All businesses are concerned with whether their revenue and custom will continue during a crisis.

When their services (especially those involving technology) depend on third-party suppliers, businesses should also think about their own ability to deliver.

Questions that business managers will be agonising over during a crisis include:

Will our

On 4 November 2019, Singapore’s Parliament published a draft amendment to the Banking Act.

Under the amendment, all banks will be required to evaluate the ability of their service providers (whether these be a branch or office, or an external party) to:

(a) safeguard the confidentiality and integrity, and ensure the availability, of the banks’ information; and

(b) protect all customer information against unauthorised disclosure, retention, or use.

Where the service provider is a branch or office of the bank, specific provisions covering the above must be included in the branch or office’s policies and procedures.

Where the service provider is an external party, however, then the relevant provisions must be included in the contract between the bank and the provider.

Such policies and procedures, or contract, as the case may be, must also confer on the bank, the regulator (the Monetary Authority of Singapore or MAS), or an auditor appointed by the bank, the right to audit the books of the service provider to ensure that the above requirements have been complied with.
Continue Reading New requirements for Singapore banks to include provisions in service contracts on protection of customer data

An international cybersecurity advisory panel formed by the Monetary Authority of Singapore (MAS) has recommended that all financial institutions in Singapore ensure that data stored on the public cloud is kept secure, and that they perform cybersecurity risk assessments on their third-party providers.

These proposals were raised at the panel’s second annual meeting, after its members had met with representatives from the Standing Committee on Cyber Security from the Association of Banks in Singapore, Life Insurance Association Singapore and General Insurance Association of Singapore.

The panel also noted that financial institutions were making increasing use of application programming interfaces (APIs) to build software and applications. As greater use of such APIs could increase exposure to cyber threats, the panel suggested specific ways in which the institutions should address that risk; for instance:

  • conducting “red-teaming” cyberattack simulations
  • securing network connections with any third party providers
  • monitoring for any suspicious cyber activity.

Continue Reading Monetary Authority of Singapore panel urges financial institutions to adopt cybersecurity measures

Earlier this month, the UK Department of Health and Social Care published an initial Code of Conduct for data-driven health and care technology. The code builds on the Department for Digital, Culture, Media and Sport’s Data Ethics Framework.

The code encourages the United Kingdom’s health and care system to form partnerships with suppliers of data-driven technologies, in order to deliver improved health care and position the United Kingdom as a “great place to do business on technology”.

Four key stakeholder groups are identified by the code: patients and citizens, health and care professionals, commissioners, and innovators. The code aims to meet the “most important need” of each of these groups, namely those experiencing improved care, those delivering better care, those providing services that better meet users’ needs, and those working to make the United Kingdom a centre for innovation.
Continue Reading UK Code of Conduct for data-driven health and care technology

A recent study conducted by researchers at the University of Piraeus, published in the Institute of Electrical and Electronics Engineers’ Access journal (29 January 2018), has indicated that many popular health apps have significant privacy and cybersecurity failings; many of them do not follow standard practices and will not comply with the upcoming General Data Protection Regulation (GDPR). This means that a large number of mobile health apps are jeopardizing the privacy of millions of users.

Mobile health apps

In the last few years there has been a substantial growth in mobile health apps and the ‘connected health’ model, which aims to achieve flexible, effective and affordable healthcare services by using connected technology that offers better records management, information access and increased diagnostic capabilities. This is also known as ‘smart health’. Many healthcare professionals are shifting to mobile apps for easier communication with their patients, increased productivity and improved health management capabilities.
Continue Reading Study identifies cybersecurity and privacy shortcomings in health apps

The EU Commission continues to show its support and investment in new technologies in the digital economy. On February 1, 2018, the Commission and the European Parliament launched the EU Blockchain Observatory and Forum, and earlier this month, the Commission also unveiled its FinTech Action Plan.

The Blockchain Observatory

The observatory is designed to be a comprehensive repository of blockchain expertise and a source of innovation and development. It brings together policymakers, technology experts, regulators, businesses and users with the goal of building on the new opportunities offered by blockchain technology. The initiative forms part of the drive towards the digital single market, a Commission strategy to boost e-commerce, modernize regulations and promote the digital economy. The observatory also aims to support the interoperability of blockchain, which is the ability of computer systems and software to exchange and utilize information without restrictions. It also seeks to address the varied challenges in the blockchain ecosystem, such as trust, compliance, security and traceability by design, among other issues.

The EU Commission has also called for a feasibility study on the opportunity of an EU blockchain infrastructure, with tenders closed in January. The study will research the opportunity, benefits and challenges of an enabling framework supporting blockchain-based services, and whether EU services could run on such an infrastructure.
Continue Reading European Commission outlines blockchain development plans, calls for a feasibility study and unveils FinTech Action Plan.

On June 21, 2016, the FAA issued its long-awaited regulations governing “Small Unmanned Aircraft,” or drone operation. The regulations allow the use of drones weighing less than 55 pounds, traveling less than 100 mph groundspeed, and up to 400 feet above the ground, for a wide variety of purposes during daylight hours. The regulations allow

In a sign of the continuing significance of the U.S. Supreme Court’s recent ruling in Spokeo v. Robins, 136 S. Ct. 1540 (May 24, 2016), another federal court has cited that ruling in dismissing claims for lack of Article III standing. In Gubula v. Time Warner Cable, Inc., No. 15-cv-1078 (E.D. Wis. June

Responding to the increasingly significant threats to customer payment information, the Payment Card Industry Security Standards Council (‘PCI SSC’) has published an update to its data security standard (‘PCI DSS’). Version 3.2 seeks to protect cardholder data by introducing:
Continue Reading PCI Council Reacts Again to Data Security Threats

Ever since the Target and Home Depot breaches were traced to intrusions at their vendors, the management of cybersecurity at third-party vendors has been a focus of companies and regulators. The FTC has flagged the issue, as has the SEC. The DoD has imposed strict cybersecurity requirements for contractors that “flow down” to sub-contractors.

But despite an increasing focus on the full lifecycle of third-party risk management, vendor incidents continue to represent a high percentage of reported data breaches. According to a March 2016 Ponemon Institute report, 49 percent of survey respondents indicated that their organization experienced a data breach caused by a vendor.
Continue Reading Are You Prepared for Your Vendor’s Data Breach?