The Singapore Cybersecurity Bill aims to establish a regime to prevent, manage, and respond to cybersecurity threats and incidents, and to regulate critical information infrastructure owners and cybersecurity providers, which could necessitate additional cybersecurity measures and testing.
The Singapore Parliament introduced the Cybersecurity Bill on 5 February, a draft of which was previously released for public consultation. The Ministry of Communications and Information (MCI) and the Cyber Security Agency of Singapore (CSA) had published a report based on feedback received from the public consultation exercise on 13 November 2017, and certain amendments were made to the draft Cybersecurity Bill to take such feedback into account. The Cybersecurity Bill was tabled in the Singapore Parliament for a first reading on 8 January before becoming law at the second reading later this month. The Cybersecurity Bill seeks to, among other things, establish a regime to prevent, manage, and respond to cybersecurity threats and incidents; regulate owners of critical information infrastructure (CII); and regulate cybersecurity service providers.
Key Features of the Cybersecurity Bill
Commissioner of Cybersecurity
The Commissioner of Cybersecurity has broad powers to administer the Cybersecurity Bill.
Critical Information Infrastructure
Computer systems directly involved in the provision of essential services are termed CII. The Commissioner has the power to designate a computer or computer system as CII for a period of five years if the Commissioner is satisfied that (1) such computer or computer system is necessary for the continuous delivery of an essential service, the loss or compromise of which will have a debilitating effect on the availability of the essential service in Singapore; and (2) such computer or computer system is located wholly or partly in Singapore.
An “essential service” is defined as any service essential to the national security, defence, foreign relations, economy, public health, public safety, or public order of Singapore and which is expressly listed in the First Schedule of the Cybersecurity Bill.
The CII designation will be effective for a period of five years unless it is withdrawn by the Commissioner before such period expires.
Designation of CII Owners
CII owners will be given an opportunity to submit representations or to appeal against a CII designation. The Cybersecurity Bill allows a person who receives a notice of designation to request that the Commissioner amend the notice and address it to another person who has effective control over the CII (the Controller), by evidencing that the recipient of the notice of designation is not able to comply with the relevant requirements of the Cybersecurity Bill because, unlike the Controller, such person has neither effective control over the CII’s operations nor the ability or right to carry out changes to the CII. If the Commissioner addresses and sends an amended notice to the Controller, the Controller will be subject to the relevant requirements of the Cybersecurity Bill during the period when the notice is in effect, as if the Controller were the CII owner.
Duties of CII Owners
The owners of CII (whether from the public or the private sector) are subject to various duties to ensure the cybersecurity of their CII, including but not limited to:
- complying with codes of practice and standards of performance;
- complying with the written directions of the Commissioner;
- informing the Commissioner of any change in beneficial or legal ownership of the CII no later than seven days after the change in ownership;
- reporting cybersecurity incidents in respect of the CII and establishing mechanisms and processes for the purposes of detecting cybersecurity threats and incidents as set out in any applicable code of practice;
- conducting cybersecurity audits of the CII at least once every two years (or at such higher frequency as may be directed by the Commissioner) by an auditor approved or appointed by the Commissioner;
- conducting cybersecurity risk assessments of the CII at least once a year; and
- participating in cybersecurity exercises.
The Commissioner has powers to investigate and prevent serious cybersecurity threats or incidents and may, by written notice, direct any person to carry out specified remedial measures or to cease carrying on specified activities.
Only providers of managed security operations centre (SOC) monitoring services and penetration testing services are required to be licensed under the Cybersecurity Bill.
Potential CII owners and members of the cybersecurity industry should take note of the provisions of the Cybersecurity Bill. Organisations with computers or computer systems that are designated as CII will be notified in writing. If you are providing an “essential service” in Singapore and have been, or are likely to be, designated as a CII owner, you may wish to consider your upcoming obligations under the Cybersecurity Bill, which may require you to implement added cybersecurity measures, including setting up network perimeter defence devices such as firewalls, or performing regular vulnerability scanning of computer systems to identify potential loopholes. It is also expected that specific codes of practice will be issued to provide guidance on the actions required for compliance with the Cybersecurity Bill.