Beyond the breach: Legal risks following cyber incidents – Opinion
Source: Business Times
Article Date: 26 Mar 2026
Author: Leow Jiamin
Getting hacked is troubling enough. But for many, the greater challenge starts after the attack.
Imagine this: Your company’s e-mail server has been hacked, and commercially valuable and sensitive data is now in the hands of unknown attackers.
In the aftermath, you spend weeks addressing regulators’ queries and board concerns, while efforts to restore system integrity further disrupt business continuity. Then, a legal claim from an affected customer arrives.
Data exfiltration is one of many common cyberattacks that catch organisations off guard. While the financial and reputational damage caused by such incidents is widely acknowledged, fewer realise that they also expose the victim organisation to legal liability.
These four real-world scenarios illustrate how cyber incidents can unexpectedly lead to legal risk and exposure.
When data breaches lead to customers’ losses: When a business’ system is hacked, and its customers’ data – such as names, contact details and payment information – is leaked and shared on the dark Web, both the firm and its customers are victims.
Customers who suffer loss or damage may look to the organisation that collected and held their personal data for answers or redress.
Under Singapore law, individuals may seek compensation from organisations for loss or damage arising directly from a data breach. The court has recognised that, to support a claim, such harm may also include emotional distress arising from one’s personal information being exposed.
When your IT provider is hacked, but the consequences reach you: Many organisations rely on third-party software or external IT service providers to manage their data and business systems. When those vendors suffer a security breach, customers’ entrusted data is at risk.
Even if the breach arises from the vendor’s lapse, customers may still turn to the organisation that collected their data for answers on what happened and how the harm will be addressed.
This reflects a broader reality of today’s digital ecosystem. Vulnerabilities in interconnected systems can have consequences across multiple organisations in the supply chain.
When you paid the wrong party, and still owe the real one: You receive what looks like a routine e-mail from a long-term supplier, requesting an update to its bank details for an upcoming payment. You proceed with a transfer to the new account.
Weeks later, your supplier demands payment. It turns out you’ve fallen prey to a phishing scam by someone impersonating the supplier.
Such scams are among the fastest-growing forms of cybercrime, and they target individuals and large organisations.
In such situations, the law generally regards the sum paid to the scammer as still being owed to the supplier, as it was not transferred to the supplier’s bank account. The organisation therefore suffers a loss from the scam while still needing to resolve the outstanding payment dispute with its supplier.
When your systems are used to harm others: Cybercriminals may also exploit your network to target others, sending scam messages, spreading malware or using stolen information to deceive your customers or business partners.
If others suffer financial losses as a result, questions may arise about whether adequate cybersecurity measures were in place. While the organisation itself may have been the victim of the cyberattack, the wider harm caused by the compromised systems can still lead to scrutiny and potential legal exposure.
The risk grows as digital systems become more interconnected across clients, vendors and partners.
Preparing before something goes wrong
Cyber incidents can strike anytime, and organisations of all sizes could be affected. Here are practical steps to mitigate the risks.
Know your obligations in respect of personal data: Organisations that collect or store personal data in Singapore must comply with the Personal Data Protection Act, which imposes clear obligations to safeguard information.
Most importantly, limit the data you keep and protect what you must retain. Regularly audit the personal data your organisation holds and delete information that is not needed.
Conduct vendor due diligence: Before engaging vendors, conduct due diligence by seeking details about their security controls and incident response procedures.
Contracts should define responsibilities if a breach occurs, including notification obligations, incident management roles and cost allocation.
Train and test employees: Regard basic cyberhygiene as a non-negotiable practice across the organisation. Implement policies that require strong and unique passwords, and two-factor authentication.
Many cyber incidents begin with a simple human error, such as clicking a malicious link or responding to a fraudulent e-mail. Regular cybersecurity training and simulated phishing exercises can help employees recognise common threats and respond appropriately.
Set clear internal protocols: Implement clear internal procedures to manage sensitive information, control access to systems and report suspicious activity. These protocols, which can significantly reduce risk, should be communicated organisation-wide and reviewed regularly.
Have an incident response plan: The first few hours after a breach are critical. Organisations should have a plan for containing incidents, preserving evidence, and coordinating communication with stakeholders.
Consider cyber insurance: This can help cushion the financial impact of an incident. Consider whether the vendor should maintain adequate cyber insurance or whether your organisation should seek its own coverage. As coverage varies widely and exclusions are common, ensure that the policy coverage aligns with your organisation’s risks.
Cybersecurity is now a legal risk
Cyber incidents rarely affect only one party. A breach can disrupt business operations, expose commercially sensitive information, and affect customers and partners who rely on an organisation to safeguard their data.
In today’s hyperconnected digital environment, cybersecurity is not only a technical issue but also a governance and risk management concern.
When a breach could be a mere click away, the most responsible course to protect ourselves is to be prepared for it.
Source: The Business Times © SPH Media Limited. Permission required for reproduction.