Published on 10 Aug 2017

Success of cyber security bill hinges on balancing costs and benefits

By Shaun Wang

We live in an age of rapid digitisation where mobile communication and cloud computing have dramatically increased cyber connectivity. The economic benefits of digitisation are shown by leading companies such as Google, Amazon, Facebook, Uber, Airbnb, Tencent and Alibaba. Digitisation has, however, produced economic threats such as hacking, cyber espionage and fake news. As a result, cyber security has become a key concern for countries, businesses and consumers. More than just a technical issue, cyber security is economically important. Cyber risk management involves controlling the negative aspects of the digital economy and protecting its benefits. Singapore's ability to manage the myriad fast-evolving threats to cyber security will determine its future economic trajectory.

On July 10, Singapore's government released a draft cyber security bill for public consultation that ends on August 3. The bill proposes handing broad authority to the Cyber Security Agency (CSA) to coordinate efforts and to designate owners of critical information infrastructure (CII). It formalises the duties of CII owners in ensuring their own cyber security, including conducting regular audits of compliance, and making regular assessments of cyber threats. Failure to comply is a criminal offence that carries a maximum fine of S$100,000 or a 10-year jail term, or both. The bill focuses on CII owners, but its impact is much broader because many organisations have business ties with CII owners.

The bill shows that Singapore is taking a holistic approach to cyber threats to protect the system of critical information infrastructure.

Although the bill is comprehensive, it is unrealistic to expect it to cover all aspects of cyber threats or enumerate every possible situation. The bill largely addresses computer systems and, to a lesser extent, false information and fake news on social media. It also does not seek to identify and prosecute the perpetrators of cyber crimes, a task for which the law enforcement authorities are responsible.

Research reveals that the efficacy of rule-based regulation declines when complexity increases, and the marginal benefit of compliance decreases when the cost exceeds a threshold. As such, we must weigh the cost of compliance and the economic benefit from strengthening cyber security.

To be sure, the bill carries risks and rewards should it be passed into law.

  1. The upside: the bill will help Singapore become a smart nation by enhancing its cyber security and information security technology. That will give the country a competitive edge and secure its leadership as a regional centre of finance, shipping and aviation.
  2. The downside: the costs of regulatory compliance and audits may hurt Singapore's economic competitiveness and deter international investors.

The public needs to be kept apprised of how the bill's regulatory demands would be met, and of an analysis of the economic costs and benefits. Singapore needs to set practical parameters and focus on pragmatic solutions. Regulatory compliance by itself is not enough to tackle cyber criminals from around the world, and spending more on bolstering cyber security may not always work. Companies should, nevertheless, be encouraged to step up their cyber defence capability.

What will become most relevant are regulations that are specific to individual sectors. The efficacy of Singapore's cyber security will depend on how the legislative bill is translated into sector-specific regulations. The government says it will impose reasonable regulatory requirements on CII owners, and harmonise current sector-specific regulations with the cyber security bill.

No matter how much effort is invested in drafting the legislative bill, there is no “one size fits all” solution to cyber security, as critical information infrastructure varies in its importance. There are also questions on how small and mid-sized companies – many of which provide services to CII owners – would be affected by cyber attacks. Some software vendors and cloud service providers operate internationally, and it is not clear how the bill would affect them. Perhaps the bill can give more leeway to the commissioner of the Cyber Security Agency in carrying out his work.

The real benefit of the bill is to enable regulations designed for the needs of individual sectors. It could spur Singapore to develop innovative risk management solutions by using the expertise of insurance and information security firms in a cost-effective way. That would ease CII owners' regulatory burden and provide them with prevention measures and post-breach recovery plans.

Indeed, passing the bill into law could help Singapore to develop a robust cyber security system and risk management industry. The success of the bill hinges on whether it enables business solutions to enhance cyber security.

About the author

Dr Shaun Wang is Professor of Actuarial Science and Director of the Insurance Risk and Finance Research Center (IRFRC) at Nanyang Business School, NTU Singapore.

This commentary was published in The Straits Times on 10 August 2017.