MAS Sets Out Revised Expectations for Notification of Data Breaches by Licensed Insurers - Lexology

Rajah & Tann Asia
Singapore March 14 2023
Introduction

Data breaches are a key concern for organisations, particularly in light of the increasing incidents of data leaks. As part of Singapore's regulatory framework to protect personal data, there are various requirements in place regarding notification of data breaches to the relevant authorities. For licensed insurers, which collect and hold large quantities of personal data, it is important to be aware of the applicable notification requirements and timelines.

On 22 February 2023, the Monetary Authority of Singapore ("MAS") issued Circular No. ID 03/23 – Notification of Data Breaches to the Monetary Authority of Singapore ("Circular 03/23"). Circular 03/23 sets out the revised expectations for licensed insurers regarding notifying MAS of data breaches. It replaces Circular No. ID 10/14 – Notification to the Monetary Authority of Singapore on Events of Significant Impact, which has been cancelled from 22 February 2023, the date Circular 03/23 came into effect.

Circular 03/23 sets out the data breaches that must be notified to MAS under the following categories:

Data breaches under the Personal Data Protection Act 2012 ("PDPA");
Data breaches that meet the criteria under MAS Notice 127 – Notice on Technology Risk Management ("Notice 127") and the MAS Guidelines on Outsourcing ("Outsourcing Guidelines"); and
Other data breaches.

This Update highlights the notification requirements, as well as the relevant timelines for notification, under Circular 03/23.

Summary

Circular 03/23 provides that data breaches are as defined in the PDPA:

the unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data; or
the loss of any storage medium or device on which personal data is stored in circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur.

The data breach notification requirements under Circular 03/23 are summarised in the table below, with further details provided in the subsequent sections.



Notification of PDPA Data Breaches

Circular 03/23 provides that, if a licensed insurer encounters a data breach that must be notified to the Personal Data Protection Commission ("PDPC") pursuant to the PDPA, they must concurrently notify MAS of such data breach.

Under the PDPA, a data breach must be notified to the PDPC if it:

is likely to result in significant harm to the individuals whose personal data is affected by the breach; or
is of a significant scale (not fewer than 500 individuals).

Once an organisation has credible grounds to believe that a data breach has occurred, it must take reasonable and expeditious steps to assess whether the data breach meets the criteria for notification. Where an organisation assesses that a data breach is notifiable, the organisation must notify the PDPC as soon as is practicable, but no later than three calendar days after the day the organisation makes that assessment.

Notification of Data Breaches under Notice 127 and Outsourcing Guidelines

Circular 03/23 provides that MAS should be notified of data breaches that meet the criteria under Notice 127 and the Outsourcing Guidelines, based on the timelines indicated within these instruments.

Notice 127

Under Notice 127, an insurer shall notify MAS as soon as possible, but not later than one hour, upon the discovery of a relevant incident. A relevant incident refers to a system malfunction or IT security incident, which has a severe and widespread impact on the insurer's operations or materially impacts the insurer's service to its customers.

Outsourcing Guidelines

Under the Outsourcing Guidelines, an institution should notify MAS as soon as possible of any adverse development arising from its outsourcing arrangements that could impact the institution. Such adverse developments include any breach of security and confidentiality of the institution's customer information. An institution should also notify MAS of such adverse development encountered within the institution's group.

Other Data Breaches

For data breaches that fall outside of the above categories, Circular 03/23 provides that MAS should be notified of them on a consolidated basis, within three weeks from the last day of each quarter starting from Q1 2023.

The notification should contain:

a description of the incident and how it was discovered;
an analysis of the root cause of the incident and the key control deficiencies;
an assessment of the impact of the incident (e.g. number of customers affected, financial and non-financial impact);
a description of the remedial measures taken to manage the incident, including the extent of service recovery performed or the insurer’s reasons for deciding not to perform service recovery; and
a description of the controls to be implemented to prevent occurrence of similar incidents.

Where there are updates to any of the above details, such updates should be provided together with the subsequent quarter's notification to MAS.

Concluding Words

Licensed insurers should take note of the various categories of data breaches that must be notified to MAS, as well as the relevant timelines for notification. Such institutions should assess their internal processes to ensure that they have protocols in place to comply with the notification requirements set out above.

Click on the links below for more information (accessible at the MAS website at www.mas.gov.sg):

Circular No. ID 03/23 – Notification of Data Breaches to the Monetary Authority of Singapore
Notice 127 – Notice on Technology Risk Management
MAS Guidelines on Outsourcing