SGX RegCo Publishes Cyber Incident Response Guide For SGX-Listed Companies

Published date: 30 November 2022
Subject Matter: Finance and Banking, Corporate/Commercial Law, Privacy, Financial Services, Listing Rules & Flotation, Corporate and Company Law, Data Protection
Law Firm: Rajah & Tann
Author: Mr Abdul Jabbar Bin Karam Din, Rajesh Sreenivasan, Steve Tan, Benjamin Cheong, Lionel Tan, Tanya Tang and Wong Onn Chee

Executive Summary

In October 2022, the Singapore Exchange Regulation ("SGX RegCo") published the Cyber Incident Response Guide ("Guide") to provide guidance on best practices that help issuers listed on the Singapore Exchange Securities Trading Limited ("SGX-ST") as well as the SGX members (collectively "Companies") strengthen their cyber risk management strategies and practices. The Guide sets out considerations and good practices that Companies can refer to when preparing and operationalising their own cyber incident response plans, adapting them as necessary to meet their own requirements.

Although the Guide does not aim to prescribe a set of standards that all Companies should adopt, it is an indication of the impact a cyber incident can have on Companies and provides a perspective on the emphasis of SGX RegCo on Companies' preparedness and response to cyber risks and incidents. Companies should promptly assess whether their existing internal policies and plans deal with cyber risks and cyber incidents, and if so, whether such policies and plans meet the SGX RegCo's expectations set out in the Guide.

Key Features of the Guide

The Guide outlines suggestions for the Companies in addressing the following key issues so that they can establish a robust cyber incident response plan.

(1) Cyber crisis management structure: Establishing the following teams that can be activated in the event of a cyber incident:

  1. Crisis Management Team ("CMT") that comprises senior management (including C-suite executives and Heads of Departments of all relevant functions) and is responsible for key decision-making during a cyber incident; and/or
  2. Cyber Incident Response Team ("Cyber IRT") that comprises key representatives from all relevant functions and is responsible for, among other things, developing, maintaining and executing a company's cyber incident response plans and any key decisions made by the CMT.

    The Guide sets out a sample of the composition of a Cyber IRT and its members' roles and responsibilities.

(2) CMT / Cyber IRT activation: Adopting a structured approach in classifying cyber incidents to determine when the CMT and the board of directors of the Companies should be activated, and setting out the process for the activation of the CMT and the Cyber IRT.

(3) CMT milestones and timelines: Determining common milestones for updates to the CMT for each cyber scenario, and the Cyber IRT members...
