The Monetary Authority of Singapore has issued a circular revising its expectations for being notified by licensed insurers when a data breach occurs.

MAS Issues Circular Revising Data Breach Notification Expectations for Licensed Insurers

Date
February 28, 2023
Author
OrionW

Data breach notifications became mandatory when the amended Personal Data Protection Act 2012 (PDPA) took effect in February 2021. Consequently, the Personal Data Protection (Notification of Data Breaches) Regulations 2021 (DBN Regulations) were issued, setting out the types of data breaches which trigger the notification requirements. In light of these regulatory changes, the Monetary Authority of Singapore (MAS) issued Circular No. ID 03/23 (Circular) on 22 February 2023 revising its notification expectations for licensed insurers that experience a data breach.

The Circular replaces Circular No. ID 10/14 on “Notification to the Monetary Authority of Singapore on Events of Significant Impact” dated 30 September 2014, which required a licensed insurer to notify MAS of any event which may have a significant impact on the insurer.

PDPA Mandatory Data Breach Notification Requirement

In general, under the PDPA and the DBN Regulations an organisation which suffers a data breach must notify the Personal Data Protection Commission (PDPC) if the data breach:

  • results or is likely to result in significant harm to affected individuals; or
  • is or is likely to be of a significant scale.

(For additional information regarding mandatory breach notifications, please see our article on the amendments to the PDPA.)

MAS’s Revised Expectations for Data Breach Notifications

Under the Circular, a licensed insurer must notify MAS about the occurrence of each of the following four types of data breach. For each type, the Circular sets out the characteristics of the breach and when MAS must be notified:

(a) Notifiable data breach under the PDPA and the DBN Regulations
  • Characteristics: a data breach which (i) results or is likely to result in significant harm to affected individuals; or (ii) is or is likely to be of a significant scale.
  • When to notify MAS: at the same time the licensed insurer notifies the PDPC, i.e., as soon as practicable, and in any case within 3 calendar days, after the breach is assessed to be notifiable.

(b) A ‘relevant incident’ under MAS Notice 127 on “Notice on Technology Risk Management” dated 21 June 2013
  • Characteristics: a system malfunction or IT security incident which has a severe or widespread impact on the insurer’s operations or materially impacts the insurer’s service to its customers.
  • When to notify MAS: as soon as possible, and in any case within 1 hour, upon discovery of the relevant incident.

(c) An adverse development under MAS’s Guidelines on Outsourcing
  • Characteristics: any adverse development arising from the insurer’s outsourcing arrangements that could impact the insurer, including a breach of the security and confidentiality of customer information.
  • When to notify MAS: as soon as possible upon the occurrence of the adverse development.

(d) All other data breaches, regardless of scope or impact (Other Data Breaches)
  • Characteristics: any data breach which does not fall under (a) to (c) above.
  • When to notify MAS: starting from Q1 2023, after the end of each calendar quarter in which the Other Data Breaches are discovered (whether or not they occurred during that calendar quarter). Notification to MAS is on a consolidated basis, i.e., all Other Data Breaches discovered in the quarter are reported together.

For Other Data Breaches, the notification to MAS should include, on a best efforts basis:

  • a description of the incident and its manner of discovery;
  • an analysis of the incident’s cause, including the key control deficiencies;
  • an assessment of the incident’s financial and non-financial impact (e.g., number of affected customers);
  • details of the remedial measures taken, including any service recovery performed (or the reasons for not performing it); and
  • details of future controls to prevent similar incidents.

Any updates to information previously provided to MAS in respect of Other Data Breaches should be submitted together with the quarterly notification for the following calendar quarter.

Key Takeaway

By issuing the Circular, MAS has made it clear that it takes data breaches seriously. Licensed insurers should be mindful of, and ensure that they have processes in place to comply with, MAS’s revised expectations regarding data breach notifications, particularly because they are more onerous than the requirements set out under the PDPA or previously issued MAS notices/guidelines.

For More Information

OrionW regularly advises clients on data protection matters. For more information on the Personal Data Protection Act 2012, or if you have questions about this article, please contact us at info@orionw.com.

Disclaimer: This article is for general information only and does not constitute legal advice.
