Singapore’s insurance regulator (the Monetary Authority of Singapore (“MAS”)) has, in a circular of 22 February 2023 (“MAS Circular ID 03/23”), issued its revised expectations for licensed insurers regarding notification of data breaches to the MAS.
MAS Circular ID 03/23 supersedes MAS Circular No. ID 10/14, which related to a licensed insurer’s notification to the MAS of events of significant impact, such as loss of customer data.
Prior to the issuance of MAS Circular ID 03/23, Singapore’s Personal Data Protection Act 2012 (“PDPA”) was amended to introduce, among other things, mandatory data breach notification requirements for organisations in Singapore. The Personal Data Protection (Notification of Data Breach) Regulations 2021 were subsequently issued and specified the types of data breaches notifiable to Singapore’s data protection regulator (the Personal Data Protection Commission (“PDPC”)).
Before going into detail on the categories of data breaches covered by MAS Circular ID 03/23, it would be appropriate at this juncture to generally describe what these categories are under the PDPA and the relevant MAS notices and guidelines:
CATEGORY A: Notifiable Data Breaches under the PDPA
These are data breaches that are:
Timeframe for notification to the PDPC: as soon as practicable but no later than 3 calendar days after determining that the data breach is notifiable.
CATEGORY B: Data Breaches which meet the criteria under MAS Notice on Technology Risk Management (“MAS Notice 127”)
These refer to system malfunctions or IT security incidents which have a severe and widespread impact on the insurer’s operations or which materially impact the insurer’s service to its customers.
Timeframe for notification to the MAS: As soon as possible but no later than 1 hour upon discovery.
CATEGORY C: Data Breaches which meet the MAS Guidelines on Outsourcing
These refer to any adverse development arising from an insurer’s outsourcing arrangements that could impact the insurer. Such adverse developments include any event that could potentially lead to prolonged service failure or disruption in the outsourcing arrangement, or any breach of the security and confidentiality of the insurer’s customer information.
Timeframe for notification to the MAS: As soon as possible.
CATEGORY D: Other Data Breaches outside the above categories (A), (B) or (C)
Going forward, in view of the introduction of the mandatory data breach notification requirements and types of notifiable data breach under the PDPA, the MAS’s revised expectations for licensed insurers concerning notification of data breaches to the MAS are as follows:
If there are updates to any of the details in paragraph (c) above after the initial notification of the data breach, these should be provided together with the subsequent quarter’s notification to the MAS.
Data breaches have been on the rise, with individual breaches exposing millions of records. In this regard, and in view of the recent MAS Circular ID 03/23, insurers in Singapore should have a robust data breach response plan in place to deal with a data breach or a cyber attack.
To discuss what this latest development may mean to you, or should you require any assistance to prepare a well-defined and managed approach to dealing with a data breach before it happens, please feel free to reach out to the authors below.