Multi-regulator incident response

Breach Playbook.

Coordinated escalation across MAS, PDPC and CSA. Who to call first, what to file, and the evidence pack you need at every stage from T+0 to T+30 days.

MAS — material cyber breach
1 hour

MAS TRM §15 · notify within 1 hour of confirming materiality

PDPC — notifiable personal data breach
3 days

≥500 individuals OR significant harm

CSA — CII compromise
Per directive

Cybersecurity Act · CCoP 2.0 timelines

The clock

From detection to closure.

T+0h · Detect & Triage
  • 01 SOC raises incident — assign initial severity (P1/P2/P3)
  • 02 Incident commander appointed; war-room opened
  • 03 Begin evidence preservation (logs, memory dumps, chain of custody)
  • 04 Notify Group CISO and Head of Legal within 1 hour for any P1/P2
T+1h · MAS Notification (material cyber breach)
  • 01 Notify MAS within 1 hour of confirming a material cyber breach (MAS TRM §15)
  • 02 Submit initial notification via FIs' MAS portal or secure email
  • 03 Activate business continuity plans for affected critical systems
T+6h · CSA Notification (if CII affected)
  • 01 If Critical Information Infrastructure is impacted, notify CSA Commissioner
  • 02 Provide attack vector hypothesis, affected services, containment status
  • 03 Begin coordination with sectoral CII lead
T+72h · PDPC Notification (if personal data breach is notifiable)
  • 01 Notifiable IF: significant harm OR ≥500 individuals affected
  • 02 Submit via PDPC online portal within 3 calendar days of assessment
  • 03 Notify affected individuals 'as soon as practicable' if significant harm
  • 04 Maintain breach register and lessons-learned report
T+7d · Detailed Reports & Containment Close
  • 01 Detailed incident report to MAS / CSA / PDPC as required
  • 02 Root cause analysis with timeline reconstruction
  • 03 Remediation plan with milestones
  • 04 Board / Risk Committee briefing
T+30d · Post-Incident Review
  • 01 Independent post-incident review by internal audit or a third party
  • 02 Update incident response plan with lessons learned
  • 03 File closure report; track remediation milestones to completion
  • 04 Consider voluntary public disclosure if there are reputational implications
Disclaimer

Indicative playbook — verify against current MAS, PDPC and CSA guidance and your own legal counsel. RiskPedia content is educational only.
