There has never been a better time to be in the governance, risk and compliance (GRC) sector, given how quickly cybersecurity regulation is changing. In Europe, the UK plans to pass a new Cyber Security and Resilience Bill to update the existing Network and Information Security (NIS) regulations first passed in 2018. The EU has already adopted NIS2, which brings additional critical infrastructure services into scope.
Meanwhile, in Asia, Malaysia has passed its own Cybersecurity Bill, creating a National Cyber Security Committee that imposes cybersecurity requirements and a Code of Practice on national critical information infrastructure. It largely mirrors Singapore's Cybersecurity Act, which was itself expanded in May 2024 to reflect how critical information infrastructure (CII) has increasingly moved into cloud and virtualized environments.
All these herald challenges for enterprises, especially global ones, as they seek to update their cybersecurity compliance to be in line with the sweep of legislative changes slated to be rolled out by many more countries over the next few years.
However, these legislative measures vary in their enforcement powers and standards. Some of the stricter ones are highlighted as follows:
NIS2
The penalty structure of NIS2 resembles that of the GDPR: non-compliance can result in fines up to a fixed amount or a percentage of annual worldwide turnover, whichever is higher. To recap:

Types of Entities | Fines Under NIS2
---|---
Essential Entities | 10 mil EUR or 2% of total annual worldwide turnover, whichever is higher
Important Entities | 7 mil EUR or 1.4% of total annual worldwide turnover, whichever is higher
Singapore’s Cybersecurity Act
In Section 18D of the Cybersecurity (Amendment) Bill:
18D.—(1) The Commissioner may by notice given in the prescribed form and manner, require the entity of special cybersecurity interest to furnish, within a reasonable period specified in the notice, the following:
(a) information on the design, configuration and security of the system of special cybersecurity interest;
(b) any other information that the Commissioner may require in order to ascertain the level of cybersecurity of the system of special cybersecurity interest.
(2) Any entity of special cybersecurity interest who, without reasonable excuse, fails to comply with a notice mentioned in subsection (1) shall be guilty of an offense and shall be liable on conviction to a fine not exceeding the greater of $200,000 or 10 percent of the annual turnover of the person’s business in Singapore and, in the case of a continuing offense, to a further fine not exceeding $5,000 for every day or part of a day during which the offense continues after conviction.
The penalties in Section 18D(2) also apply to several other breaches under the bill, such as failing to report cybersecurity incidents (Section 18M), or failing to comply with the Commissioner's written directions to meet cybersecurity technical standards or to furnish proof of the action a CII owner will take in relation to a cybersecurity threat (Section 18L).
Losses Not Always Possible to Quantify
Governments favour financial penalties for non-compliance with cybersecurity standards in essential industries because they directly target the bottom line of companies operating essential services and critical infrastructure. Such legislation is also a reaction to the fact that typical internal risk assessments do not adequately cover the non-quantifiable consequences of cybersecurity incidents that governments care most about: a nation's reputation for conducting safe digital business, or, in environments such as operational technology, cyber risk that crosses into the physical world as a statistical probability of loss of life, or a near miss.
But GRC specialists, answerable either to their employer (in-house) or to their clients (in consultancies), struggle to express the impact of such risks in business terms: loss of life cannot simply be captured by an annual loss expectancy (ALE) and exposure factor (EF) figure, and trust in a nation-state's ability to conduct safe digital business lies beyond the scope of the entity being assessed.
From a micro-economics perspective, cybersecurity can arguably be seen as a market failure requiring government intervention, because private enterprises have no incentive to produce a "socially optimal" amount of cybersecurity unless regulation forces them to. But this is not entirely true either: there is precedent for self-regulation delivering robust cybersecurity measures in the payments industry, namely PCI-DSS, which was driven by industry and not by government.
One reason PCI-DSS succeeded is that its stakeholders looked beyond individual firms' risk of fraudulent credit card transactions and recognised that cybersecurity is an externality that requires correction.
One way to nurture such cooperative environments is through collaboration across industry partners, with a tacit agreement that a cybersecurity attack on one firm is essentially an attack on confidence across the entire industry. For instance, a successful takedown of a stock exchange in one country would naturally raise questions of confidence in other stock exchanges around the world. Industry leaders can come together in forums where best cybersecurity practices are shared, such as the various Information Sharing and Analysis Centres (ISACs); examples include OT-ISAC for the operational technology space and FS-ISAC for the financial sector.
The micro-economics perspective on cyber risk at the ecosystem level is rarely discussed, because governments increasingly rely on compliance-based measures to enforce cybersecurity except in select industries. However, cybersecurity risk is a subset of business and operational risk. This requires GRC practitioners like us not only to interpret legislation but to translate it into business impact, so that business leaders understand that cybersecurity goes beyond simply instituting controls. It also requires us to uplift the industry through thought leadership, so that collaborative efforts in cybersecurity can address alleged market failures before "compliance by checkbox" takes over.