Pre-Budget 2019 Perspectives - Cyber Security
Most company boards and senior management recognise that cyber security is one of the top five organisational risks. In KPMG’s 2018 Global CEO Outlook report, 49% of respondents say that becoming the victim of a cyber-attack is a case of “not ‘if’ but ‘when’”.
As Singapore becomes even more of a digital nation by adopting new and emerging technologies such as blockchain, cloud, IoT and robotic process automation (RPA), cyber-attacks will remain a significant risk. And with companies embarking on more digitalisation programmes, their digital footprints are increased tremendously, thereby increasing the surface area for cyber-attacks as well. However, there is still a huge gap between digital transformation and cyber security transformation. Digital transformation is much further ahead of cyber security transformation, as managing cyber risks is still often an afterthought.
The key challenge is that business owners want to quickly gain market share or competitive advantage by launching digital products and platforms ahead of their competitors. Security by design is often not a consideration, and instead gets left until the second phase of such launches or even later. Expertise is also still lacking in many sectors, especially in capabilities such as threat intelligence, cyber incident response, and cyber crisis management and recovery.
Ideally, organisations should have a holistic approach towards managing cyber risks. Having resources and the right technologies in place should be harmonised with the right processes and governance. Businesses should be encouraged to think about security by design right from the start when embarking on any digital transformation programme and/or project, while smaller or less mature companies could be provided with better guidance on standards and best practices that their businesses should embrace and adopt. The government can drive greater cyber security adoption by encouraging and assisting organisations to build up and sustain cyber security preparedness and long-term resilience.
A large aspect of being a Smart Nation is this resilience to cyber-attacks. Yet, managing cyber security remains largely an afterthought for many. This is especially dangerous as emerging technology and digitalisation do come with inherent cyber risks that can cripple entire economies.
Cyber security must become a priority for every organisation – a part and parcel of every business in every sector in Singapore. The following proposals can enable this to happen.
1. Enhance governance, risk management and vigilance.
Cyber security is a business risk. Therefore, organisations should be encouraged to enhance their cyber resilience through enhanced governance and risk management practices. To encourage the adoption of better cyber practices, the government could provide tiered tax concessions or rebates for corporations that undertake two or more of the following cyber risk management strategies, with increasing rebates provided for each additional strategy that is implemented:
- Setting up a combined “three lines of defence” (“3LoD”) structure to better delineate governance over cyber security operations, security strategy/policy, and security audit.
- Taking up cyber insurance to offset the financial impact of cyber-attacks.
- Conducting regular cyber crisis exercises to stress-test the resilience of systems and people to withstand cyber-attacks.
- Managing third-party cyber risks arising from the connected business ecosystem, including suppliers/vendors and business partners, through active monitoring and audit of third-party cyber risks.
- Engaging professional services that can provide specialist advice in areas such as cyber security design, implementation, testing, audit and review.
2. Build human capital.
With an increasing number of major cyber-attacks taking place in Asia, we need to go beyond upgrading existing cyber defence and response capabilities, to ensuring our people are equipped to take on such ever-evolving cyber threats:
- Encourage mandatory training for boards and senior management. This will help to increase their understanding of cyber threats and risk developments, and enable more informed decisions on the effectiveness of their cyber security programmes.
- Ensure availability of skilled resources to meet the growing demand for cyber security professionals by continuing with various existing funding and subsidies related to upskilling initiatives for at least another three years (e.g. TechSkills Accelerator, SkillsFuture, Company Led Training, and Cyber Security Associates and Technologists programmes).
3. Encourage investment in cyber security solutions across all sectors.
Organisations should be encouraged to invest in cyber security solutions such as monitoring and detection, to keep up with evolving cyber threats. Subsidies and cyber technology funding could be considered, with more funding for less mature sectors to build up their cyber security capabilities as they embark on digitalisation initiatives.
In December 2018, the Monetary Authority of Singapore (MAS) announced a $30 million grant to enhance cyber security capabilities for the financial sector. Moving forward, similar incentives/grants should be offered to other sectors (e.g. energy, water, healthcare, hospitality, retail, maritime, emergency, transportation) to level up their cyber security capabilities as well, with relevant government agencies encouraging these initiatives alongside the Cyber Security Agency (CSA):
- Funding of up to 70% for small and medium enterprises (SMEs) and up to 50% for others to develop cyber security related capabilities (e.g. cyber security readiness diagnostics, cyber defence, cyber assurance) in sectors undergoing digital transformation, especially CSA-identified “Critical Information Infrastructure” sectors, sectors identified by the Committee on the Future Economy and under the Industry Transformation Maps, as well as businesses setting up cyber security centres of excellence. Qualifying expenditure should include cyber security-related staff costs, training expenses and assurance-related expenses, as well as outsourced payments to Singapore-based service providers. For payments to foreign service providers, a reduced rate of 30% funding should be granted.
- Introduce automatic enhanced tax deductions on prescribed cyber security expenses (including training expenses and assurance-related expenses) (net of grants) so as to encourage pervasive adoption:
  - 250% tax deduction for local spending for prescribed expenses made to Singapore-based service providers/vendors.
  - 200% tax deduction for payments for prescribed expenses made to overseas service providers/vendors.
- Accord 250% enhanced tax allowance on capital expenditure on qualifying cyber security projects e.g. next-generation cyber defence capabilities.
- Enhance certainty of the R&D tax incentive scheme. This scheme provides 250% enhanced tax deduction on qualifying costs such as staff and outsourcing costs, as it includes development of new or enhanced technologies and solutions to strengthen corporate data governance and cyber security as pre-approved areas under the scheme.
- A concessionary tax rate of 5% on income derived from exportable cyber security and cyber insurance-related services to attract and anchor companies such as IBM in Singapore.