Category: Law

  • Risk of Using Generative AI in Legal Practice

    In preparing for an article on OTP Law’s website (reproduced on this website) about material adverse change clauses, I made use of a generative AI engine (used on 28 Apr 2023) and asked it for “Cases on material adverse change clauses in Singapore courts.”. This was the answer it gave me:

    In Singapore, material adverse change (MAC) clauses are commonly used in commercial contracts to allow parties to terminate or renegotiate the terms of the contract if certain events occur that materially affect the value or viability of the transaction. However, the application and interpretation of MAC clauses in Singapore can be complex and fact-specific, and there have been a limited number of cases on the issue.

    One notable case is China Machine New Energy Corp v Jaguar Energy Guatemala LLC [2013] SGHC 186, where the Singapore High Court considered a dispute arising from a power purchase agreement between the parties. The agreement contained a MAC clause that allowed the buyer to terminate the agreement if there was a material adverse change in the seller’s financial condition. The court held that the buyer had not established that there was a MAC and that the seller had not breached the agreement. The court also noted that the burden of proof was on the party seeking to rely on the MAC clause, and that the clause should be narrowly construed.

    Another case is BNA v BNB [2015] SGHC 110, where the Singapore High Court considered a dispute arising from a share purchase agreement. The agreement contained a MAC clause that allowed the buyer to terminate the agreement if there was a material adverse effect on the target company’s business, operations, assets or financial condition. The court held that the buyer had not established that there was a MAC and that the seller had not breached the agreement. The court also noted that the MAC clause should be interpreted in the context of the entire agreement and the commercial objectives of the parties.

    Overall, these cases suggest that Singapore courts will approach the interpretation and application of MAC clauses on a case-by-case basis and will require a high standard of proof before allowing a party to rely on such a clause to terminate a contract.

This sounds great, easy to read and understand. What is there not to like about it? Except that the cases don’t exist! It is not that the case names or the citations don’t exist. They do, but they are wrong. The citation for China Machine New Energy Corp v Jaguar Energy Guatemala LLC is not [2013] SGHC 186. It’s another citation. And citation [2013] SGHC 186 is of another case. And, to make it worse, neither is about material adverse change clauses. It was a similar situation with the second case cited, BNA v BNB [2015] SGHC 110.

So what is going on here? The short lay-person’s answer is that the AI lied. But AIs don’t lie. A large language model does not look up facts at the time of the query. It generates text word by word, choosing what is statistically likely to come next based on patterns learned from the large body of text it was trained on. Where a real case name, a real citation and a plausible-sounding holding each fit the pattern, the model can stitch them together into a coherent, readable paragraph even though they were never related to one another. To a reader, the result appears as the truth. Data scientists call this phenomenon ‘hallucination’.

How do we avoid this? By asking the right question, and by never relying on an answer that has not been checked against the primary source.

This reminds me of the sci-fi series, “The Hitchhiker’s Guide to the Galaxy.” The Ultimate Question was asked of the supercomputer “Deep Thought”: What is the answer to Life, the Universe, and Everything? After many years of computing, the answer was “42”. It was pointed out by Deep Thought that the question was wrong. Thus the nonsensical answer.

A ‘profession’ has now grown around generative AI to learn how to ask the right questions: ‘prompt engineering’. The combination of prompt engineering, domain knowledge (the human is still needed in the chain), high quality data, and AI models trained on research frameworks will birth a new scientific approach: Iterative Sciences.

As to using generative AI for legal work, thankfully, as the preceding paragraph makes clear, the human is still needed to provide the domain knowledge of law. The human with that domain knowledge needs to read what is generated by the AI and check it for accuracy. Using the answer to my query above, of the four paragraphs generated by the AI, only two were usable (of sorts): the first and last paragraphs, ie. the two shortest paragraphs, which contain well-written motherhood statements. I am not sure how useful they actually are. In fact, my article on material adverse change clauses used nothing generated by the AI. So, I am happy to report that for the moment, we are safe.

  • The Material Adverse Change (or MAC) Clause

Despite their popularity, it is widely accepted that a material adverse change (MAC) condition, also known as a material adverse effect (MAE) condition, is notoriously difficult to trigger. A situation not contemplated might have occurred, or a contemplated situation might have a lesser adverse impact than anticipated, and therefore the clause is not triggered. One party might want wider conditions while, unsurprisingly, the other party would want narrower ones. However, before we delve into the issues, we need to know what a material adverse change clause is.

    What is a Material Adverse Change Clause?

    A material adverse change (or MAC) clause is common in M&A and financing contracts. Its purpose is to give one party the right to modify or terminate the deal or contract if there is an adverse change in the business that is material to the deal or contract. Not every change is adverse to all parties and for sure not every adverse change will have a material impact on the deal from the point of view of every party.

    Therefore it is up to the parties to negotiate and define as clearly as possible what such a material adverse event is and its consequences to the deal. If the MAC event occurs between the signing and closing of the deal, it may result in the termination and unwinding of the deal. If it occurs after the closing but there are still obligations for one party to fulfill (as an example during earn-out periods), it may result in some or all of the obligations being waived. It may also provide for compensation or damages being paid by one party to the other. In financing arrangements, the MAC clause may result in repayment of the loan.

MAC clauses often come into focus in the aftermath of significant events that affect the economy, either generally or in a specific industry. Events such as the 9/11 attacks, the global financial crisis, and the recent Covid-19 pandemic saw a discernible increase in acquirers trying to invoke MAC clauses to terminate a deal.

    What a MAC clause contains will vary from transaction to transaction and jurisdiction to jurisdiction. In some countries, there might be a ‘market practice’ on how such clauses are usually drafted. But parties must bear in mind that notwithstanding market practices, you can negotiate something else that suits the circumstances of a deal.

    MAC Clauses in ‘Private Transactions’

In private deals (and even in some deals involving listed or regulated entities), a MAC clause may take the form of either a condition precedent or a condition subsequent to completion. It can also be a warranty that there is no MAC as of a specified date. As a warranty, some acquirers will negotiate for the warranty to be repeated at completion so as to avail themselves of its effect to abort a deal. Sellers, of course, will resist.

From an acquirer’s perspective, MAC clauses should attempt to set out every issue or event that is material to the acquirer and the reasons why that is so, especially if it is not clear on the face of that issue why it is material to the acquirer. The clause should also set out an objective threshold, where possible, to determine materiality. In rare situations, materiality may be left to the acquirer to determine at its discretion. MAC clauses often have carve-outs, that is, situations in which the MAC clause would not apply. Sometimes there is a third layer: exceptions to the carve-outs. Such 3-layer MAC clauses are a common structure in American-style (or American-drafted) agreements. Parties should also consider whether the MAC clause can only be invoked once a material adverse change has occurred, or whether it can be forward-looking and be invoked in anticipation of such a material adverse change.

A good illustration of the ‘3 layers’ MAC clause is the English case of Travelport Limited v WEX Inc [2020] EWHC 2670 (Comm). The case concerned the interpretation of a MAC clause in a share purchase agreement under which WEX Inc (“WEX”) agreed to purchase 100% of two companies, eNett International (Jersey) Limited (“eNett”) and Optal Limited (“Optal”), from Travelport Limited (“Travelport”). WEX attempted to use the MAC clause to abort the deal because of the Covid-19 pandemic.

    The MAC (or MAE in this case) clause stated:

    “Since the date of this Agreement there shall not have been any Material Adverse Effect and no event, change, development, state of facts or effect shall have occurred that would reasonably be expected to have a Material Adverse Effect.”

    “Material Adverse Effect” was defined in the agreement as:

    “any event, change, development, state of facts or effect that, individually or in the aggregate,

    (x) has had and continues to have a material adverse effect on the business, condition (financial or otherwise) or results of operations of [the eNett Group], taken as a whole, or of [the Optal Group], taken as a whole…or

    (y) would prevent or materially delay the consummation of the transactions contemplated by this Agreement”.

    The relevant carve-out is a proviso to the above clause (x) and states:

    “…provided that, solely for purposes of clause (x), no such event, change, development, state of facts or effect resulting, arising from or in connection with any of the following matters shall be deemed, either alone or in combination, to constitute or contribute to, or be taken into account in determining whether there has been or will be, a Material Adverse Effect:

    a) the general conditions and trends in the industries or businesses in which [eNett], [Optal] or any of their respective Subsidiaries operates, including competition in any of the geographic or product areas in which [eNett], [Optal] or any of their respective Subsidiaries operates …

    b) general economic conditions, financial conditions or capital market conditions (including interest rates, exchange rates and credit markets);

    c) conditions resulting from the commencement, occurrence, continuation or intensification of any act of civil unrest, war (whether or not declared), terrorism or sabotage (including cyberattack), armed hostilities, military attacks or declaration of national emergency;

    d) changes (or proposed changes) in Tax, regulatory or political conditions (including as a result of the negotiations or outcome with respect to Brexit) or Law, IFRS EU or IFRS IASB (or, in each case, any authoritative interpretations thereof or the enforcement thereof);

    e) conditions resulting from any natural or manmade disasters, hurricanes, floods, tornados, pandemics, tsunamis, earthquakes, acts of God or other weather-related or natural conditions…

    And the exception to the carve-out is:

    provided, further that any event, change, development or effect referred to in clause (a), (b), (c) or (e) may be taken into account in determining whether there has been a Material Adverse Effect to the extent, and solely to the extent, such event, change, development, state of facts or effect has a disproportionate effect on [the eNett Group], taken as a whole, or on [the Optal Group], taken as a whole, as compared to participants in the industries in which [eNett], [Optal] or their respective Subsidiaries operate.”

The effect of the MAC clause, in the words of the Judge, is that “[f]or present purposes all of this complicated structure produces this result: that if conditions resulting from the Pandemic cause a disproportionate effect on either of the eNett or Optal Groups, each taken as a whole, as compared to other participants in the industries in which either of eNett or Optal (or their respective subsidiaries) operate, such conditions fall within the Carve-Out Exception.”

It is important to bear in mind that the agreement was dated 24 Jan 2020, just days before the WHO declared the Covid-19 outbreak “a public health emergency of international concern” on 30 Jan 2020 and almost two months before Covid-19 was characterised by the WHO as a pandemic on 11 March 2020.

    It was not necessary for the judge to decide if WEX had properly invoked the MAC clause as the judgment was about a trial of preliminary issues. I cannot find anything as to what happened at the full trial or even if the full trial took place. All I can find is that the parties had entered into a deed of settlement and the deal was completed on 15 Dec 2020.

    MAC Clauses in Takeovers of Publicly Listed Companies

    The use of MAC clauses in takeovers of listed entities in some jurisdictions is regulated by the relevant authorities.

As an example, the Australian Securities & Investments Commission (ASIC), in its September 2022 update, stated that it expects MAC conditions to have objective and quantifiable standards by which the parties to a transaction can determine whether the material adverse change has occurred. The MAC condition cannot be subjective or semi-subjective.

Unquantified MAC clauses are common in commercial drafting. Commercial parties and their legal advisors have for decades viewed such clauses as applying an objective test, and the suggestion in Australia that they must also be quantitatively defined has surprised the market. It would be a shame if other regulators were to follow Australia and unquantified MAC conditions could no longer be used as a key risk management device.

In another example, the UK City Code on Takeovers and Mergers provides that for a bidder to invoke a MAC clause so as to cause a bid to lapse, the condition must not depend on the subjective judgment of the directors of the bidder, nor should satisfaction of the condition be in the bidder’s hands. Further, the circumstances that give rise to the right to invoke the condition must be of material significance to the bidder in the context of the offer.

    What Should Go Into a MAC Clause in an M&A Deal?

    First and foremost, the considerations of an acquirer and of the seller are very different in an M&A deal. So let us start with considerations of the acquirer.

    For Acquirer

If the acquirer is obtaining financing for the deal, make sure that the MAC conditions align with those in the financing documents. You definitely don’t want to be caught in a situation where your financier can back out but you can’t.

    Other considerations for an acquirer include:

• Whether to have a general MAC clause (usually strongly resisted by the seller, with good reason) or to have the clause cover specified concerns that the acquirer may have. Even if the seller agrees to a general MAC clause, an acquirer will still need to carefully craft what constitutes a MAC, since courts generally interpret MAC clauses narrowly. The general MAC clause should also be looked at in the context of the agreement as a whole, since the courts will determine the intentions of the parties by looking at the documents as a whole.
    • If the seller successfully negotiates ‘general market events’ as an exception to what constitutes a MAC, the acquirer should consider incorporating wording that would still trigger the MAC clause if: (i) the target company is affected comparatively worse than other companies in its industry; or (ii) the industry in which the target company operates is disproportionately affected compared with other industries.
    • Look for what other protections are available to the acquirer. As examples, obtain undertakings from the seller to run the target company ‘in the usual course of business’ in the period leading up to completion, or negotiate for the warranties to be repeated at completion of the transaction.
    • As stated earlier in the article, see if you can include forward-looking triggers in the MAC clause with words like “… events that are reasonably expected to have a material adverse effect on earnings …”.
    • If you need to specify events other than the usual ones concerning the financial performance of the target company, consider adding one regarding the departure of key personnel, or events that would impair the acquirer’s ability to complete the deal (eg no financing).
    • If your MAC clause has both general provisions and specific events, bear in mind that a court will likely interpret the specific events in the MAC clause as exclusive and exhaustive, thus giving little or no effect to the general provisions.

    For Seller

The starting position is to resist any MAC clause, although this will often be viewed by an acquirer as unreasonable and has the potential to scuttle a deal. As a seller, you must have clear and cogent reasons for this stance. However, from a negotiator’s standpoint, it could make subsequent negotiations for limited and clearly defined MAC clauses easier. You can also try negotiating for a sunset to the MAC clause if the closing of the deal is delayed by the acquirer. After all, if the deal had been completed on the scheduled date, any risk of a MAC would have passed to the acquirer.

Conversely, if the seller is responsible for the delay in completion, the seller should try to minimise the period during which it may be at risk.

    If the seller accepts the inclusion of a MAC clause, try to negotiate for ‘general market events’ exceptions and for ‘matters disclosed to or within the knowledge of the acquirer’ exceptions. Existing events should also be an exception to a MAC clause.

Also, look for objective criteria to determine what is material. Usually, parties resort to measurable financial parameters. This may mean, for example, that the valuation, turnover, EBITDA, etc. of the target company declines by a specified number of percentage points. Bear in mind that such financial parameters may not be available on a monthly basis, or that the changes may be temporary. Acquirers often want a subjective criterion, that is, they make the determination. A possible but more expensive compromise is to have an independent third party make that determination.

    Interpretation of MAC Clauses by Courts

    MAC clauses in share sale agreements will be interpreted in accordance with general principles of law. A court, when interpreting any clause of any contract will first look to the words in the contract to determine the parties’ intention. If this still gives rise to ambiguity, the court will then look at the surrounding circumstances to determine that intention. Once a court has interpreted the meaning of the provision, it will then make a factual determination on whether a material adverse change, within the meaning of the provision, has occurred.

    The determination of materiality is an objective one and not what one or the other party believes to be material. Materiality must be assessed at the relevant time, usually when one party asserts that a material adverse change has occurred. It is for the party asserting material adverse change to prove it and courts have said that this is a very high threshold. Therefore the claimant is likely to face a difficult uphill task.

    Some additional points to note from another English case, Grupo Hotelero Urvasco v Carey Value Added [2013] EWHC 1039 (Comm):

    • A change is only material if it significantly affects the company’s ability to perform its obligations under the relevant agreement.
    • A change is not material if it is merely temporary.
    • The party invoking the MAC clause cannot do so on the basis of circumstances of which it was aware at the time of the agreement.
    • Where the MAC clause relates to a company’s financial condition, this is to be determined primarily by reference to its financial information, which may include interim financial information and/or management accounts.
    • Financial information does not, therefore, encompass other matters such as the company’s prospects or external economic or market changes.
    • However, an inquiry is not necessarily limited to the company’s financial information if there is compelling evidence to show that a material adverse change has occurred.

    There is also a Singapore High Court decision, Downeredi Works Pte Ltd v Holcim (Singapore) Pte Ltd [2009] 1 SLR(R) 1070, interpreting the term “material” to mean “significant” in the context of a MAC clause.

    Similar Type Clauses

Similar to MAC clauses are hardship clauses and force majeure clauses. Hardship clauses and force majeure clauses aim to regulate the contractual relationship in cases of abnormal and unforeseeable circumstances occurring after the agreement has come into force. Hardship clauses usually achieve this by providing for renegotiation of the contractual terms and conditions. Force majeure clauses often provide for pre-determined consequences, including termination, if such circumstances arise.

Although the clauses have some similarities, the main distinction between such clauses and MAC clauses lies in their scope. Hardship clauses are directed at the ongoing performance of the contract. As an example, in supply contracts, changes in certain circumstances trigger a renegotiation of supply volumes, prices and/or schedules. The MAC clause, on the other hand, concerns a one-off transaction such as an acquisition or a financing. Further, the consequences are also different. The MAC clause usually results in the termination of the arrangement or some part of it, although on a practical level, parties usually enter into negotiations to see if the deal can be saved before triggering the MAC clause.

    Final Points

    It should be clear from the above that drafting MAC clauses that are effective is no simple task. Sellers and acquirers are almost diametrically opposite when it comes to MAC clauses. The end result after much ‘to-and-fro’ negotiation may be confusing and complicated. It is a task that even seasoned lawyers find daunting. Thus getting good and proper representation is important. The skill set required for your professional advisors should include negotiation skills, good drafting skills along with a sound understanding of the commercial drivers for the deal and of course, of the law.

If you need to know more about how OTP Law Corporation can help with your deal, contact us.

  • Term Sheets, Memoranda of Understanding and Letters of Intent – Same Same or Different?

    In the initial stages of a deal, you may be asked to sign a ‘non-binding’ document that sets out the key parameters for the negotiation. That document is called by many different names: a term sheet or a memorandum of understanding (MOU) or a letter of intent (LOI) or numerous other names.

Some experts claim that the documents described by each of these terms are different. However, to me, a rose by any other name is still a rose. While by convention or practice the description used for the same type of ‘non-binding’ document differs between types of transactions, the terms are very often used interchangeably, such that the name is not important. A term sheet is often the description used for the non-binding document in M&A or financing deals, while MOU or LOI is used to describe the non-binding document in other commercial transactions. But do not be surprised if you find MOUs being used in M&A deals or term sheets being used in distributorship negotiations.

    What is important is to make sure you understand what are the parameters set out in the document, whether it is binding or non-binding, and if binding, which parts are binding. For this article, the term “MOU” will be used to describe such documents generally.

    Purpose of the MOU

    Often, while negotiating deals, it is important to set out the broad areas of agreement or the boundaries of negotiation. However, parties may not want binding agreements, either because some of the terms may require the approval of upper management or have to be cleared by their lawyers. So they draft and sign a non-binding MOU. Its language is often non-legalistic and anticipates that binding definitive agreements will be signed later.

    In general, the MOU will provide:

    (a) A framework for the parties to negotiate a final contract.

    (b) A record of key terms agreed on.

    (c) Details of the fundamental commercial arrangement or commitment reached.

    (d) A mechanism for dealing with pre-contractual issues such as exclusivity, confidentiality, due diligence and/or intellectual property.

(e) A degree of comfort to the parties that a deal is possible, ie that there are no deal-breaker issues, before they incur further expenses.

    The signed MOU can also be used as a basis to seek funding for the deal from third parties subject of course to any binding confidentiality obligations. It will also form the basis for parties’ professionals like their accountants and lawyers to prepare the required accounting and legal documentation.

    Is an MOU binding?

    Many people assume that an MOU is not legally binding. After all, it is only an ‘understanding’ and not a contract. Unfortunately, that is not always the case. In certain circumstances, an MOU or parts of it can be binding. The two key questions to determine if the MOU (or some parts) is or is not binding are:

    (a) Did the parties intend to be bound by all or certain obligations set out in the MOU? A court would first examine the content of the MOU to make this determination. Therefore, to avoid uncertainty, the MOU should have clear statements as to whether the parties intend for the MOU to be or not to be binding, and if binding, which parts are binding.

(b) Is the MOU sufficiently clear and certain to be legally binding? A court will not ‘fill in the blanks’ in an MOU for the parties. A court also will not enforce obligations that are not clear. As an example, “obligations on the usual terms” or “sold at a fair price” are generally unenforceable unless there is a custom of trade by which “usual terms” or “fair price” is determinable.

    What to Look Out for in an MOU?

    When negotiating a commercial deal and one party suggests using an MOU, it is important to consider the following:

    (a) Do you really need an MOU? If you only need to deal with confidentiality or to require parties to not negotiate with other parties while negotiating this deal, would a non-disclosure agreement or an exclusive negotiation (or lock-out) agreement suffice? After all, you may not want to commit to positions that you are not ready for in the MOU, which is the next point.

(b) Will the MOU limit your flexibility to negotiate? Even non-binding MOUs can affect your bargaining power. The counter-party can refer to positions set out in the MOU as ‘moral’ leverage against you. A hint: if the counter-party, for reasons specific to its case, needs something to be stated but you are still undecided, it is possible to state in the MOU that “ABC wants DEF to take on the responsibilities of doing XYZ. However, DEF will need to consider this request further, taking into consideration its own commercial needs.” That way, you can satisfy ABC’s special needs while maintaining your flexibility.

    (c) Is the MOU intended to be legally binding? If so, make sure that the obligations and terms are sufficiently clear to be enforceable. You might want to seek legal help on this.

    (d) If the MOU is not intended to be legally binding, is this clearly stated? To minimise the impact of one party suddenly claiming that the MOU is legally binding, have clear language to say so. Certain terms of art like “Subject to Contract” have been interpreted by courts in many countries, including Singapore, to mean that a final binding contract is anticipated to be prepared.

(e) Do you want the MOU to be binding? This is different from the earlier points. If the MOU is intended not to be legally binding and is subject to contract, then if no final binding contract is signed, there is no deal on any terms and the parties are free to do their own thing. The resources spent on the negotiation are wasted. If that is not what you want, think about a binding MOU, or at least about making certain parts of the MOU binding. You might also want to think about having some sort of commitment by the parties that the final binding contract will be based on the broad framework set out in the MOU. Otherwise, you may be forced to re-negotiate the deal from scratch (sometimes termed “de novo”).

    (f) For key terms that are yet to be agreed, do you want a mechanism to have these key terms determined? Like the decision whether you want a binding or non-binding MOU, this is another decision that is a two-edged sword. Depending on your commercial circumstances, you may or may not want such a mechanism. Having such a mechanism limits your flexibility to negotiate. Not having such a mechanism can result in no final deal and wasted resources.

(g) Do you want a ‘no reliance’ clause in the MOU? A ‘no reliance’ clause is a boilerplate (or standard) clause that seeks to prevent claims based on statements or conduct made before, during or after negotiations that are not set out in the agreement (or, in the present situation, in the MOU). Properly drafted, it can also prevent claims that a non-binding MOU is binding because of such ‘by-the-way’ statements or conduct.

    (h) Do you want certain parts of the MOU to be binding? If you want some of the above points (the determinative mechanism and/or the ‘no reliance’ clause) in your MOU, you will have to consider making certain parts of your MOU binding. Confidentiality provisions, protection of intellectual property provisions and exclusivity (or lock-out) provisions might be some of the other provisions you might want binding.

(i) Are there any tax or other regulatory implications of signing an MOU? Contract law aside, there could be other issues to be considered before signing even a non-binding MOU. As an example, under Singapore’s Code on Take-overs and Mergers, agreements, arrangements or understandings between parties must be disclosed to the public.

    Concluding Words

While a non-binding MOU is designed as a document for the parties themselves to prepare and set out their key commercial arrangements in simple and business-friendly language, there are still some areas that parties should keep in mind to maximise the effectiveness of the MOU (as opposed to doing an MOU because everyone else is signing one) and to avoid some of the pitfalls of an MOU.

    As always, if in doubt, please consult us.

  • Online Safety in Singapore – The Recent Online Safety (Miscellaneous Amendments) Bill

    by Lim Seng Siew, director OTP Law Corporation. Accredited Specialist in Data and Digital Economy Law by SAL.

Singapore, like many countries around the world, is on a trend to regulate online content to enhance the online safety of users. The UK has its Online Safety Bill, Ireland has its Online Safety and Media Regulation Bill, and the EU has its Digital Services Act.

Singapore’s Online Safety (Miscellaneous Amendments) Bill was passed in Parliament on 9 November 2022 and came into force on 1 February 2023. The Bill primarily amends the Broadcasting Act 1994 by introducing a new Part 10A. A minor clarifying amendment to the Electronic Transactions Act 2010 was also made. There is no stand-alone Online Safety Act. The Bill was tabled after consultations with stakeholders and the public.

In the second reading of the Bill in Parliament, the Minister for Communications and Information highlighted that most online platforms did not fall within the remit of the then-existing provisions of the Broadcasting Act. As such, the Bill was intended to regulate social media platforms because of the high volume of harmful content on them.

    The new Part 10A in the Broadcasting Act empowers the Infocomm Media Development Authority (IMDA) to regulate online communication services (whether from within Singapore or outside) accessible by Singapore end-users. The measures that IMDA can take are: (a) to issue codes of practice for providers of regulated online communication services; and (b) to issue blocking directions to online communication services providers and to internet access service providers to deal with egregious content.  A new Fourth Schedule to the Broadcasting Act lists the online communication services that are within Part 10A. At present, the Fourth Schedule is limited to “social media service”.

    Codes of Practice

    Along with the press release by the Ministry of Communications and Information on 31 Jan 2023, the IMDA also released its draft Code of Practice for Online Safety for further consultation. The Code is expected to be implemented in the second half of 2023. Online communication services that have significant reach or impact can be designated by IMDA as regulated online communication services (ROCS). ROCS providers will be required to comply with the Code.

    The draft Code has provisions requiring ROCS providers to put in place systems and processes to mitigate the risks to Singapore users (in particular children of different age groups) from exposure to harmful content and to account to their users for such measures. Harmful content is much wider than egregious content that can give rise to blocking directions by IMDA. Harmful content covers sexual or violent content as opposed to sexually violent content (per egregious content). It also includes cyberbullying content and content facilitating vice and organised crime.

    The draft Code has sections on: (a) User Safety;  (b) User Reporting; and  (c) Accountability. Its key provisions are:

    (a) The ROCS provider must implement community guidelines, standards, and content moderation measures to minimise users’ exposure to harmful content.

    (b) Users must have access to tools to help them manage their own safety and exposure to harmful content.

    (c) Users must have easy access to information related to online safety, including Singapore-based safety information.

    (d) The ROCS provider must have technologies and processes in place to pro-actively detect and remove child sexual exploitation and abuse material and terrorism content.

    (e) The ROCS provider must have targeted measures to minimise children’s exposure to inappropriate content, including child-appropriate community guidelines, standards, and content moderation measures.

    (f) Children must not be sent targeted content that is detrimental to their physical or mental well-being.

    (g) The children and their parents/guardians must have access to tools to enable them to manage the children’s safety and minimise their exposure to harmful or inappropriate content. The tools must limit not just what content the child can see, but also who else can see the child’s information or interact with the child. Unless access by children is restricted, children must be provided with their own accounts where the default settings are robust and more restrictive, appropriate to the age of the children.

    (h) Users must be able to report concerning content or unwanted interactions. The mechanism must be easy to use and transparent.

    (i) Such users’ reports must be assessed and appropriate action taken in a timely and diligent manner, depending on the severity of harm. Action taken can include taking down the content and warning or banning the account that posted the content.

    (j) Where the report is not frivolous or vexatious, the reporting user must be informed of the decision and action taken. If action is taken against the user who posted the content, that user must also be informed of the decision and action taken. These must take place without undue delay. The users have the right to ask for a review of the decision and action taken.

    (k) The ROCS provider must submit to IMDA annual reports on the measures that are put in place to combat harmful and inappropriate content. The report should include: (i) the volume and types of harmful or inappropriate content encountered; (ii) what steps have been taken to mitigate Singapore users’ exposure to harmful or inappropriate content; and (iii) what action has been taken on user reports. The report will be published on IMDA’s website.

    The draft Code is accompanied by Guidelines that provide non-exhaustive examples of harmful content for all users and inappropriate content for children.

    Failure to comply with the codes of practice without a justifiable reason can result in a financial penalty not exceeding S$1 million or directions to remedy the failure.

    Blocking Directions

    If IMDA finds egregious content on online communication services, directions can be issued to the online communications provider and to internet service providers to disable access to such content by Singapore end-users. Egregious content includes content advocating or instructing self-harm or suicide; physical or sexual violence; terrorism; child sexual exploitation; public health risk in Singapore; or likely to cause racial or religious disharmony in Singapore.

    There are 3 types of directions that IMDA can issue:

    (a) A direction to an online communication service provider to disable access by Singapore end-users to the egregious content. As an example, to block a post on a social media site from being viewed by a Singapore user through a browser or mobile device.

    (b) A direction to an online communication service provider to stop the delivery or communication of egregious content to Singapore end-users. As an example, to block an instant message containing egregious content or a link to egregious content from being sent to Singapore users.

    (c) A direction to an internet access service provider to block access by Singapore end-users to an online communication service if the provider of that online communication service fails to comply with an IMDA direction. This can mean that the entire service is blocked and not just the post or message with the egregious content.

    Failure to comply with a blocking direction to an online communication service provider can result in a fine not exceeding S$1 million and a further fine of not more than S$100,000 per day for a continuing offence.  Failure to comply by an internet access service provider can result in a fine not exceeding S$20,000 per day up to a maximum of S$500,000.

    Conclusion

    How effective the codes will be, only time will tell.

  • Cyber-hygiene and Phishing Part 4: Other Steps to Take to Protect Yourself

    Cyber-hygiene and Phishing Part 4: Other Steps to Take to Protect Yourself

    by Lim Seng Siew, Director OTP Law Corporation

    In the first and second parts, we talked about what is a phishing attack and what to do if you are a victim. In the third part we talked about the simple steps to take to protect yourself against an attack. In this fourth and final part of the series about Cyber-hygiene and Phishing, we will talk about other, more complicated, steps that you can take to reduce the chances of being a victim of a hack.

    Steps With Assistance Basket

    The suggestions in this basket are much more technical than just installing anti-malware software (one of the simple steps in the earlier article) onto your computers and may require your IT provider to help.

    Configure Your Email Servers

    Your email servers can be configured to ‘prevent’ your emails from being spoofed. I put ‘prevent’ in quotation marks because, as I said earlier, it is not possible to prevent hacking, only to make it more difficult for a hacker.

    What you tell your IT provider is “Please configure my email servers to enable SPF, DKIM and DMARC. I want to prevent our emails from being spoofed and so that our emails are not marked as spam by other email servers.”

    To briefly explain what they mean and do:

    SPF stands for “Sender Policy Framework”. What SPF does is to let the email servers receiving your email check, against a list that you publish for your domain, that the email came from a server authorised to send for your domain and is authentic, not forged or spoofed.

    DKIM stands for “DomainKeys Identified Mail”. What it does is to add a digital signature to every message sent from your organisation. Receiving email servers read the signature and verify whether the message actually came from you. DKIM also lets the receiving server detect whether the message content was changed while the message was transported between servers.

    Finally, DMARC stands for “Domain-based Message Authentication, Reporting & Conformance”. DMARC tells the receiving email servers what to do with messages claiming to be from your organisation when they pass neither SPF nor DKIM. Failed messages can either (a) continue to be delivered to the recipient, (b) be quarantined or sent to the spam folder, or (c) be rejected, ie not delivered to the recipient. Usually, as a start, you might want to choose the first option (continue to be delivered) until you are certain that only false emails are being tagged. Whichever option is chosen, DMARC also sends you reports that tell you which messages passed or failed SPF and DKIM. These reports can help you identify possible email attacks and other vulnerabilities in your email servers.
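    To make the three mechanisms concrete, here is an added example (not the article’s or any vendor’s code) that parses a constructed SPF record and DMARC record and applies the decision a receiving mail server makes: pass if SPF or DKIM passes for an aligned domain, otherwise the published policy (none, quarantine or reject) decides. The domains example-firm.sg, attacker.example and mailhost.example and the records themselves are constructed for illustration.

```python
"""SPF and DMARC as a receiving mail server applies them.

Added example for this article, not the firm's or any vendor's code. The
domains (example-firm.sg, attacker.example, mailhost.example) and the TXT
records below are constructed for illustration, not real DNS data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed DNS TXT records, as the domain owner would publish them.
TXT_RECORDS: Dict[str, str] = {
    # SPF: only the named mail host may send for this domain; all others hard-fail ("-all").
    "example-firm.sg": "v=spf1 include:_spf.mailhost.example -all",
    # DMARC: report-only to start ("p=none"), with aggregate reports sent to the firm.
    "_dmarc.example-firm.sg": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example-firm.sg; adkim=r; aspf=r",
}

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record: str) -> Dict[str, object]:
    """Split an SPF record into its mechanisms and what happens to unlisted senders."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms: List[Tuple[str, str]] = []
    all_qualifier = "?"  # RFC 7208: without an 'all' term the result is neutral
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in SPF_QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "unlisted_senders": SPF_QUALIFIERS[all_qualifier]}


@dataclass
class DmarcPolicy:
    policy: str                # none | quarantine | reject (the three options in the article)
    adkim: str = "r"           # DKIM alignment mode: r(elaxed) or s(trict)
    aspf: str = "r"            # SPF alignment mode
    rua: Optional[str] = None  # where aggregate reports are sent


def parse_dmarc(record: str) -> DmarcPolicy:
    """Parse the tag=value list of a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return DmarcPolicy(tags["p"], tags.get("adkim", "r"), tags.get("aspf", "r"), tags.get("rua"))


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels.

    Real implementations consult the Public Suffix List so that names such as
    'firm.com.sg' are handled correctly; the shortcut suffices for the data here."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Does the domain SPF/DKIM authenticated match the visible From: domain?"""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain: str, spf_result: str, spf_domain: Optional[str],
                   dkim_result: str, dkim_domain: Optional[str],
                   policy: DmarcPolicy) -> Tuple[str, str]:
    """Return (dmarc_result, disposition) for one message.

    DMARC passes when SPF or DKIM passes AND the domain it authenticated is
    aligned with the From: domain; otherwise the domain owner's policy decides."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy.aspf)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy.adkim)
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return "fail", disposition[policy.policy]


if __name__ == "__main__":
    policy = parse_dmarc(TXT_RECORDS["_dmarc.example-firm.sg"])
    print("SPF result for unlisted senders:", parse_spf(TXT_RECORDS["example-firm.sg"])["unlisted_senders"])
    # Spoof: From: example-firm.sg, but SPF only vouches for the attacker's own bounce
    # domain and there is no DKIM signature from the firm. Under p=none it is still delivered.
    spoof = ("example-firm.sg", "pass", "attacker.example", "none", None)
    print("spoof under p=none  :", evaluate_dmarc(*spoof, policy))
    print("spoof under p=reject:", evaluate_dmarc(*spoof, parse_dmarc("v=DMARC1; p=reject")))
    # Legitimate mail signed by the firm's mail subdomain passes under relaxed alignment.
    print("legitimate          :", evaluate_dmarc("example-firm.sg", "fail", None, "pass",
                                                  "mail.example-firm.sg", policy))
```

    The p=none run shows why the article suggests starting there: the spoofed message is still delivered, but it appears in the reports, and only after those reports look clean should the policy be moved to quarantine or reject.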

    Like the password checker, CSA has its Internet Hygiene Portal (at https://ihp.csa.gov.sg/home) where you can check if your website and email are secure.

    Back-Ups Including Off-Site Back-Ups

    In our everyday life, we have ‘back-ups’ for many things: the spare key to our front door or keeping a properly inflated spare tyre in our car.

    The same should apply to your business data. You cannot assume that the information that you store will always be safe and accessible. Even if you are not a victim of a hack, negligence by a staff member or a system corruption (physical storage devices do break down sooner or later) can result in lost data. Regular and systematic back-ups will ensure that if the information is lost, it can be restored from the back-ups.

    Experts advise making several back-up copies of valuable files and safekeeping them in different places. This is to plan for the contingency that your first back-up option becomes corrupted.

    Some planning and discussion with your IT provider will be necessary. Questions such as the following need to be asked and answered: Do I need to do daily incremental back-ups? Do I need to do weekly or monthly complete back-ups? Do I need real-time back-ups? Do I do the back-ups on removable devices? On external hard drives? On dedicated back-up devices? On the cloud?

    Another key question is “Where is the data that I want backed-up stored?” If your staff stores the files in multiple devices and locations, must all these devices and locations be backed-up? Or should your staff be educated and trained to store all the files in one place (say a dedicated folder on your file servers) so that only that place needs to be backed-up?

    At least one back-up copy should be kept off-site or in a reliable cloud service. If your on-site files, including your on-site back-ups, fall victim to ransomware or are destroyed by fire, you will have that off-site copy or cloud copy from which to restore and reconstruct your files. However, bear in mind that restoring from off-site back-ups is not as easy as copying files back into your system after it has been restored or cleaned of any malware. Further, you have to ensure that the off-site or cloud back-up copies are immutable copies of your data, ie that they cannot be encrypted or corrupted by ransomware. So regular testing of your back-up and restoration process should be carried out.

    Encryption

    Encryption is a cybersecurity measure that protects your data even if the data is stolen. A hacker will have to ‘crack’ the decryption key before he can get his hands on the data. With strong encryption, decrypting files can take years of computing power.

    Both data stored or backed-up on your devices or the cloud (termed ‘data at rest’) and data that is moving across the internet or a private network (termed ‘data in transit’) should be encrypted.

    Data in transit is usually encrypted by the application used to transfer that data. As an example, many instant messaging apps encrypt all messages sent and received between their users. Websites that have “https” as part of their web address also encrypt all traffic between their web server and the web browsers of their visitors.

    Similarly, many cloud storage providers encrypt both data in transit (ie data that is moving between the user and the cloud storage) and data at rest (ie data that is stored in the cloud storage).

    It probably would not make sense to encrypt ALL files generated by a business. So, you will need to discuss with your staff and your IT provider to see what types of data would benefit from encryption and what would not. In short, a risk-based assessment will have to be undertaken.

    Files that are copied or backed-up onto removable storage devices should be encrypted, especially if these devices are going to be physically moving around. Thus, if the storage device is lost or stolen, the data remains safely out of the hands of the thief or hacker.

    Do not overlook the data encryption tools that are already incorporated in some of the common operating systems like the Encrypting File System (EFS) in Microsoft’s Windows and Android Encryption in Google’s Android. By default, no file is encrypted for both systems. EFS can be enabled by users (or through Group Policies) on a per-file, per-directory, or a per-drive basis. Encryption in Google’s Android is generally either a full-disk encryption (FDE) or a file-based encryption (FBE). Confusing? Yes, it can be. That is why help from your IT provider will be useful.

    A useful point to note: whether encryption has been used is a factor taken into consideration by the PDPC to determine if an organisation has or has not taken reasonable steps to secure the personal data it collects.

    Monitor

    “Don’t know, don’t ask” is definitely not one of the mantras to be adopted where cyber-hygiene is concerned. The fact that you had been hacked or that hacking is on-going but you know nothing about it is not only embarrassing when it is subsequently discovered, but can potentially mean that prima facie, you did not take reasonable steps to secure your data.

    Proactive monitoring can give you early warning signs of an impending attack, whether it is specifically directed at your organisation or is part of a global tidal wave. Servers, routers, applications and systems that are used by your organisation should be configured (again, with the help of your IT provider) to either generate periodic (say weekly) reports or have real-time monitors to spot any suspicious activities. However, do not overreact when you see such reports for the first time. There will be many suspicious activities. Hackers routinely use bots to scan multiple systems, including yours, for vulnerabilities such as vulnerable code that has not been patched. In today’s day and age, these activities are part of the ‘background noise’. What you should be looking out for are changes to the ‘background noise’ that might indicate either that you are being targeted or that some vulnerability has been detected.

    Steps With Consultation Basket

    This third and final basket of suggestions is one that will require consultation between various stakeholders, including senior management, staff, and the IT provider as they involve longer term planning, top management decision, and operational changes. You don’t have to implement all the suggestions but only adopt what suits you and your practice.

    Consider Implementing Zero Trust Policy

    Zero trust policy is basically a philosophy that states no one, whether inside or outside the network, should be trusted unless their identity has been thoroughly checked. Zero trust assumes that every attempt to access the network or an application is a threat. Traditional security models are based on the ‘moat and castle’ or ‘perimeter defence’ model: a moat surrounds the castle, and anyone inside the castle is assumed to be a friend. A zero trust model doesn’t make that assumption. It in fact goes a few steps further in that the user or device, even after verification, is granted only the minimum of permissions necessary to perform an authorised task and for only a limited period of time.

    The weakness of the perimeter defence model is that the perimeter has all but disappeared with the proliferation of devices that ‘connect’ to your system. This is the result of employees working from home (WFH) in the wake of the global pandemic. Such devices include desktops, laptops, smartphones, tablets, smart TVs and other internet of things (IoT) devices. As a result, hackers have many more points to breach security controls.

    Implementing Zero Trust Policy is not easy. Some of the considerations include:

    • Verifying the identity of authorised users, often using 2FA. In newer implementations, the authentication is via an authenticator app.
    • After the user is verified, the device from which the user seeks authentication also needs to be verified. This usually requires some sort of device management system.
    • After the user and device used have been verified, then the permissible access of the user and device needs to be verified. As an example, if a user logs in using a laptop with VPN, then the user can have access to certain pre-defined segments of your network or to certain pre-defined folders of your server. If the user logs in using an IoT device (which is generally viewed as having a higher risk), then the user is only allowed to access an even more restricted segment of the network or server.
    • Some zero trust implementations also verify the types of services that a user or device is permitted to have access to. As an example, a user using an IoT device may only have ‘read only’ access to certain services while a user using a laptop will have full access to the same services.

    As the considerations are varied with numerous factors to be taken into account, you will need to work with your key staff and with an experienced IT provider to implement any zero trust policy. Further, it is likely that as you gain more experience, the policies will have to be modified to suit the working requirements of your organisation.

    Reduce Your Attack Surface

    One of the aims of any cybersecurity plan is to reduce the attack surface. The smaller the attack surface, the easier and cheaper it is to protect. Unnecessary complexity can result in poor management and higher chances of mistakes that allow greater opportunities for hackers to gain unauthorised access to your systems.

    The simplest step is to disable all unnecessary or unused: (a) software or applications; (b) computers or devices; and (c) user and admin accounts. However, this is not as easy as it sounds. Many of us allow staff to use their own laptops, tablets and mobile-phones (the Bring Your Own Device or BYOD ‘culture’), to work from home (or for that matter, anywhere), and to use thumb-drives as a means of transferring or transporting files. Just these three practices have increased the attack surface multi-fold and made things more complicated. It makes scanning for vulnerabilities more difficult but makes implementing the zero trust policy more important.

    This cannot be done over-night because you do not want to disrupt your existing work processes that have been in place for a while. The cost of doing so also needs to be weighed against the savings. As an example, you should consider buying laptops for your entire office. That way, you can set the configurations for the laptops and only allow these laptops to access your office system. Any access from mobile devices (even your staff’s own devices) can then be restricted to read-only access to limit any potential harm caused by such devices.

    Consider Cloud Services

    I will not be dealing with the decision whether or not to migrate to the cloud. Rather, I am just going to weigh cloud versus on-premise solutions from a cybersecurity standpoint. Hybrid WFH makes cloud services an important alternative to on-premise or hosted solutions, although both of them have their own security issues.

    An important point to keep in mind: the cloud is not the solution to any hacking problem. A careless employee who gives out login credentials in reply to a phishing email will compromise the cloud service. So, training and all the previously discussed suggestions are still important.

    Further, the larger and established cloud service providers would have, either as a default or as an option, some of the cybersecurity solutions that I have suggested for a user to choose from. Discuss the options with your IT provider and the cloud service provider you are considering.

    I have listed some factors to be considered when deciding between cloud or on-premise solutions.

    Cloud Services | On-Premise Solutions
    Choice of industry-standard security solutions at lower up-front costs and at subscription rates. | You must decide on specific solutions, usually at high up-front installation and implementation costs.
    Maintenance, upgrades and monitoring are usually part of the cloud service and covered in the subscription. | You must engage an external provider or do these tasks yourself.
    Physical security of data centres and network is usually best in class. | You must provide dedicated secured space and network on your premises for the hardware.
    You surrender control of your data to the provider. | You have full control over what to implement.
    Larger service providers and their larger clients are the usual targets for hackers (cloud hacking); you may be collateral damage even if you are not the target. | You might not be a target for hackers; however, opportunistic hackers might still spot a vulnerability in your systems and launch an attack.
    Subject to downtime of the provider. | Subject to downtime of your own equipment.

    The Summary

    In summary and to recap all four parts:

    • Have a Written Breach Management Plan – Include C.A.R.E. (Contain, Assess, Report, Evaluate)
    • Prevention is Better Than Cure – Practice Cyber-hygiene
      1. Simple Steps
        1. Have Anti-Malware / Update Software
        2. Practice Password Hygiene: Strong password / Different Accounts, Different Passwords / 2FA / Don’t share passwords / Don’t login over unsecured wi-fi / Change passwords regularly / Use password manager
        3. Learn to Spot Phishing Messages: Mismatched or Misleading Information / Beware of Homograph attacks / Use of Urgent or Threatening Language / Promise of Attractive Rewards / Request for Confidential Information / Unexpected Emails & Suspicious Attachments
        4. Training & Keeping up to Date
      2. Steps With Assistance
        1. Configure Email Servers – SPF / DKIM / DMARC
        2. Back-Ups – Multiple Copies & Off-site Copies
        3. Encryption
        4. Monitor Your Systems
      3. Steps With Consultation
        1. Zero Trust Policy
        2. Reduce Attack Surface
        3. Consider Cloud Services
    • Key Resources
      1. CSA’s Password Checker (https://www.csa.gov.sg/gosafeonline/Resources/Password-Checker)
      2. CSA’s Internet Hygiene Portal (https://ihp.csa.gov.sg/home)
      3. Talk to us at OTP Law Corporation. Our website is otp.sg

  • Cyber-hygiene and Phishing Part 3: Simple Steps to Protect Yourself

    Cyber-hygiene and Phishing Part 3: Simple Steps to Protect Yourself

    by Lim Seng Siew, Director OTP Law Corporation

    In the first and second parts, we talked about what is a phishing attack and what to do if you are a victim. In this third part, we will talk about simple steps that you can take to reduce the chances of being a victim of such an attack.

    Cyber-hygiene – Prevention (or Reduction) is Better Than Cure

    It is impossible to prevent a cybersecurity incident from happening. You could only do so if you had infinite resources, infinite time, and infinite talent. And that is an impossibility. Instead, efforts should be focused on, firstly, making it difficult for a hacker to hack into your system, such that the hacker will move on to other targets, and, secondly, reducing the opportunity for harm if a hack does succeed.

    I have divided the precautions that an organisation can take into 3 baskets:

    1. The first basket contains simple steps that an organisation can take on its own with minimal or no assistance from IT providers (Simple Steps Basket).
    2. The second basket is for those steps that an organisation can take with assistance from IT providers if the organisation does not have the in-house know-how to do so (Steps With Assistance Basket).
    3. And the third basket contains those steps that will require the organisation to work with IT providers as these steps often involve consultation with various stakeholders (Steps With Consultation Basket).

    I will deal with the simple steps in this article and leave the other 2 for a later one.

    It must be borne in mind that cyber-hygiene is not merely an IT issue for the IT staff alone to implement. It is an ‘all-of-organisation’ issue. The hacker, using social engineering methods, will not be sending phishing emails to the IT staff of an organisation but to the general staff who are likely to be less aware of cybersecurity issues. Social engineering methods are methods used by hackers to manipulate our emotions such that we stop thinking rationally and start acting on impulse without proper regard to what it is that we are actually doing.

    Simple Steps Basket

    Have Anti-Virus / Anti-Malware

    Anti-virus and anti-malware software are very similar, and the terms are often used interchangeably. However, there are important differences. Anti-malware generally has broader coverage than anti-virus, with advanced features such as sandboxing and removal of potentially malicious applications, and behaviour monitoring that identifies threats based on suspicious behaviour rather than relying on the ‘signatures’ of pre-existing and known threats. It is also designed to be used in a business environment across the entire organisation. As a result, anti-malware is generally more expensive than plain vanilla anti-virus software.

    It is also important to have the software installed on all potential attack surfaces. An attack surface is all possible points of attack, whether physical or digital, where an unauthorised user can gain access to a system. The digital attack surface encompasses all the hardware and software that is connected to an organisation’s network. These include applications, codes, ports, servers, and websites. The physical attack surface comprises all endpoint devices that an attacker can gain physical access to, such as desktop computers, hard drives, laptops, mobile phones, tablets, Smart TVs and USB drives. Even passwords written on paper and physical break-ins to premises are potential physical attack surfaces.

    Update Your Software

    All software, even those from well-regarded software companies, have bugs. Some of these bugs can result in serious vulnerabilities to systems where the software is used. Hackers routinely scan for such vulnerabilities and once a vulnerability is found, will attempt to exploit it before the software developer discovers and patches the vulnerability. Updating all your software regularly will reduce the hacker’s opportunity to exploit vulnerabilities in your systems.

    Much modern commercial off-the-shelf software has automatic updates; some even have this enabled by default while others require you to manually enable this feature. The general rule is to enable automatic updates, with one key exception: where your system uses customised software. Occasionally customised software relies on third-party software libraries. If these third-party libraries are updated and routines relied on by your customised software are deprecated (ie made obsolete), your customised software may suddenly stop working. Responsible developers of customised software will have their own updates to avoid this situation, but it is always prudent to check with them.

    Practice Password Hygiene

    Passwords enable a user to access important accounts and data, making them an attractive target for hackers. Further, just about everything about passwords is inconvenient, from creating them, to remembering them, to using them. On one hand, they cannot be too simple, otherwise they can be easily cracked. On the other hand, they cannot be too complicated, otherwise they will be forgotten. So, here are some password hygiene tips.

    First, use strong passwords. The recommendation is to have at least 12 characters mixing uppercase and lowercase letters with numbers and symbols. Popular these days is to use a passphrase comprising a few words strung together. As such phrases are easier to remember, users are less likely to write them down. An example is a passphrase like “2minutE1@QquiZ”, ie “Two minute Ten Question Quiz”. The Cyber Security Agency (CSA) of Singapore has a webpage (at https://www.csa.gov.sg/gosafeonline/Resources/Password-Checker) where you can check the strength of your password. Use it.

    Second, use different passwords for different accounts. A big No! No! is using the same password for your personal and corporate accounts. While this may make remembering the passwords difficult, there are tricks that can be used to make this easier. As an example, use a passphrase like “2minutE1gma@QquiZ” for your gmail account and “2minutE1yah@QquiZ” for your yahoo account.

    Third, enable and use 2-factor authentication (2FA) wherever possible. Modern 2FA is as simple as receiving a one-time passcode on your mobile device. Most organisations, including Google and Microsoft, offer 2FA free of charge.

    Fourth, do not share your passwords with anyone and do not write them down. If you need to grant temporary access to anyone, change your password to a ‘throw-away’ password. Once the need for that temporary access is over change the password back to a more lasting one. Remember that some systems do not allow you to recycle old passwords. So, you may have to change your password from “2minutE1@QquiZ” to “3minutE1@QquiZ”.

    Fifth, do not login to online services over an unsecured wi-fi network. If you are unsure about the ‘free’ wi-fi network, make use of the hotspot feature on your mobile-phone. You can then tether your laptop or tablet to your mobile-phone hotspot.

    Sixth, change your passwords regularly. The recommendation is to change them every 90 days. However, many users will find this too troublesome.

    Seventh, consider using a password manager. Having a unique password for every account or service that must be changed every 90 days will mean a lot of passwords to manage. Unless you have perfect memory, you will need something to help you remember these complex passwords. The temptation to write them on a sticky note attached to the back of the monitor should be resisted. Instead, consider using a password manager. These secure applications store all your unique passwords and can generate new strong passwords as needed. Many password managers can sync the information across multiple devices so you will never be without the correct password when it is needed. Another great feature many password managers have is website verification. If you click on a phishing link instead of the real one, the password manager will not auto-fill your password.

    Learn how to Spot Phishing Scams

    Here are some of the signs to look out for to determine if there is a possible phishing scam.

    (a) The message has mismatched or misleading information.

    One of the clearest indicators of a phishing scam is when the information in the message is wrong. As a simple example, the message asks you to confirm your payment instructions to Bank A. However, you do not have any account with Bank A, or you have not issued any payment instructions in the past few days. That message is very likely a phishing scam.

    The more sophisticated hackers are more subtle. They will attempt to mislead you into believing that the information you see is genuine. Therefore, you need to examine the information closely.

    If the message asks you to click on a link to a website, check the website address carefully. Better yet, re-type the website address into your web browser from a source that you know is correct. Hackers often create phishing websites with web addresses (or URLs) that are visually similar to the genuine websites. This technique is called a homograph attack or script spoofing. A simple example is when the web address substitutes a “0” (ie zero) for an “O” or a “1” for an “l”.

    More sophisticated methods substitute either Cyrillic or Greek characters for our usual Latin ones. An example of this is the word “bank” compared with “bаnk”: one is written with the Cyrillic letter “а” and the other with the usual Latin “a”, and on screen the two are indistinguishable. The Cyrillic letters – а, с, е, о, р, х and у – are those that you should look out for because of their visual similarity to those that we are used to. The latest versions of popular browsers have built-in protection against most homograph attacks.

    Sometimes, the link ‘as shown’ in the body of the message appears to be a legitimate one. However, if you click on the link, you will be brought to another website. If you move (or hover) your mouse over the link before clicking, a small window will pop up showing you the true destination. If the two links (the ‘as shown’ link and the link shown when you hover the mouse) are different, it is a strong indicator of a phishing message.

    A similar technique is also used for email addresses: they may look similar to, but are in fact different from, an organisation’s official email address. Hover your mouse over the email address to see the true address. Also check the cc or bcc lists to see if there are any unusual addresses. Unusual addresses in such lists are a sign of a ‘man-in-the-middle’ attack. A ‘man-in-the-middle’ attack is when the attacker secretly relays and alters the messages between 2 legitimate parties who believe that they are directly communicating with each other when in fact they are both communicating with the ‘man-in-the-middle’.
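    To make the two link checks above concrete, here is an added example (not code from OTP Law’s article) that scans an HTML email body for a displayed link whose host differs from the real destination, and for a host that mixes Latin letters with Cyrillic or Greek look-alikes. The sample message and the function names are constructed for illustration; a host written entirely in one non-Latin script is deliberately not flagged, since that is a legitimate internationalised name rather than a homograph.

```python
"""Flag phishing-link indicators in an HTML email body.

Added example, not code from the original article. Detects:
1. an <a> whose visible text is itself a URL but points to a different host;
2. a destination host mixing Latin with Cyrillic/Greek letters (homograph).
"""
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse


def scripts_in_host(host: str) -> set[str]:
    """Unicode script of each letter in host, taken from its character name
    prefix, e.g. 'LATIN', 'CYRILLIC', 'GREEK'. Digits and hyphens are ignored."""
    return {unicodedata.name(ch, "").split(" ")[0] for ch in host if ch.isalpha()}


def is_mixed_script(host: str) -> bool:
    """Latin letters combined with Cyrillic or Greek ones is the homograph pattern
    described in the article; a host wholly in one script is not flagged."""
    scripts = scripts_in_host(host)
    return "LATIN" in scripts and bool(scripts & {"CYRILLIC", "GREEK"})


def host_of(text: str) -> str:
    """Host part of a URL, or of bare text such as 'www.bank.example/login'."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html: str) -> list[dict]:
    """One finding per link; 'reasons' is empty when nothing looks wrong."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = host_of(href)
        reasons = []
        # Only compare hosts when the visible text is itself a URL-like string.
        if "." in text and not re.search(r"\s", text) and host_of(text) != real_host:
            reasons.append("mismatch")
        if is_mixed_script(real_host):
            reasons.append("homograph")
        findings.append({"href": href, "text": text, "host": real_host, "reasons": reasons})
    return findings


# Constructed sample body (not a real message); \u0430 is the Cyrillic small a.
SAMPLE_EMAIL = (
    '<p>Please <a href="https://login.bank.example/verify">confirm</a> today.</p>'
    '<p>Or visit <a href="http://secure-login.example/bank">www.bank.example</a></p>'
    '<p>Portal: <a href="https://b\u0430nk.example/">https://b\u0430nk.example/</a></p>'
)
```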

    (b) The message uses urgent or threatening language.

    Hackers also use urgent or threatening language in their messages. It’s a social engineering trick. Urgency can mean you act before you think. Hackers often use words like “Urgent action required”, “Your account will be terminated”, “This is your boss. Transfer money to me urgently.” The fact that the message is unexpected helps create that sense of urgency. Take your time. There are in fact very few situations when you need to respond to any message immediately.

    Other tricks used by hackers to create a sense of urgency include saying that they’ve noticed suspicious activity or login attempts, claiming that there is a problem with your account or payment, saying that you need to confirm some personal or financial information, claiming to be from some government authority who requires you to respond immediately, or issuing some ultimatum.

    (c) Promise of attractive rewards

    If it is too good to be true, it probably is. Phishing messages often offer amazing deals or rewards, again to encourage you to act before you can think. A recent technique is to ask you to complete a survey (which will have questions about your personal and financial information) for a chance to win attractive prizes, but not so ‘amazing’ that they would be suspicious.

    (d) Request for confidential information

    Nowadays, most organisations do not ask for your confidential information to be sent via unsolicited email or unsolicited calls. If the caller or sender claims to be from your bank and asks for your NRIC number or bank account number, be careful. Inquire further. Most scammers will not be able to respond properly to such inquiries.

    On the other hand, it is possible to be over-cautious. Banks, as part of their security protocols, often ask you for certain information to verify your identity. So, if the caller asks for such information, is the caller legitimately from the bank or is the caller a scammer? When in doubt, contact the bank directly using the contact information from a legitimate source. Don’t rely on the contact information in the suspicious email.

    (e) Unexpected emails & suspicious attachments

    Hackers send out millions of emails in the hope that someone responds. Don’t be that one. If you receive an unexpected email and have identified it as a phishing email, do not click on any link or attachment. Instead, delete it to prevent any accidental clicking. Also notify your IT provider so that the sender’s email address can be added to the organisation’s spam or blocked list.

    Training & Keeping up to Date

    The final suggestion in this basket is training, not just of the IT staff but also the general staff and senior management. Do the training regularly since people need reminding and hackers keep updating their techniques. Learning how to counter these new techniques is important.

    In addition, you should also keep up to date with the latest happenings in the cybersecurity world by checking or subscribing to resources provided by the PDPC, SingCert, and many of the major software or cybersecurity companies. These resources provide information about the latest vulnerabilities or hacks and their solutions or patches.

    You will also need to reassess your processes on a regular basis to deal with the newer techniques used by hackers or newly discovered vulnerabilities that have yet to be patched.

    In the fourth and final part of this series, we will discuss the other steps that can be taken to reduce the chances of you being a cybersecurity victim.

    If you have a need to seek legal advice on your cybersecurity situation or just require legal assistance in any way, please reach out to us at enquiries@otp.sg or +65 64383922.

  • The Life-Cycle of a Start-Up: From Cradle to Grave (Part 3)

    The Life-Cycle of a Start-Up: From Cradle to Grave (Part 3)

    Article by Lim Seng Siew.

    Businesses do get married. There are a number of terms used to describe the various forms of business ‘marriages’: acquisitions or takeovers, mergers and joint ventures are among the common terms. We deal with each in turn.

    Acquisitions or Takeovers

    An acquisition or takeover happens when one company (the acquirer) acquires most or all of the shares of another company (the target) to gain control of the target company. Most of the time, the acquirer pays cash for the target’s shares. Sometimes, the acquirer swaps its shares for the shares of the target company, termed ‘shares-for-shares’ swap.

    ‘Shares-for-shares’ swaps that result in the acquirer becoming a subsidiary of the target company are known as ‘reverse takeovers’. This often happens when a privately held company (technically, the target but in actual terms, the acquirer) with strong prospects ‘reverse’ acquires a listed shell company (technically the acquirer but in actual terms, the target) which has no legitimate business operations and limited assets.

    While in theory all the acquirer needs is to acquire 1 share plus 50% of the target company’s issued shares (ie 50% + 1) to gain control of the target, in practice this rarely happens. This is especially so when the target company is privately held, ie not listed on any stock exchange. Why would you, as a seller, give up control of your business to another without realising a substantial immediate financial gain? After all, there is always the possibility of the business failing because the acquirer doesn’t understand your business.

    Most acquisitions of privately held companies are friendly and happen with the mutual agreement of both the acquirer and the shareholders of the target. This does not mean that the negotiations for the deal will therefore be easy. Each party will still negotiate hard to extract the maximum gain from the deal. However, the hard bargaining should be tempered by the bigger picture of the mutual benefits that can arise if the deal is successful.

    Some acquisitions can be hostile, commonly termed as ‘hostile takeovers’. The shareholders of the target company do not agree to the takeover. For listed companies, there are rules governing parties’ conduct during a takeover. The rules ensure transparency and fairness for all concerned in the deal. Takeovers of listed companies, especially hostile takeovers, are beyond the scope of this article.

    Mergers

    Closely related to an acquisition is a merger. In a merger, 2 separate businesses, usually of almost equal characteristics (in terms of size, market share, employees, scale of operations etc), join together to form a new legal entity. The 2 original businesses are usually dissolved after the merger is completed.

    Joint Venture

    A joint venture (or JV) is a business arrangement in which 2 or more parties agree to pool their resources for a specific project. The participants of a JV maintain their own businesses. The JV can be in the form of a separate company (JV Co) in which the participants are its shareholders. It can also be a partnership or a mere contractual arrangement commonly termed ‘consortium’.

    Once the project ends, often the JV Co is liquidated, the partnership is dissolved or the consortium disbanded.

    Other Forms of Business ‘Marriages’

    Sometimes, instead of the acquirer acquiring the shares of the target company, only the assets, contracts and businesses of the target company are acquired, ie ‘asset acquisition deals’. This typically happens when the target company is facing bankruptcy proceedings.

    There is also a management buyout, ‘MBO’ for short, where the company’s executives purchase a controlling stake in the company.

    There is another form of deal called an ‘acqui-hire’, where the acquirer is not really interested in the business of the target but in the talent (ie key personnel) in the target company. It happens fairly often in the start-up world where talent is in short supply. Acqui-hires are also used as a ‘soft landing’ by the start-up’s founders and employees when the start-up fails to raise more money for its needed capital. The irony with ‘acqui-hires’ is that the team from the failed start-up enters the office of the acquirer in an elevated position, with lots of money and guaranteed employment contracts, all thanks to a business that went broke.

    We have talked about what the various terms mean in a business ‘marriage’. In the next part, we will talk about the processes involved in an acquisition.

  • Cyber-hygiene and Phishing Part 2: Planning Ahead for an Attack

    Cyber-hygiene and Phishing Part 2: Planning Ahead for an Attack

    by Lim Seng Siew, Director OTP Law Corporation

    In the first part, we talked about what is a phishing attack. In this second part, we will talk about what to do if you are a victim of a hack.

    Steps to Take When an Incident Occurs – C.A.R.E.

    The PDPC has a very convenient 4-stage data breach management model under the acronym C.A.R.E. which stands for “containing” the breach, “assessing” risks and impact, “reporting” the incident and “evaluating” the response and recovery to prevent future breaches.

    The Data Breach Management Plan

    The 4-stage CARE model should be in your Data Breach Management Plan (sometimes called Incident Response Plan) and you should have a plan, even if you are a one-man operation. When a breach occurs, things are likely to move fast and will be chaotic. Planning ahead will help reduce the confusion and stress. Further, the plan should be in writing. In a chaotic situation you will forget. Therefore, when a suspected breach is detected, just whip out the plan and follow the steps listed. Remember that the plan need not be perfect. The Evaluation stage also involves re-evaluating your always ‘imperfect’ plan and refining it if necessary.

    It’s also not enough to have just a plan. Equally important is to test the plan with ‘dry-runs’. The dry-runs will familiarise your staff with the plan and identify any kinks or shortcomings in the plan. A practical tip is to have the dry-run as one of your office’s team building exercises. With a bit of imagination, it can be fun.

    Contain the Breach

    Act to contain the breach as soon as you are aware of a data breach. In earlier times, this could be as simple as turning everything off. In today’s world, this may not be an option, especially if some of the technologies used by your business involve cloud services. And even if you can turn the equipment off, at some point in time you will need to turn it back on. So other steps are still necessary.

    To contain the breach, your first step will be to change the passwords, not just of the hacked account but all others as well, especially when these other accounts use the same password.

    Next, do a full system scan with anti-malware apps to detect if any malware has been installed in any of the computers or devices used in your business. You need to know ALL the accounts and ALL the computers and devices used. So, the plan must have an updated list of all these accounts and equipment.

    Alert your banks and credit card companies. If necessary, change or stop your credit cards. You can do this while the scan is ongoing. The contact information of your banks and credit card companies should be in your plan. You should also monitor all your accounts for any suspicious activities.

    Call your IT provider (internal IT staff or an external service provider) for assistance and notify your cybersecurity insurer. These insurers will have the necessary experts on call to assist you with the more complicated containment and assessment situations. Further, they can advise on other precautions to take as their other customers may also be victims of the same hacker.

    Ask your IT provider to preserve the evidence of the hack or compromise such as the phishing email from which the attack started from, the system log files that record how the attack progressed, and/or the malware that was installed on your systems.

    The steps you take in the containment stage are focused on preventing further compromises, determining the extent of the breach, and implementing mitigating measures to minimise the impact of the breach.
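    As an added illustration of the evidence-preservation step in the containment stage (example code, not OTP Law’s or the PDPC’s procedure), the following records a SHA-256 integrity manifest for the phishing email, the system log and the malware sample at the time they are collected, so that any later alteration can be detected before the evidence is relied on. The artifact names and contents are constructed stand-ins.

```python
"""Integrity manifest for preserved hack evidence.

Added example, not part of the original article. build_manifest() hashes each
collected artifact; verify_manifest() re-hashes them later and reports which
files still match, so altered or missing evidence is noticed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large log files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(artifacts: dict[str, str]) -> dict:
    """artifacts maps a label (e.g. 'phishing_email') to a file path.
    Records size, SHA-256 and the UTC collection time for each file."""
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": {
            label: {"path": path, "size": os.path.getsize(path), "sha256": sha256_of(path)}
            for label, path in artifacts.items()
        },
    }


def verify_manifest(manifest: dict) -> dict[str, bool]:
    """True per label when the file still exists and its hash is unchanged."""
    return {
        label: os.path.exists(item["path"]) and sha256_of(item["path"]) == item["sha256"]
        for label, item in manifest["items"].items()
    }


def demo() -> tuple[dict, dict, dict]:
    """Write constructed artifacts to a temp dir, build and save the manifest,
    then alter one file to show verification catching it."""
    folder = tempfile.mkdtemp()
    samples = {  # constructed sample content standing in for real evidence
        "phishing_email": ("phish.eml", b"Subject: Urgent action required\n"),
        "system_log": ("auth.log", b"login failed user=a\nlogin ok user=a\n"),
        "malware_sample": ("dropper.bin", b"\x00\x01constructed-bytes"),
    }
    paths = {}
    for label, (name, content) in samples.items():
        paths[label] = os.path.join(folder, name)
        with open(paths[label], "wb") as fh:
            fh.write(content)
    manifest = build_manifest(paths)
    with open(os.path.join(folder, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    before = verify_manifest(manifest)
    with open(paths["system_log"], "ab") as fh:  # simulate a later alteration
        fh.write(b"tampered\n")
    after = verify_manifest(manifest)
    return manifest, before, after
```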

    Assess Risks and Impact

    The second stage is to assess if your containment is working or if the hacking is still going on. If the hacking is still ongoing, then you should continue with the containment efforts until the hacking has stopped.

    Once the containment efforts are successful, then a deeper assessment of the data breach should be undertaken. That deeper assessment covers discovering the root cause of the breach, the effectiveness of the containment actions, and the effectiveness of any technical protection (eg encryption) of the data. Assistance from your IT provider or cybersecurity insurers is usually required to do this.

    In parallel with the technical assessment must be an assessment as to who needs to be informed of the incident. The steps taken to assess if the data breach is a notifiable breach under the DBNR must be documented as the PDPC may take enforcement action against you if they deem that there has been an unreasonable delay in that assessment.

    Report the Incident

    The next stage is to Report the incident. You should have determined during the assessment stage who should be informed.

    You should report the incident to the Police if a crime is suspected, to the PDPC if the breach involves personal data and is of a significant scale or causes significant harm, to SingCert (Singapore Computer Incident Response Team) if it is a cybersecurity incident, and to the regulator of your business sector, if there is such a regulator. The PDPC also has a voluntary reporting scheme even if the incident is not a mandatorily notifiable one. An incident or breach need not be a cybersecurity incident. As an illustration, if physical documents are stolen and those documents contain customers’ confidential information and/or personal data, the police and the PDPC should be informed but SingCert need not be informed since it is not a cybersecurity breach.

    The individuals whose data or information are compromised should also be informed. The PDPA requires the affected individuals to be informed as soon as possible, at the same time or soon after notifying PDPC. However, bear in mind that there could be some exceptions. As an example, if adoption information is involved, consider carefully whether certain individuals should be informed as the adoptee may not know that he or she is adopted.

    The PDPC Guide on Managing and Notifying Data Breaches says that you have 30 days to determine if it is a notifiable breach. Any longer will have to be justified to PDPC. However, once it is determined that there is a notifiable breach, you must report to PDPC within 3 days. The PDPC has a webpage (at https://eservice.pdpc.gov.sg/case/db) where reports can be made.

    Except for the requirements by the PDPC, there are no hard timelines for when an organisation must notify other parties. However, you should do so as soon as possible. You don’t want to explain to the affected customers why you took 3 months to notify them. Explaining to them about the incident is already difficult enough.

    Evaluate the Response and Recovery

    The final stage is to Evaluate how you responded to the incident. Do that after the chaos has reduced and the reports made. This is so that you can deal with the next incident better.

    Things for you to consider in your post-breach evaluation include:

    1. Determining the cause of the incident. Are there signs that should be monitored to prevent another similar incident? Are there weaknesses that can be strengthened?
    2. Evaluating the effectiveness of the initial containment actions. Are there weaknesses that can be strengthened?
    3. Evaluating the Data Breach Management Plan. Does the plan need to be updated?
    4. Evaluating the effectiveness of external parties like your IT provider or cybersecurity insurer. Were they able to effectively support you during the incident? What feedback can you give them? In a more drastic situation, you might have to consider engaging a fresh set of external parties.
    5. Evaluating employees’ response. Were employees aware of security related issues? Were the key employees (like your internal IT team) given sufficient resources to manage the incident? Is additional or refresher training required?

    Thus far, we have been dealing with what to do after an incident has occurred. In the third part of this series, we will discuss the simple steps to take to reduce the chances of being a victim of a hack.

    If you have a need to seek legal advice on your cybersecurity situation or just require legal assistance in any way, please reach out to us at enquiries@otp.sg or +65 64383922.