The recent cyberattack on Singapore’s SingHealth network led to the theft of around 1.5 million individuals’ data. Prime Minister Lee Hsien Loong’s information seemed to be deliberately targeted by the attackers.
Ian Roberts, partner at international law firm Clyde & Co and leader of its non-marine insurance practice in Singapore, said that the incident highlights the importance of cyber risk management for all companies. He offered his comments on the recent cyberattack and listed six steps organisations must consider when under cyberattack.
“Singapore’s Cybersecurity Act, which came into force earlier this year, aims to protect critical information infrastructure (CII) against cyberattacks,” said Roberts. “The CII sectors include healthcare as well as energy, water, banking and finance, transport, infocomm, media, security and emergency services, and government.”
Furthermore, the Act authorises the Cyber Security Agency of Singapore (CSA) to take protective measures and respond to cybersecurity threats. It also empowers the Commissioner of Cybersecurity to conduct investigations, as demonstrated in the SingHealth attack.
He added that cyber risk can be managed and mitigated with cyber insurance, which is becoming more popular as a key aspect of a company’s strategy. The first 48 hours after a company has identified a cyberattack are crucial, and there are six steps firms must consider:
1. Manage and protect communications
It is highly recommended that a legal advisor be assigned the duty of coordinating the rapid response team as they will be able to liaise with team members and the company, and claim the protection of legal professional privilege over most of those communications.
2. Stop the attack
It is of course critical that any cyberattack be stopped as soon as possible.
Where available, a security and technology plan should be executed to respond to the attack, including identifying the extent of damage caused by the attack and also to limit the extent of business disruption caused.
In the SingHealth cyberattack, news reports indicate unusual activity was detected on SingHealth’s IT databases on July 04, and immediate action was taken to halt this while investigations took place and security measures were established. Network traffic was closely monitored before it was ascertained it was indeed a cyberattack and the Ministry of Health and CSA were informed, and forensic investigations were carried out.
3. Determine if there been a data breach
Contrary to common misconceptions, a cyberattack and a data breach are not the same. While many cyberattacks have the primary aim of extracting data from a system, constituting a data breach, other forms of attack aim to directly extort funds from a company (for example, certain malware attacks).
4. Breach notifications
If a data breach has occurred, it is important to identify as accurately as possible the extent of the records stolen, particularly the nature of the information stolen and the location (or locations) of the affected entities, which is required for notification purposes.
Identifying the jurisdictions and breach notification laws of each jurisdiction as soon as possible is critical given the diversity in the requirements that notification laws across the world impose. Legal advisors with a global reach greatly assist in undertaking this possibly mammoth task within a reasonable timeframe.
The variety of the notification requirements for even a relatively minor breach can be surprising, with regulations in some jurisdictions amounting the breach to criminal conduct, whereas no action may be required in other jurisdictions. The deadlines by which a breach needs to be notified also vary.
Singapore is currently reviewing its Personal Data Protection Act (PDPA) including the likely implementation of a mandatory breach notification regime. The proposed approach will strike a reasonable balance between the need for organisations to collect, use and disclose personal data and individuals’ right to the protection of their personal data. It is anticipated that notification will be deemed mandatory where the scale of the breach involves data of more than 500 people, for example, according to the proposals.
In the case of SingHealth, all patients, whether or not they are affected, will receive an SMS notification over the next five days. Or they can choose to proactively access a mobile app or the SingHealth website to check if they have been affected.
5. Managing communications
Depending on how serious a breach is and the extent of the notification that will be made, a breach coach may also need to consider, in conjunction with the jurisdictional legal advisors and the company, whether any public relations material or campaigns will need to be prepared to protect the brand and reputation of the affected company.
6. Cyber insurance
The most comprehensive cyber policies include rapid response cover. Unlike most other policies, the protection afforded by rapid response could come into play as soon as a potential cyberattack has been identified, before the existence of a claim has been established.