental obligation for any company that handles sensitive personal and business data. Major data breaches can crater stock prices, shatter consumer trust and invite hefty legal liabilities and regulatory penalties.
Boards and management that treat cybersecurity as a backburner IT issue rather than a top corporate priority are putting their companies and stakeholders at grave risk. SID published a Cyber Resilience Guide for Boards in Singapore last month, with frameworks and actionable steps to help board directors strengthen their organisations’ cyber resilience and navigate evolving cybersecurity challenges.
Global regulators cracking down
Regulators in major markets are starting to take a tougher stance and demand greater accountability from companies that suffer cyber lapses. In October 2023, IT management software provider SolarWinds was charged for control deficiencies that allowed hackers to breach its software development environment and spread malware to thousands of customers.
The US Securities and Exchange Commission (SEC) settled charges with four companies – Unisys, Avaya Holdings, Check Point Software Technologies and Mimecast – for making misleading disclosures related to the 2020 SolarWinds hack and downplaying the severity and extent of the intrusions in their public statements. Unisys agreed to pay a US$4 million (S$5.4 million) penalty, and the other firms settled for fines of around US$1 million each.
While critics argue the SEC is overreaching by wielding accounting provisions to police cybersecurity, there’s no denying the SEC means business and is pushing companies to beef up cyber risk management. A new SEC rule that took effect in December 2024 requires public companies to disclose material cybersecurity incidents within four days.
Across the Pacific, the Australian Information Commissioner (AIC) launched a landmark lawsuit in June 2024 against health insurer Medibank over a breach that exposed 9.7 million customers’ sensitive data. The AIC alleges Medibank failed to take reasonable steps to safeguard personal data as required by Australia’s Privacy Act. The case will test the AIC’s ability to seek stiff civil penalties, and signals heightened liability risks for Australian companies.
The Singapore situation
What are Singapore regulators doing to hold companies accountable and drive stronger cybersecurity governance?
Companies here report a growing onslaught of attacks. In 2024, at least 10 firms listed on the Singapore Exchange (SGX) disclosed ransomware incidents. They include Bukit Sembawang Estates, Aztech Global, RE&S, YKGI, Jumbo Group, Soon Lian Holdings, Japan Food Holdings, ES Group, Hiap Seng Industries and Mustafa. Even law firm Shook Lin & Bok was not spared.
The Cyber Security Agency of Singapore reported that ransomware incidents lodged with the agency remained high in 2023 at 132 cases, unchanged from 2022. Globally, ransomware incidents jumped 74 per cent, with 4,506 attacks in 2023 compared to 2,593 in 2022, according to officials at the Counter Ransomware Summit.
A majority of Singapore firms continue to pay ransoms. A survey by data security consultant Cohesity that polled over 500 companies in Singapore and Malaysia found that 65 per cent of respondents feel forced to pay ransoms because of inadequate data recovery capabilities and disruptions to business operations. Moreover, more than 90 per cent of respondents anticipate an increase in cyberthreats.
It is only a matter of time before Singapore regulators start penalising companies for cybersecurity failures. This may not be a bad thing. While it is understandable to focus accountability on systemically important entities like banks and telcos, the reality is that all companies have a duty to protect sensitive data and digital assets. Regulatory pressure can drive much-needed improvements in governance and risk management.
Wielding Rule 1207(10) for stronger accountability
Singapore already has a foundation for driving corporate accountability on cybersecurity. SGX Listing Rule 1207(10) requires boards to opine on the adequacy and effectiveness of risk management and internal controls, including IT controls, with the audit committee’s concurrence.
In practice, however, Rule 1207(10) disclosures often lack substance. Many boards simply assert that controls are adequate without sharing their basis. It is unclear how rigorously they are stress-testing cyber risk management frameworks.
To give Rule 1207(10) more teeth, SGX should issue detailed guidance encouraging companies to make more detailed disclosures on their cybersecurity controls, risk management systems and cyber insurance policies. This could include insight into board oversight mechanisms, risk assessment processes, control environments, incident response plans, budgets and track records.
Ultimately, investors need more than perfunctory assurances. They need to understand how boards are governing cyber risk in practice – the hard questions asked, the oversight exercised, the investments made.
The rising tide of attacks on firms shows that regulatory pressure to bolster cybersecurity is inevitable and necessary. But calibrating this accountability push requires care. An overly punitive approach could backfire, incentivising companies to obscure rather than disclose incidents.
SGX has the opportunity to make Rule 1207(10) a leading regional benchmark for cyber risk governance. By encouraging substantive disclosure in a balanced manner, it can spread best practices and elevate standards without being unduly burdensome.
The writer is a member of the Accreditation and Professional Development committee at the Singapore Institute of Directors.