Singapore's New Cybersecurity Act: What IT Companies Should Note

The Cybersecurity Bill, aimed at strengthening the protection of critical computer systems against cyber-attacks, was passed by Singapore’s Parliament on 5th February.  The new Cybersecurity Act focuses on critical information infrastructure (CII) which are computer systems that are necessary for the continuous delivery of essential services in Singapore. A new commissioner of cybersecurity will be appointed under the new Cybersecurity Act and will, amongst other things, be tasked with designating specific organizations as CII owners.

Although the Ministry of Communications and Information (MCI) and the Cybersecurity Agency (CSA) have previously clarified that suppliers of  IT to owners of CII will not be subject to the new Cybersecurity Act per se, it should be noted that Singapore's Minister for Communications and Information, Dr. Yaacob Ibrahim has said in parliament on the second reading of the Cybersecurity Bill that CII owners must check that the security measures their suppliers put in place are sufficient to ensure they meet their legal obligations. 

Dr. Ibrahim added that "Many engage third-party vendors to support their CII. In deciding which vendors to engage and what conditions to impose on their vendors, CII owners should carry out the necessary risk assessments and due diligence to ensure that their obligations under the Bill are complied with."

Key Provisions

In view of this, there is a need for IT companies to be aware of the key provisions of the new Cybersecurity Act, especially the provisions relating to CII and the regulation of Cybersecurity Services, as these may have an impact on its ability to provide products or services to customers. A summary of these provisions are as follows:

CII. CIIs are computers or computer systems that are necessary for the continuous delivery of essential services that Singapore relies on, the loss or compromise of which will lead to a debilitating impact on national security, defense, foreign relations, economy, public health, public safety or public order of Singapore. Essential services have been identified in 11 sectors in the new Cybersecurity Act, including utilities, banking, and finance, media, info-communications, healthcare and transportation.

The owners of CIIs, have certain statutory duties under the new Cybersecurity Act, including the duty to comply with codes and directions, to conduct audits and risk assessments, to report cybersecurity incidents including any incident that occurs in respect of the CII and any incident that occurs in respect of any computer or computer system under the owner’s control that is interconnected with the CII, and to participate in cybersecurity exercises. The cybersecurity commissioner also has broad powers to carry out investigations on CII regarding cybersecurity threats or incidents and compel CII owners to take remedial action where deficiencies in security measures are found.

The new Cybersecurity Act also contains a mechanism for owners of CII to request the cybersecurity commissioner to address the notice for compliance to another person under certain conditions (e.g., if the owner does not have effective control over the operations of the CII). This acknowledges that owners of CII may not always be operators of the CII, and are hence not best placed to ensure that the statutory obligations are fulfilled.

The new Cybersecurity Act will not have extra-territorial effect and will only apply to CII located in Singapore. However, in cases where the CII in Singapore is operated by systems partly located in Singapore and partly from outside of the country, the new Cybersecurity Act will govern the Singapore-based systems.

Licensing of Cybersecurity Service Providers. To strike a balance between industry development and security needs, the new Cybersecurity Act will contain a simplified licensing framework for cybersecurity service providers with the following features:

  • Licensing regime. There is now only one licensing regime instead of two as proposed under the previous draft of the Cybersecurity Bill, and the distinction between “investigative” and “non-investigative” cybersecurity services has been removed in the new Cybersecurity Act. This allows the new Cybersecurity Act to be more future-proof and enables it to stay relevant as cybersecurity services continue to evolve.
  • Employee exemption. Only service providers who are in the business of providing cybersecurity services, whether individual or business entities, have to comply with the licensing requirements under the new Cybersecurity Act. Under the previous draft of the Cybersecurity Bill, individuals who employed to provide cybersecurity services were required to be subject to separate licensing obligations.
  • Related company exemption. Intra-group cybersecurity services will now fall outside the licensing regime under the new Cybersecurity Act.

Conclusion

The new Cybersecurity Act will sit alongside other Singapore laws and sector-specific regulations relating to information security and protection of data, such as the Singapore Personal Data Protection Act. The new Cybersecurity Act will come into force when it is published in Singapore’s legal gazette.