Why boards need a playbook to respond to cyber incidents
Listed companies are required to have adequate and effective systems of internal controls and risk management systems
ORGANISATIONS of all sizes are increasingly exposed to cyberattacks that are becoming more frequent, sophisticated and well-coordinated. The rise of generative artificial intelligence (AI) has intensified these risks by making phishing lures more convincing, enabling deepfake impersonation of executives and staff, and automating parts of the attack chain.
The Singapore Exchange (SGX) requires that listed issuers treat cybersecurity as a board-governed risk with disclosure consequences. Good practice demands that the board of a listed company, typically through the audit committee, implement a robust cyber risk governance framework and incident response plan.
Cyber risk oversight
Listed companies are required to have adequate and effective systems of internal controls and risk management systems, including financial, operational, compliance and information technology (IT) controls.
An effective, independent and adequately resourced internal audit function must be maintained on an ongoing basis. The board should determine the nature and extent of the significant risks that the company is willing to take, and disclose in the company’s annual report that it has received appropriate management assurance.
Applying these principles in practice, boards should develop a playbook on managing cyber risks. This could include an enterprise-wide cyber risk framework, tested incident response and business continuity plans, cyber insurance coverage calibrated to risk, and periodic independent assurance over cyber controls and disclosure controls.
To effectively mitigate risk, Singapore businesses should maintain vigilant oversight of the rapidly changing threat landscape.
In 2025, a cyber security breach exposed the personal data of close to six million Qantas customers after a Salesforce-hosted customer service platform used by the airline was targeted. Attackers posed as staff over the phone (“vishing”) to trick employees into granting them unauthorised access to the data.
This incident highlights that protecting against cyber risks requires not only advanced IT infrastructure but also a workforce that is trained to safeguard these systems.
Last year, a ransomware attack on Toppan Next Tech, a Singapore printing vendor, compromised the data of customers of two banks here, DBS and Bank of China.
This underscores the critical need for rigorous oversight of third-party vendors entrusted with enterprise data. The leakage of confidential customer information not only undermines customer trust and damages an enterprise’s reputation but may also lead to legal repercussions.
Market disclosure obligations
A listed company must announce, via SGXNet, any information necessary to avoid a false market in its securities or that would be likely to materially affect the price or value of its securities.
When a cyber incident occurs, a listed company must assess the materiality of the incident, including the financial impact arising from it. If the cyber incident is material and warrants an announcement, it must be made in a timely manner.
This obligation is given statutory backing under the Securities and Futures Act 2001.
Examples of cybersecurity incidents that may materially affect the price or value of a company’s securities include disruptions to its operations, exfiltration of sensitive or confidential data, or system outages that threaten financial performance or going concern.
The content of the announcement is as important as its timing. The extent of information that should be disclosed would depend on the materiality of the incident. To reduce reputational risk from a cyber incident, companies should verify incident details and plan clear, timely communications to other stakeholders, which include their customers and shareholders.
Having ready-made communication templates tailored to specific scenarios can help a company manage messaging quickly during a cyber incident. These resources save time by eliminating the need to create and approve new messages, allowing faster communication with stakeholders.
As a result, stakeholders feel more confident in the company’s capability to handle and resolve cyber issues efficiently. The SID Cyber Resilience Guide for Boards in Singapore (2025) outlines a structured eight-step framework for integrating cyber resilience into corporate governance and strategies.
Entities governed by the Personal Data Protection Act 2012 must also be mindful of their obligations to notify data breaches to the Personal Data Protection Commission Singapore and/or affected individuals (where required).
Further, listed groups offering financial, cloud or data centre services may be subject to notification requirements to the appropriate sectoral regulators.
To pay or not to pay
Singapore’s position is that the payment of ransoms to cyber attackers is strongly discouraged.
Although paying a ransom is not legally prohibited, doing so after an attack does not guarantee that the encrypted data will be restored or that the stolen data will be kept private by the attackers. In fact, organisations that have paid ransoms before may be seen as “soft” targets and could face repeated attacks.
Half of Singapore companies paid the ransom to get their data back, compared to 63 per cent in 2024, according to a Sophos survey of firms in the first quarter of 2025. The research found that Singapore companies paid a median of US$365,565 in 2025, down from US$760,000 in 2024. Ransomware remains a major threat to Singapore organisations.
Boards must ensure that internal controls explicitly address IT risks and that disclosure controls can handle fast-moving cyber crises. Doing so turns a compliance burden into a governance asset when – not if – the next incident occurs.
The writer is a former member of the Accreditation and Professional Development Committee of the Singapore Institute of Directors.
Copyright SPH Media. All rights reserved.