Singapore Insurance Regulator’s Revised Expectations For Licensed Insurers Regarding Notification Of Data Breaches

Singapore’s insurance regulator (the Monetary Authority of Singapore (“MAS”)) has, in a circular of 22 February 2023 (“MAS Circular ID 03/23”), issued its revised expectations for licensed insurers regarding notification of data breaches to the MAS.

MAS Circular ID 03/23 supersedes MAS Circular No. ID 10/14 in which the latter relates to a licensed insurer’s notification to the MAS on events of significant impact such as loss of customer data.

Prior to the issuance of MAS Circular ID 03/23, Singapore’s Personal Data Protection Act 2012 (“PDPA”) was amended to introduce, among other things, mandatory data breach notification requirements for organisations in Singapore. The Personal Data Protection (Notification of Data Breach) Regulations 2021 was subsequently issued and specified the types of data breaches notifiable to Singapore’s data protection regulator (the Personal Data Protection Commission (“PDPC”).

Before going into detail on the categories of data breaches covered by MAS Circular ID 03/23, it would be appropriate at this juncture to generally describe what these categories are under the PDPA and the relevant MAS notices and guidelines:

CATEGORY A: Notifiable Data Breaches under the PDPA

These are data breaches that are:

• likely to result in significant harm to the affected individuals; or
• of a significant scale (i.e., affects ≥ 500 individuals)

Timeframe for notification to the PDPC: as soon as practicable but no later than 3 calendar days after determining that the data breach is notifiable.

CATEGORY B: Data Breaches which meet the criteria under MAS Notice on Technology Risk Management (“MAS Notice 127”)

These refer to system malfunctions or IT security incidents which have a severe and widespread impact on the insurer’s operations or materially impacts the insurer’s service to its customers.

Timeframe for notification to the MAS: As soon as possible but no later than 1 hour upon discovery.

CATEGORY C: Data Breaches which meet the MAS Guidelines on Outsourcing

These refer to any adverse development arising from an insurer’s outsourcing arrangements that could impact it. Such adverse developments include any event that could potentially lead to prolonged service failure or disruption in the outsourcing arrangement, or any breach of security and confidentiality of the insurer’s customer information.

Timeframe for notification to the MAS: As soon as possible.

CATEGORY D: Other Data Breaches outside the above categories (A), (B) or (C)

Going forward, in view of the introduction of the mandatory data breach notification requirements and types of notifiable data breach under the PDPA, the MAS’s revised expectations for licensed insurers concerning notification of data breaches to the MAS are as follows:

1. The MAS should be concurrently notified of data breaches that are required to be notified to the PDPC (i.e., Category A above)
2. The MAS should be notified of data breaches that meet the criteria under MAS Notice 127 and the MAS Guidelines on Outsourcing (i.e., Categories B and C above) in accordance with the timeframes stipulated in such notice and guidelines.
3. For data breaches falling outside Categories A, B and C, the MAS should be notified of them on a consolidated basis, within 3 weeks from the last day of each quarter commencing Q1 2023. Data breaches to be included should be those identified during the quarter regardless of whether they had occurred during or before the quarter. Additionally, for each data breach the notification should contain on a best effort basis:
4. 1. a description of the incident and how it was discovered;
5. 2. an analysis of the root cause of the incident and the key control deficiencies;
6. 3. an assessment of the impact of the incident (e.g., number of customers affected, financial and non-financial impact);
7. 4. a description of the remedial measures taken to manage the incident, including the extent of service recovery performed or the insurer’s reasons for deciding not to perform service recovery; and
8. 5. a description of the controls to be implemented to prevent occurrence of similar incidents.

If there are updates to any of the details in the above paragraph (c) after the initial notification of the data breach, these should be provided together with the subsequent quarter’s notification to the MAS.

Data breaches have been on the rise and have resulted in millions of records exposed in each breach. In this regard and in view of the recent MAS Circular ID 03/23, insurers in Singapore should have a robust data breach response plan in place to deal with a data breach or a cyber attack.

To discuss what this latest development may mean to you, or should you require any assistance to prepare a well-defined and managed approach to dealing with a data breach before it happens, please feel free to reach out to the authors below.