Singapore: COVID-19 & Corporate Governance: Telecommuting, Meetings and Security during the New Normal

By Sandra Seah, Jonathan Kao, Loren Leung, Chelsea Chan, Jeremy Tan

04-2020

With the disruption and uncertainty caused by COVID-19, organisations need to be aware of the heightened cybersecurity risks and take measures to protect their organisation and workforce while working remotely.

Amidst the disruption to everyday life and regular business practices brought about by COVID-19, conditions are ripe for abuse and attack by cyber criminals. Authorities and security researchers in various jurisdictions have reported a surge in cyber-crime during the current COVID-19 situation (see our article Cybersecurity Update: COVID-19). Of particular concern are reports of highly sophisticated and targeted spear-phishing attacks on organisations in badly affected industries like oil production. These attacks stood out for their familiarity with and knowledge of ongoing projects and players, as well as for having few of the grammatical errors and little of the sloppiness typical of similar attacks – making the attacks difficult to identify and respond to. Other common attacks have taken advantage of the COVID-19 situation by posing as government or health authorities (such as sending emails pretending to be from the World Health Organization which contain malicious links and/or request certain information) or purporting to share information about COVID-19 or confirmed cases of COVID-19.

Organisations and their officers need to be cognizant of the heightened cyber risks during this period when most, if not all, of their workforce is working remotely, often without the full protection of corporate firewalls and other security measures. The immediate risks of direct financial loss, data breaches and reputational damage are often readily understood by organisations; it is perhaps more difficult to appreciate the potential impact of a seemingly minor probe or breach today which may set the stage for a full attack later (such as credential harvesting, privilege escalation and advanced persistent threats). It is not uncommon for the impact of an attack to be fully felt only long after the initial attack, for example where sensitive data (such as personal data, trade secrets or confidential communications) has been exfiltrated and is further exploited (such as when made available for sale on the dark web or used for ransom or blackmail), or for these attacks to be part of a broader campaign taking the attackers one step closer to the organisation’s customers, contacts and even the industry at large.

As organisations settle in for an extended circuit breaker period in Singapore, corporate officers still need to exercise effective control and management of the business while also discharging their duty to manage the risks, including cybersecurity risks, faced by their organisations. Organisations that have not done so should take this time to conduct an impact assessment of their remote working practices against data protection or other risk management policies. Even if organisations have done an impact assessment prior to implementing remote working, it is important to continually monitor and review their remote working practices and how meetings are conducted.

Virtual meetings have come under intense scrutiny recently. Virtual meeting solutions and instant messengers are almost essential tools for businesses during this period, but with the many solutions available, organisations need to be familiar with the settings for each solution to ensure that there are no unauthorised users/attendees (or meeting "bombing"), that motions can be properly discussed, considered and voted on, and that there will not be any unintended disclosures of information. Where possible, organisations should follow the general guidance of using multiple independent channels or factors to conduct verification, whether of identities, votes or instructions.

While it would be challenging to implement a sweeping overhaul of an organisation’s infrastructure and practices during this period, organisations can use this opportunity to plan for any improvements once regular business resumes. In any event, we recommend that organisations develop at least some basic rules on remote working and access to company systems that can and should be implemented as a matter of priority while the pandemic remains. Organisations can take guidance from advisories and guides published by national authorities and various professional cybersecurity and defense organisations. In Singapore, the Cyber Security Agency of Singapore and the Singapore Computer Emergency Response Team have published articles and advisories on how companies can bring their operations online as well as how they and their employees can remain safe while working remotely.

We set out below some pointers and good practices to raise organisations' cyber safety.

Remote working

  • Choose reputable solutions providers to host the online business or facilitate remote working arrangements. Exercise caution when considering “free” solutions or free tiers that may not offer appropriate data protection or security measures for business use.
  • Users should only connect to secure Wi-Fi networks and send important information through a VPN where appropriate.
  • Where possible, users should only use secured work devices to access company systems and information, and should not access or store company information on personal devices.
  • Home routers should be up-to-date with firmware updates and patches, and default passwords should be changed.
  • Users should be aware of their surroundings while working remotely even at home. Mute microphones and cover cameras of the user’s device and other nearby devices when not in use. Lock screens even if the user is away for a short while.
  • Software on VPN, network infrastructure and endpoint devices (such as user devices) should be kept up-to-date.
  • Multi-factor authentication should be enabled for VPN and other remote access or virtualisation solutions.
  • Monitor network and resource usage for anomalies and to manage usage.
  • Impose strict security policies such as frequency of change and strength of passwords, as well as the use of multi-factor authentication.
  • Regularly check account privileges, and privileged domain and local system accounts.
  • Continually review risk and impact assessments while working remotely.
  • Ensure that all employees are aware of the risk of cyber attacks and are provided with sufficient training and practical guidance on how to protect against and recognise cyber threats (e.g. phishing emails).
  • Incident response and contingency plans should take into account remote working arrangements and be deployable while working remotely.

(See also our article Singapore Introduces Cybersecurity Labelling Scheme)

Communications

  • Be wary of COVID-19 themed emails requesting sensitive information.
  • Exercise caution when using the same application for personal and business communications to avoid unintended disclosures of information.
  • Be aware that many applications intended for personal use may not offer the level of security and protection appropriate for business use.
  • Take additional steps to verify information and identities, especially when sensitive information is involved. Do not rely on caller ID or on particulars in the email or communication when verifying the identity of the sender; use an independent means for identity verification.

Electronic Signing

  • Keep up-to-date with guidance and advisories from various regulators and authorities as well as legislative developments on the requirements for signing, witnessing, commissioning and notarization of documents, or conclusion of transactions and contracts electronically.
  • Check on the requirements for all parties as well as the jurisdictions in which the relevant document will be used or relied upon.
  • Maintain detailed records of all signings and where possible take additional steps to verify the document has been validly signed or entered into. Most jurisdictions with statutory recognition of electronic signing or transactions require that the identity and intention of the signatory can be established and that the method used is reliable.

(See also our article Signing by Email and other virtual means (including NSW amendments on 22 April) in Australia)

Meetings and Voting

  • Keep up-to-date with guidance and advisories from various regulators and authorities as well as legislative developments on the requirements for the conduct of corporate meetings.
  • Download software from the provider’s official website or the organisation’s internal distribution platform, and install updates or patches when available.
  • Secure and restrict access to meetings using passwords, user registration, unique IDs for each meeting, and limiting the distribution of meeting particulars.
  • Monitor the participant list, verify the identities of each participant and remove unknown participants.
  • Only enable file-sharing or recording functions if needed.
  • Exercise caution when using screen-sharing functions to avoid unintended disclosures of information.
  • If voting needs to be conducted, ensure that functionality is reliable, and user identities and votes can be verified.
  • Where documents to be laid before the meeting are transmitted electronically via e-mail, ensure an updated e-mail address is provided and that the documents are password protected.

(See also our articles COVID-19: Alternative Arrangements for Meetings for SGX Listed Companies and COVID-19: Holding shareholders’ meetings for private limited companies in Singapore during elevated safe distancing period)

This article is produced by our Singapore office, Bird & Bird ATMD LLP, and does not constitute legal advice. It is intended to provide general information only. Please note that the information in this article is accurate as at 29 April 2020. We will continue to monitor the situation and provide updates on any changes as soon as these are communicated to us. Please contact our lawyers if you have any specific queries.